The developers of the notorious Angler exploit kit are very good at integrating recently patched or zero-day vulnerabilities. Researchers reported on Monday that the cybercriminals have already added an exploit for a Flash Player flaw fixed by Adobe just two weeks ago.
According to FireEye, the security bug in question is a memory corruption (CVE-2015-3090) vulnerability discovered and reported by Chris Evans of Google Project Zero. The flaw was patched by Adobe on May 11 with the release of Flash Player 17.0.0.188.
At the time when it released the update, Adobe didn’t seem to be aware of any attacks in which the vulnerabilities fixed in Flash Player 17.0.0.188 had been exploited. FireEye says it has now notified Adobe and provided the company access to the exploit.
“The exploit for CVE-2015-3090 involves a race condition in the shader class, in which asynchronously modifying the width/height of a shader object while starting a shader job will result in a memory corruption vulnerability. Angler uses this to execute arbitrary code and infect unpatched users’ systems,” FireEye noted in a blog post.
The French security researcher known as Kafeine has confirmed that an exploit for CVE-2015-3090 has been added to Angler. The expert noted that a fileless thread is used to push Bedep malware and an ad fraud module onto infected systems. It’s not uncommon for the Angler exploit kit to deliver Bedep through Flash Player vulnerabilities, including zero-days.
FireEye published on Monday a detailed analysis of this Bedep attack. According to experts, this is a highly active malvertising operation that involves not just Angler, but several other popular exploit kits as well, including RIG, Magnitude, and Nuclear.
Once it’s infected with the Bedep Trojan, a computer silently engages in ad fraud activity, making a high volume of requests to rogue ad networks. These networks eventually take victims to a host designed to redirect them to the exploit kit. The exploit kit then re-infects the system with malware and the process is repeated, FireEye said.
In addition to the fast integration of exploits, Angler made numerous headlines over the past period thanks to its innovative features. The list includes fileless infections, the use of domain shadowing to evade detection, and breaking the referer chain in malvertising campaigns to make tracking more difficult.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
Latest News
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Apple Unveils Upcoming Privacy and Security Features
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Dozens of Malicious Extensions Found in Chrome Web Store
- What if the Current AI Hype Is a Dead End?
- Microsoft Makes SMB Signing Default Requirement in Windows 11 to Boost Security
- Zyxel Urges Customers to Patch Firewalls Against Exploited Vulnerabilities
