Connect with us

Hi, what are you looking for?


Malware & Threats

Exploit Kits Mutate, Increase Activity: Report

Security researchers have observed an increase in exploit kit (EK) activity in the beginning of this year, coupled with a series of mutations, which include spreading more malware, Heimdal Security reports.

Security researchers have observed an increase in exploit kit (EK) activity in the beginning of this year, coupled with a series of mutations, which include spreading more malware, Heimdal Security reports.

In a recent blog post, the company’s Andra Zaharia explains that EKs such as Neutrino, RIG and Angler have registered a substantial spike in activity recently, and that they are currently focused on exploiting popular software such Adobe Flash Player, Reader, and Acrobat as their attack vectors.

The most recent campaign observed by Heimdal Security involves the Neutrino EK and was launched on January 5, 2016. In addition to targeting Adobe Flash Player vulnerabilities for distribution, the EK also uses Google Blackhat SEO poisoning and has started to spread new malware, including ransomware from the Kovter class and from the Cryptolocker 2 family.

According to the security firm, the campaign involves injecting malicious code into legitimate websites, which redirects victims to a selection of dedicated domains connected to new servers controlled by the attackers. The malicious payloads that Neutrino serves to its victims are located on these new servers, where a series of top-level .top domains are also hosted.

The cybercriminals behind this campaign are focused on exploiting outdated Adobe Flash Player installations to infect victims’ systems with ransomware. Furthermore, the payload delivery process appears to have improved, as it now includes various tests to determine whether the browser and Flash Player plugin are up to date and if a debugger is present in the memory.

In addition to determining the Flash Player version number, the EK also checks for PhantomJS, node.js or Rhino and mainly abuses the CVE-2015-7645 vulnerability in Flash Player plugin. The security flaw was added to the Angler and Nuclear EKs in early November, less than two weeks after Adobe released a patch for it, after learning that Russia-linked Pawn Storm threat group was exploiting it in attacks aimed at Foreign Affairs Ministries.

The security firm also observed an increase in the activity of Angler and RIG EKs, with the latter abusing known vulnerabilities in Adobe Flash, Adobe Reader, Adobe Acrobat and Silverlight and using Google Blackhat SEO poisoning to spread malware via drive-by attacks. The RIG campaign is main focused at infecting outdated Microsoft Windows PCs through serving malicious URLs in Google search results, Zaharia said.

Advertisement. Scroll to continue reading.

Some of the infected URLs analyzed by Heimdal Security were hosted on a server at the IP address 192.185.21 [.] 183, which is considered to be entirely harmful. According to the researchers, the server hosts not only drive-by exploit kits, but also tier-1 gateways to the C & C servers, phishing websites and other malicious content.

The EK delivers payloads that include an infostealer from the Pony family and the TofSee Trojan, the latter pointing to an IP address in Scandinavia. The RIG exploit version 3 has reached an infection success rate of 56 percent on Windows 7 PCs with Internet Explorer 9 mainly by exploiting the CVE-2015-5119 (CVSS Score: 10) and CVE-2015-5122 (CVSS Score: 10) vulnerabilities in Adobe Flash Player.

The CVE-2015-5119 zero-day leaked in early July after a hacker stole 400GB of data from the systems of surveillance software maker Hacking Team, and Adobe immediately patched it, though it was already exploited in the wild. The CVE-2015-5122 zero-day flaw was discovered one week later in the same leaked data, along with another zero-day, namely CVE-2015-5123.

To stay protected, users are advised to update their Flash Player installations as soon as possible and to ensure that all of their software is up to date at all times. Additionally, they should consider a multi-layered protection system, which increases the chances that security products can discover and prevent malware from infiltrating their systems.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.