Just days after the developers of the Angler exploit kit started leveraging a recently patched Flash Player vulnerability to distribute malware, an exploit for the same security bug was also added to the Magnitude, Neutrino and Nuclear Pack exploit kits.
FireEye and the French researcher known as Kafeine noticed last week that an exploit for the memory corruption vulnerability (CVE-2015-3090) discovered by Chris Evans of Google Project Zero had been added to Angler. The exploit was included on May 26, just two weeks after Adobe patched the flaw with the release of Flash Player 220.127.116.11.
On May 29, Kafeine reported that an exploit for the same vulnerability was also added to Nuclear Pack and Magnitude. On Monday, June 1, the researcher noticed that the flaw had also been exploited by the Neutrino exploit kit.
In the instances observed by Kafeine, Nuclear Pack and Neutrino were exploiting the flaw to push a variant of the Andromeda malware. Magnitude had been using it to deliver the notorious CryptoWall ransomware, the expert said in a blog post.
It’s unclear how the developers of all these exploit kits obtained the exploit for this particular Flash Player vulnerability, but there are several possibilities. Some of them are known to buy exploits from other exploit kit authors, Kafeine told SecurityWeek.
The authors of different exploit kits are usually in competition with each other so they don’t usually share exploits, explained Yonathan Klijnsma, a Fox-IT threat intelligence analyst who often analyzes exploit kits in his spare time.
“What usually happens is that they get samples from each other’s exploit kit and take it apart, reverse it if you will. After reversing it they implement it for their own kit. There are clear examples documented by Kafeine also on cases where bad copy/paste jobs by authors broke their infection chain because the exploit became unstable/non-functional,” Klijnsma told SecurityWeek.
When an exploit for a recently fixed vulnerability is first added to an exploit kit, in most cases the developers create the exploit by reverse engineering the patch, said Klijnsma.
The Angler exploit kit has made numerous headlines in recent months because its developers have used exploits for Flash Player zero-day vulnerabilities.
“In instances where Angler runs with 0day exploits it usually means either of two things: they have a skilled RE in their team or they have the budget to buy these exploits from the market,” Klijnsma noted. “There are documented cases of certain actors announcing their ‘spending budget’ to exploit creators saying ‘hey I can buy your goods, show me something’.”
In a blog post published last week, researchers at Palo Alto Networks noted that exploit kit authors previously focused on out-of-bounds access (OBA) vulnerabilities in Flash Player because they are easier to exploit. However, they have increasingly started leveraging use-after-free (UAF) vulnerabilities, which are a type of memory corruption flaw.
The security firm spotted recently patched Adobe Flash Player UAF vulnerabilities such as CVE-2015-0311, CVE-2015-0313 and CVE-2015-0359 being added to various exploit kits, including Flash EK, Sweet Orange, Fiesta, Angler and Neutrino.
“Due to certain features in Adobe Flash, specifically the ability for alchemy opcodes (such as op_li32/op_si32) to directly access memory within a ByteArray, use-after-free vulnerabilities are just as easy to exploit as out-of-bounds vulnerabilities,” Palo Alto Networks wrote in a blog post. “It appears that the authors of exploit kits agree with this, as they continue to add new Flash UAF vulnerabilities to their arsenal. As such, we can anticipate Flash vulnerabilities will continue to be exploited by exploit kits well into the future.”