A relatively new exploit kit that borrows modules from the Metasploit Framework and exploits older versions of Adobe Flash, Adobe Reader and Silverlight that the user may be running has begun to make the rounds.
Jaime Blasco, the director of AlienVault Labs, dug deeper into the kit, known as Archie, on the company's blog yesterday.
First discovered by EmergingThreats in August, Archie is apparently one of the more basic exploit kits on the market.
"When the victim lands on the main page, Archie uses the PluginDetect JavaScript library to extract information," Blasco says, regarding Archie's functionality.
In addition to Flash and Reader, the kit also checks whether the victim's machine is running a 64-bit version of Internet Explorer.
If it finds an outdated version of Flash, it loads one of two exploits: CVE-2014-0497, a zero day that hackers used to deploy password-grabbing Trojans in China back in February, or CVE-2014-0515, which hackers used in attacks against Syrians in April.
The IE vulnerability it checks for, CVE-2013-2551, is the same use-after-free memory corruption vulnerability that VUPEN dug up at Pwn2Own 2013.
The Silverlight vulnerability Archie exploits is an old one as well: CVE-2013-0074, patched in March 2013, affects Silverlight 5 and exposes systems running it to remote code execution.
“Archie contains shellcode in different formats that is sent to the different exploit modules generated by Metasploit when it loads them,” Blasco wrote.
The shellcode then kicks off a basic download-and-execute payload, which Blasco said comes from the same IP address as one being used for a .NET click-fraud bot.
A bevy of new exploit kits have been circulating in the 10 or so months since authorities in Russia arrested Paunch, the Blackhole Exploit Kit’s creator. Blackhole and Cool, another Exploit Kit assumed to have been crafted by Paunch, dissolved soon after.
Malicious ads on Yahoo were found linking European users to one of those kits, Magnitude, in January, and this summer the men's lifestyle site AskMen.com was spotted directing users to the Nuclear Pack Exploit Kit.
Archie joins another exploit kit, Angler, in targeting Silverlight vulnerabilities. Silverlight, Microsoft’s app framework, is perhaps best known for powering media streaming services like Netflix. Java.com and TMZ.com were found sending users to sites peddling Angler last month.