Exploit for Flash Zero Day Appears in Angler Exploit Kit

The dangerous Angler exploit kit has a new piece of ammunition to use in its attacks: a fresh Adobe Flash zero-day vulnerability. The kit is exploiting the previously unknown vulnerability in several versions of Internet Explorer running on Windows 7 and Windows 8.

French security researcher Kafeine has spotted a version of the Angler kit that’s firing exploits for several vulnerabilities in Flash, including two known bugs. But the big problem is that the kit also has exploit code for what appears to be a zero-day in the latest version of Flash, version 16.0.0.257. Kafeine said that he first spotted the exploit for the zero-day in Flash on Wednesday and that it is being used to install a piece of malware known as Bedep.

Older versions of Angler have been seen installing Bedep in the past. The malware is used for ad fraud operations, and has been used by Angler in what Kafeine calls “fileless” infections of targeted machines.

The researcher said that not all instances of Angler are using the new Flash zero-day exploit, nor is it being used against all of the popular browsers. In his tests, Kafeine found that IE 10 on Windows 8, IE 8 on Windows 7 and IE 6-9 on Windows XP all are being exploited. Chrome is not being targeted and fully patched Windows 8.1 is not exploitable, he said.

Kafeine has not published the MD5 of the new exploit yet, but he said users may want to take precautions until Adobe has a fix available for the vulnerability.

“Disabling Flash player for some days might be a good idea,” he said.

An Adobe spokesman said that the company is aware of the report and is investigating it.

The crew behind Angler seems to have a special affinity for Flash exploits. The kit often has exploits for freshly patched Flash vulnerabilities within days of Adobe publishing fixes.

 


Discussion

  • Kaspersky user on

    Does KAV or KIS home protect against this? What about Corporate KAV?
    • Anonymous on

      We are an editorially independent news site. As such, we aren't equipped to answer these sorts of questions. However, I did see this on Twitter: https://twitter.com/assolini/status/557997067138650113
      • Kurt Baumgartner on

        yeah, or this: "concerned about the angler flash 0day? no need if you have AEP. heck, you don't need to be if it just looks like our product is installed." https://twitter.com/k_sec/status/557985982763380737
