Latest Flash 0Day Under Attack; Possible Ties to Group Behind Angler EK

The third Adobe Flash Player zero day in two weeks is also currently under attack. Researchers at Trustwave found an exploit for it in the HanJuan exploit kit, which could be tied to the group behind the Angler kit.

The little-known HanJuan exploit kit is delivering attacks targeting the most recent Adobe Flash Player zero-day vulnerability. Adobe has yet to produce a patch for the flaw, which researchers at Trustwave said is a use-after-free vulnerability.

The flaw is the third to hit Flash in the last two weeks; the previous two have been patched by Adobe. A request to Adobe for comment on a patch for this bug was not returned in time for publication.

Adobe confirmed the vulnerability on Monday affecting Flash version and earlier for Windows. The exploitation technique used against this vulnerability, CVE-2015-0313, is similar to another zero-day exploit being served up in the Angler exploit kit, leading Trustwave to surmise it could be the same group behind both vulnerability discoveries and exploits. That flaw was patched last week.

“The vulnerability is a use-after-free vulnerability caused by a bug in how Flash handles the FlashCC (previously Flash Alchemy) ‘fast memory access’ feature (domainMemory), when the last is used by flash Workers (Flash threads),” Trustwave said in its report published yesterday.

French researcher Kafeine, who found the Flash exploit in Angler, said there seems to be a strong connection between these exploits and the criminal gang behind Angler, which is also delivering Bedep click-fraud malware, and Reveton ransomware.

“Why you don’t hear that much about (HanJuan) is because the redirection chain has really strong filtering on the traffic to avoid most data centers (researchers using VPNs or virtual private servers to analyze malware and exploits),” Kafeine told Threatpost.

Kafeine said the payload delivery is “fileless” and uses similar encryption (Xtea) as the Angler exploit; the exploit is dropping Bedep click-fraud malware, similar to CVE-2015-0311, he added.

Both this exploit and the CVE-2013-0311 exploit gain access to memory using a heap spray technique, Trustwave said. Trustwave said it was able to reproduce an exploit in its lab, and shared that process in its report.

Researchers said the processes under attack support multi-threading in Flash, and the means in which data and objects are shared in memory. Within Flash, it is possible, Trustwave said, to access process memory using fast memory access, or ActionScript, which is achieved by setting memory data to a predefined ByteArray. Trustwave explained that if that ByteArray is freed by another thread, the domainMemory object will hold a pointer to freed memory.

“Such a condition is a security risk and is usually classified as a use-after-free vulnerability. Using the reference to a freed memory area, it is possible to use/access the heap memory block directly,” Trustwave said. “The exploit uses heap spraying to fill this freed memory with Vector Objects and corrupt the size of a given vector setting it to a very large size. This corrupted Vector will later be used to access the entire memory of the browser process and to gain code execution over the machine.”

Adobe on Monday posted an advisory on CVE-2015-0313, and said it was being exploited in drive-by downloads and malvertising attacks. Some big sites were delivering malicious ads redirecting to the exploits, including DailyMotion, Wowhead,, and Engage:BDR, among others. Adobe said attackers’ exploits were targeting Windows 8.1 computers and below running Internet Explorer or Firefox.

This announcement came on the heels of two other warnings from Adobe regarding zero days in Flash. The more serious of the two was being delivered by the Angler Exploit Kit, and was discovered by Kafeine. That exploit used multiple layers of obfuscation to hide the exploit from detection.

Suggested articles