Three Exploit Kits Spreading Attacks for Recent Flash Player Zero Day

The Angler Exploit Kit is exploiting the latest Flash zero day and is moving Dridex banking malware. The Magnitude and Neutrino exploit kits have also integrated the 0day.

Update Exploits for the most recent Adobe Flash Player zero-day vulnerability have been integrated into the Angler, Neutrino and Magnitude exploit kits, and are leading compromised computers to different ransomware strains, banking malware, and a credential-stealing Trojan.

A French researcher who goes by the handle Kafeine told Threatpost that Neutrino has embedded a working exploit for CVE-2016-4117 while Magnitude has not fully implemented the exploit.

Kafeine this morning also confirmed that the Angler Exploit Kit has now integrated the same Flash zero day exploit. The Angler exploits, however, are dropping the Dridex banking Trojan. Dridex has primarily spread in spam and phishing emails, and used malicious macros embedded in Office documents to download the Trojan.

Kafeine said that Magnitude is firing exploits for Flash Player up to version, but the payloads are not executing, despite the presence of references to the vulnerable code. It could be that the exploit was not implemented correctly; Kafeine said that as of this morning the payloads were not working.

Detection rates on VirusTotal for the Neutrino exploit remains low, only five of 56 as of this morning.

The Flash Player type-confusion zero-day vulnerability was patched on May 12 in an emergency update. Researchers at FireEye said they were aware of the existence of exploits for the flaw on May 8, which Adobe patched in short order.

Kafeine said today that in different passes with the exploit kit, he saw infection payloads that included CryptXXX, Cerber and DMA Locker ransomware, as well as the Gootkit Trojan.

Gootkit has also been integrated into the Angler Exploit Kit. Researchers at Cyphort said malvertising attacks were redirecting victims to Angler, which then downloads Bedep click-fraud malware and the Gootkit loader. Gootkit, which used primarily to steal online banking credentials, is loaded into memory and leaves no files on the victims’ machines.

One day after the emergency Flash update, FireEye published details on the attacks it discovered and privately disclosed to Adobe. In its report, FireEye said exploits were embedded in Office documents hosted on the attackers site, and a dynamic DNS domain was used to reference the document and payload. This allowed the attacks to spread via URL or email attachments.

FireEye said that the attacks worked against machines running Flash and above; the exploits run shellcode, which downloads and executes a second shellcode that downloads and executes the malware and displays a decoy document to the victim. The malware also opens a backdoor and is capable of receiving new commands from the attackers.

The Magnitude EK, meanwhile, has been pushing Cerber ransomware almost exclusively. Researchers at Proofpoint discovered a previous Adobe Flash zero day a month earlier was integrated into Magnitude and Nuclear exploit kits. Nuclear was moving Locky ransomware onto victims’ machines; Locky was blamed for a number of high-profile infections at hospitals nationwide.

Cerber has been climbing the ranks of ransomware—along with CryptXXX—after FireEye said attackers have leveraging the same spam infrastructure used to spread the dangerous Dridex banking malware. Cerber has an annoying feature in which it uses text-to-speech technology to audibly read its ransom note to its victims.

This article was updated May 23 to reflect the addition of the Flash zero day into the Angler Exploit Kit. 

Suggested articles