Multiple exploit kits involved in highly active malvertising

May 27, 2015 14:06 GMT

Cybercriminals operating attack tools that target outdated versions of Flash Player have built an exploit for a vulnerability Adobe patched earlier this month, a short turnaround between fix and in-the-wild exploitation that raises serious security concerns for anyone slow to update.

Adobe shipped the fix in Flash Player 17.0.0.188 on May 12, and last week security researchers saw exploit code for the flaw, newly added to the Angler exploit kit, being used in the wild in malvertising operations.

Bedep Trojan is one of the payloads

The flaw leveraged by the attackers is tracked as CVE-2015-3090, and it is a memory corruption that leads to code execution on the affected machine. Security researchers at FireEye say that the issue involves a race condition in the shader class.

Systems running unpatched versions of Flash receive the final payload via drive-by attacks: the user simply visits a website containing code that redirects the browser to a server hosting the exploit kit, and nothing visible happens on screen to signal the infection.

The malicious code is planted on a website either via a direct hack or through an advertisement delivered by an ad network.

FireEye researchers observed a malvertising operation leveraging CVE-2015-3090 to deliver Bedep Trojan, a piece of malware used for click-fraud activities.

Multiple threats are downloaded on compromised systems

However, once on the system, Bedep does more than ad fraud: it also starts an infection cycle that ends with additional malware being funneled onto the machine.

It makes a large number of requests to rogue ad networks, which redirect to malicious hosts; those in turn forward the connection to a server running an exploit kit (Angler, Magnitude, Nuclear or Rig).

“Requests to the rogue ad networks will have a specific Bedep referrer. From there, a wild maze of redirection takes place, bouncing the browser from domain to domain until the final destination is reached,” the researchers explain in a blog post on Tuesday.

In the case of Angler, one of the redirects was received from a fake news website with the string “news4news” in the domain name.

Researchers identified more than 220 IP addresses being used for redirections by sub-domains with the "click2" prefix.

FireEye says that the trail of redirections and nefarious referrers all leads back to the 199.212.255.0/24 network, and that the current operation is very active, relying on malvertising for payload delivery.
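As an added example, not code from the article or from FireEye, the following Python script shows how the indicators named above could be run over web proxy logs: it flags requests to hosts whose sub-domain starts with "click2", to domains containing "news4news", and to destination IPs in 199.212.255.0/24, then reconstructs each client's redirect chain by following referrers so the hop sequence can be reviewed as a whole. The log format, hostnames, client addresses and all other IPs are constructed for the example; only the three indicators come from the article. The article does not give the value of the Bedep referrer, so the script does not try to match it.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the article (FireEye's description of the campaign).
SUSPECT_NET = ipaddress.ip_network("199.212.255.0/24")  # infrastructure behind the redirect chain
SUSPECT_HOST_PREFIX = "click2"                           # sub-domain prefix of the redirection hosts
SUSPECT_DOMAIN_TOKEN = "news4news"                       # fake news site that redirected into Angler

# Constructed proxy log lines (not real traffic). Fields: timestamp client dst_ip method url referrer.
# Hostnames and client/landing IPs are invented; only the redirectors' dst_ip values sit in the
# 199.212.255.0/24 block named in the article.
SAMPLE_LOG = """\
2015-05-26T10:00:01Z 10.0.0.5 93.184.216.34 GET http://www.example.com/ -
2015-05-26T10:00:02Z 10.0.0.5 199.212.255.10 GET http://click2.ads-example.net/go?id=1 http://www.example.com/
2015-05-26T10:00:03Z 10.0.0.5 199.212.255.20 GET http://news4news-example.org/today.html http://click2.ads-example.net/go?id=1
2015-05-26T10:00:04Z 10.0.0.5 203.0.113.9 GET http://landing-example.info/ http://news4news-example.org/today.html
2015-05-26T10:05:00Z 10.0.0.7 93.184.216.34 GET http://www.example.com/news -
"""


def parse_log(text):
    """Parse the constructed six-field log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash on them
        ts, client, dst_ip, method, url, referrer = parts
        events.append({"ts": ts, "client": client, "dst_ip": dst_ip,
                       "method": method, "url": url, "referrer": referrer})
    return events


def indicators(ev):
    """Return the names of the article's indicators that a single request matches."""
    hits = []
    host = (urlsplit(ev["url"]).hostname or "").lower()
    if host.split(".")[0].startswith(SUSPECT_HOST_PREFIX):
        hits.append("click2-subdomain")
    if SUSPECT_DOMAIN_TOKEN in host:
        hits.append("news4news-domain")
    try:
        if ipaddress.ip_address(ev["dst_ip"]) in SUSPECT_NET:
            hits.append("199.212.255.0/24")
    except ValueError:
        pass  # destination field was not an IP address
    return hits


def find_redirect_chains(events):
    """Rebuild per-client referrer chains and keep those that touch at least one indicator."""
    chains = []
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)
    for client, evs in by_client.items():
        by_url = {ev["url"]: ev for ev in evs}       # last request seen for each URL
        referred = {ev["referrer"] for ev in evs}    # URLs that served as a referrer
        for ev in evs:
            if ev["url"] in referred:
                continue                             # not the tail of a chain
            chain, seen, cur = [], set(), ev
            while cur is not None and cur["url"] not in seen:
                seen.add(cur["url"])                 # guard against referrer loops
                chain.append(cur)
                cur = by_url.get(cur["referrer"])    # "-" (no referrer) ends the walk
            chain.reverse()
            hits = {name for hop in chain for name in indicators(hop)}
            if hits:
                chains.append({"client": client,
                               "urls": [hop["url"] for hop in chain],
                               "indicators": sorted(hits)})
    return chains


if __name__ == "__main__":
    for chain in find_redirect_chains(parse_log(SAMPLE_LOG)):
        print(chain["client"], "|", " -> ".join(chain["urls"]), "|", ", ".join(chain["indicators"]))
```

Walking the chain back from its tail matters more than the individual hits: a single request to a "click2" host is easy to dismiss, but the full path from a legitimate page through the redirector and the fake news site to an unknown landing host is what tells an analyst which machine actually reached the exploit kit.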

Users are strongly advised to update their Flash Player browser plugin to 17.0.0.188 or later, which closes the hole these exploit kits rely on and thwarts the attackers' efforts to make more victims.