New exploits for the latest Adobe Flash Player zero-day vulnerability have been integrated into the Angler, Neutrino and Magnitude exploit kits, which are delivering several ransomware strains, banking malware and a credential-stealing Trojan to compromised computers.
According to a French researcher who goes by the handle Kafeine, Neutrino has embedded a working exploit for CVE-2016-4117 while Magnitude has not fully implemented the exploit.
In addition, Kafeine said that the Angler Exploit Kit has integrated the same Flash zero-day exploit, and that the Angler exploits are dropping the Dridex banking Trojan. Dridex previously spread through spam and phishing emails, using malicious macros embedded in Office documents to download the Trojan.
Kafeine also explained that Magnitude is firing exploits at Flash Player up to version 220.127.116.11, but the payloads are not executing even though references to the vulnerable code are present. According to Kafeine, the exploit may not have been implemented correctly, since the payloads were not working.
The Flash Player type-confusion zero-day vulnerability was patched on May 12 in an emergency update. FireEye researchers became aware of exploits for the flaw on May 8, and Adobe patched it in short order.
Kafeine stated that in different passes with the exploit kit, he saw infection payloads that included CryptXXX, Cerber and DMA Locker ransomware, as well as the Gootkit Trojan.
Gootkit has also been integrated into the Angler Exploit Kit. According to Cyphort experts, malvertising attacks were redirecting victims to Angler, which then downloaded the Bedep click-fraud malware and the Gootkit loader. Gootkit was originally used primarily to steal online banking credentials; it is now loaded into memory and leaves no files on the victims' computers.
FireEye published details on the attacks it discovered and privately disclosed to Adobe. According to the researchers, the exploits were embedded in Office documents hosted on the attackers' site, and a dynamic DNS domain was used to reference the document and payload. This allowed the attackers to spread the exploit via URL or email attachment.
The experts also said that the attacks worked against machines running Flash 18.104.22.168 and above. The exploits run shellcode that downloads and executes a second-stage shellcode, which in turn downloads and executes the malware and displays a decoy document to the victim. The malware also opens a backdoor and can receive new commands from the attackers.
In the meantime, the Magnitude EK has been pushing Cerber ransomware almost exclusively.
Proofpoint experts discovered that a previous Adobe Flash zero-day, disclosed a month earlier, had been integrated into the Magnitude and Nuclear exploit kits. Nuclear was delivering Locky ransomware to victims' machines; Locky was blamed for a number of high-profile infections at hospitals nationwide. At the same time, Cerber and CryptXXX have been climbing the ranks of ransomware.