Security Alert: Exploit Kits Activity Spikes, Targets Flash Player Mainly
Substantial increase in Neutrino, RIG and Angler activity threatens users
It seems that cyber criminals are well rested and have also gotten back to the “office”, because our team has spotted a substantial increase in exploit kit activity for Neutrino, RIG and Angler. Here’s what it’s all about:
Neutrino’s latest mutations: serving Kovter and Cryptolocker2
Our team at Heimdal Security has observed a very recent change in the servers abused by the Neutrino exploit kit. Among other malware, Neutrino now spreads ransomware from the Kovter class and ransomware from the Cryptolocker2 family. This new campaign also comes with added surreptitious tricks: Google Blackhat SEO poisoning and an immediate focus on Flash Player vulnerabilities as the distribution vector.
The campaign was launched this morning and has already injected malicious script code into legitimate websites. When visiting these websites, the victim is redirected through a selection of dedicated domains which connect to a series of new servers controlled by the attackers. These new servers are also the source of the malicious payload. Here is a selection of them:
In this particular campaign, the Neutrino exploit kit focuses on abusing outdated Adobe Flash Player installations. The final objective is to infect the victim’s PC with ransomware.
Here’s a quick overview of what’s new about the Neutrino exploit kit:
- The use of the .top top-level domain
- An improved payload delivery process, which now runs a series of tests to determine whether the browser and the Flash Player plugin are up to date, and whether a debugger is present in memory
- These tests check the Flash Player version number and look for PhantomJS, node.js or Rhino, the headless browser and JavaScript engines typically used by automated analysis systems
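As an added example from the defender's side (not code from the Heimdal post), here is a small static triage helper that flags captured landing-page JavaScript containing the Flash version probing and PhantomJS/node.js/Rhino checks listed above. The marker strings are globals those engines are publicly known to expose, and both sample scripts are constructed for this example.

```python
import re

# Marker families. Each regex matches a global or property that the named
# engine exposes (publicly documented), or a common Flash version probe.
MARKERS = [
    ("phantomjs", r"\b(?:callPhantom|_phantom)\b"),          # PhantomJS globals
    ("nodejs", r"process\.versions\.node"),                  # Node.js version table
    ("rhino", r"typeof\s+(?:java|Packages)\b"),              # Rhino's Java bridge
    ("flash_version", r"ShockwaveFlash\.ShockwaveFlash|\$version|Shockwave Flash"),
]


def triage_script(js_text: str) -> dict:
    """Return {marker family: sorted unique matches} for every family present."""
    hits = {}
    for family, pattern in MARKERS:
        found = re.findall(pattern, js_text)
        if found:
            hits[family] = sorted(set(found))
    return hits


def is_suspicious(js_text: str) -> bool:
    """Flash version probing alone is common on legitimate pages (swfobject does
    it), so require at least one headless-engine check plus a second signal."""
    hits = triage_script(js_text)
    engines = [f for f in ("phantomjs", "nodejs", "rhino") if f in hits]
    return bool(engines) and (len(engines) >= 2 or "flash_version" in hits)


# Constructed sample: ordinary swfobject-style Flash detection on a normal page.
BENIGN_SAMPLE = """
var d = navigator.plugins["Shockwave Flash"].description;
"""

# Constructed sample mimicking the environment checks described in the post.
SUSPICIOUS_SAMPLE = """
if (window.callPhantom || window._phantom) { stop(); }
if (typeof process !== 'undefined' && process.versions.node) { stop(); }
if (typeof java !== 'undefined' || typeof Packages !== 'undefined') { stop(); }
var v = new ActiveXObject("ShockwaveFlash.ShockwaveFlash").GetVariable("$version");
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, is_suspicious(sample), triage_script(sample))
```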
The CVE-2015-7645 vulnerability in the Flash Player plugin is the one mainly abused in this campaign to infect victims’ PCs with ransomware. Antivirus detection of the payload is extremely limited: at the moment the campaign was announced, 0 out of 51 solutions flagged the payload as malicious.
The RIG exploit kit poisons Google search results with malicious links
On top of the campaign described above, our team at Heimdal Security has spotted additional spikes in activity from other exploit kits, like Angler and RIG. This is RIG’s third version, which now systematically abuses known vulnerabilities in popular third-party applications like Adobe Flash, Adobe Reader, Adobe Acrobat and Silverlight to plant malware on outdated Microsoft Windows PCs. This RIG-serving campaign spreads through drive-by attacks by using Google Blackhat SEO poisoning. Here are a few examples of parts of the infected URLs:
- Christmas-tree-pull-apart
- potential-kandidater-to-replace-ken-Whisenhunt-as-tennessee-titans-head-coach
- extra-credits-addressed-chinas-propaganda-game-sesame-credit
- Capital-one
- behavioral-fit-interview-questions-3
This means that, when doing a simple Google search on how to easily remove the Christmas tree, a user can get results that point to the swarm of compromised websites where malicious script code is injected.
We’ve already blocked a number of domains used in this campaign, including this small sample: domandvilma [.] com, naughty hour books [.] com and dynamic passwords [.] us. The entire server at the IP address 192.185.21 [.] 183 is considered harmful. Besides drive-by exploit kits, this server also hosts tier-1 gateways to the C&C servers, phishing websites and other malicious content. The delivered payloads vary between an infostealer from the Pony family and the TofSee Trojan. Analysis of the TofSee sample confirmed the payload dropped on the victims’ PCs, which are associated with an IP address in Scandinavia.
From our data, derived from access to RIG exploit kit version 3 panels, we have observed that this payload achieves an infection success rate of 56% on Windows 7 PCs with Internet Explorer 9. The exploited weaknesses are in Adobe Flash Player, specifically CVE-2015-5119 (CVSS score: 10) and CVE-2015-5122 (CVSS score: 10), which are wreaking havoc among Windows-based PCs. Antivirus detection of the current payload is low: 2/55 on VirusTotal at the moment the campaign was announced.
Our recommendation is to immediately update your Flash Player installations and keep all your software up to date at all times. Also, make sure you’re using a multi-layered protection system, so that other security layers can catch the attack before your antivirus product reacts. And if you want to ensure that you’re safe from exploit kits that constantly abuse outdated applications, you can use a solution that automatically keeps your most vulnerable apps up to date. This can close up to 85% of attack angles, according to US-CERT:
According to Homeland Security’s cyber-emergency unit, US-CERT, as many as 85% of all targeted attacks can be prevented by applying a security patch.