Exploit Kits Target Recent Flash, Internet Explorer Zero-Days
Exploit kits (EKs) might not be as dominant as they were several years ago, but they continue to exist and most of them already adopted exploits for recently discovered Flash and Internet Explorer zero-day vulnerabilities.
The first of the flaws is CVE-2018-4878, a security bug in Adobe’s Flash Player discovered in late January, when it was exploited by a North Korean hacker group in attacks aimed at individuals in South Korea. Adobe released a patch within a week after the bug became public, but it continued to be targeted in numerous other attacks.
The second is CVE-2018-8174, a critical issue that allows attackers to remotely execute arbitrary code on all supported versions of Windows, and which was addressed with the May 2018 Patch Tuesday updates. The bug is an update to a 2-year-old VBScript vulnerability (CVE-2016-0189) that continues to be abused in attacks.
The recently patched Flash Player zero-day tracked as CVE-2018-5002, which has been exploited in targeted attacks, has yet to be added to EKs.
“Since both Flash and the VBScript engine are pieces of software that can be leveraged for web-based attacks, it was only natural to see their integration into exploit kits,” Malwarebytes points out.
Within days after a proof of concept became publicly available, RIG adopted the exploit for the new VBScript engine flaw, becoming the first EK to do so. The toolkit also added an exploit for said Flash bug, and was observed pushing payloads such as Bunitu, Ursnif, and the SmokeLoader backdoor.
Magnitude continues to focus on South Korea and is now targeting both CVE-2018-4878 and CVE-2018-8174. The toolkit is considered one of the most sophisticated EKs on the market, courtesy of its own Magnigate filtering, a Base64-encoded landing page, and fileless payload.
Another active EK is GreenFlash Sundown. Rather elusive in nature, it “continues to strike via compromised OpenX ad servers” and now targets CVE-2018-4878 too. Usually delivering the Hermes ransomware, it was recently observed serving a cryptocurrency miner.
The GrandSoft EK, which only targets Internet Explorer and also appears in smaller distribution campaigns, is still relying on the older CVE-2016 -0189 Internet Explorer exploit. Lacking the obfuscation EK landing pages usually feature, the toolkit was observed delivering payloads such as the AZORult stealer.
“There is no doubt that the recent influx of zero-days has given exploit kits a much-needed boost. We did notice an increase in RIG EK campaigns, which probably resulted in higher than usual successful loads for its operators. While attackers are concentrating on Microsoft Office–related exploits, we are observing a cascading effect into exploit kits,” Malwarebytes concludes.