This article is more than 1 year old

Exploit kits throw Flash bash party, invite Crypt0l0cker, spam bots

Evilware rivals race to exploit the flaws stoopid folks don't fix

Criminals behind some of the most potent exploit kits, Neutrino and RIG, are ramping up attacks slinging the latest ransomware and hosing users who have not applied recent Adobe Flash patches.

The patched vulnerabilities permit code execution and allow the dangerous hacking kits to compromise user machines.

The two above-mentioned exploit kits jostle for top spot on the evilware charts, with speedy exploitation of Flash vulnerabilities giving one the edge over the other. Damage inflicted to industry also counts for plenty, while interest from authorities isn't good for business.

Neutrino is now slinging the revamped Cryptolocker 2 (or crypt0l0cker as it is known by criminals) ransomware and variants of the Kovter malware family exploiting Flash (CVE-2015-7645) to hit user machines.

"The campaign was just launched this morning and it has injected malicious script code into legitimate websites," Heimdal security bod Andra Zaharia says.

"This new campaign also comes with added surreptitious tricks: Google Blackhat SEO (search engine optimisation) poisoning and an immediate focus on using Flash Player vulnerabilities as a distribution vector."

The exploit kit can now determine if browsers and Flash player installs are vulnerable, and is flying below antivirus detection.

Competitor RIG is targeting Adobe titles including Flash, Reader, and Acrobat, along with Microsoft Silverlight, with its third iteration spreading through Google SEO poisoning.

More than half of Windows 7 PCs running Internet Explorer 9 are p0wned when encountering RIG notably with two Flash vulnerabilities ( CVE-2015-5122 , CVE-2015-5119).

Cisco researchers also found a new RIG campaign finding it is compromising hundreds rather than thousands of victims normally popped in big exploit kit attacks.

Researcher Nick Biasini says it is reverting to delivering old school spam bot trojans rather than new wave ransomware.

Cisco approached an implicated hosting provider Eurobyte and subsequently banned its IP address subnet after it did not respond to requests to take down the RIG infrastructure.

Angler, broadly regarded as the foremost among exploit kit menaces, has been on a "temporary vacation" since the end of last year, Biasini says. ®

More about


Send us news

Other stories you might like