Massive malvertising campaign leads to latest Flash Player zero-day exploit

It has been a tough start to the year for Adobe, and a dangerous one for Adobe Flash Player users.

The recently discovered zero-day vulnerability (CVE-2015-0313), which affects the latest version of the software, is being actively exploited in the wild via the Hanjuan exploit kit.

According to Malwarebytes researchers, this flaw has been exploited as far back as December 9, 2014, and users are targeted via malicious ads shown on a number of high-profile sites, including dailymotion.com, theblaze.com, nydailynews.com, tagged.com, and many more.

The ultimate goal of the attackers is to install the Bedep Trojan on the victims’ machines. Bedep “zombifies” the machine, downloads additional malware, and performs advertising fraud routines.

In the meantime, according to the researcher Kafeine, an exploit for CVE-2015-0311, a Flash Player zero-day that Adobe recently patched, has been added to other exploit kits: Nuclear Pack, RIG, and Fiesta.

Cisco researchers have also tracked the actions of the crooks behind the Angler EK, and have discovered that the cybercriminals compromised over 50 accounts of GoDaddy registrants. Using these accounts, they created subdomains redirecting to the EK under some 1,800 domains managed by the account holders.

“There are enough of these domains that some of them are only seen once before being abandoned. None of the actual root domains appear to be compromised and are legitimately registered to owners,” the researchers pointed out.

“Our telemetry data points to another ~650 of these subdomains linked back to a single IP address, 176.103.144.48. The main distribution method is malvertising with the malicious advertisement pointing to an initial tier of compromised subdomains. These sites then redirect to another subdomain delivering landing page and exploitation,” they explained.
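The infrastructure pattern described above (many throwaway subdomains created under legitimate registered domains, most seen only once, a large share of them resolving to a single IP) is something a defender can look for in passive DNS or proxy logs. The following is an added example written for this article, not code from Cisco, Malwarebytes or any of the vendors mentioned; the log records, domain names, IP addresses and thresholds are all constructed for illustration, and the registered-domain extraction is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
"""Heuristic detection of domain-shadowing infrastructure in DNS logs.

Pattern being looked for (constructed example, not vendor code):
  * one resolved IP
  * serving many subdomains spread across many unrelated registered domains
  * where almost every subdomain is observed only once
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records: (queried FQDN, resolved IP). Names use reserved
# example domains and IPs from the documentation ranges; none are real IoCs.
SAMPLE_RECORDS = [
    ("www.example.com", "198.51.100.7"),      # ordinary site, repeated lookups
    ("mail.example.com", "198.51.100.7"),
    ("www.example.com", "198.51.100.7"),
    ("a8f3k.example.org", "203.0.113.10"),   # five one-off subdomains under
    ("q2mz7.example.net", "203.0.113.10"),   # five different registered domains,
    ("t5ylc.alpha.example", "203.0.113.10"), # all pointing at one IP
    ("bb12x.beta.example", "203.0.113.10"),
    ("h7n0d.gamma.example", "203.0.113.10"),
    ("cdn.example.net", "192.0.2.40"),       # single hostname, seen twice
    ("cdn.example.net", "192.0.2.40"),
]


def normalize(fqdn: str) -> str:
    """Lower-case and strip a trailing dot so equivalent names compare equal."""
    return fqdn.lower().rstrip(".")


def registered_domain(fqdn: str) -> str:
    """Return the registered (root) domain of a name.

    Simplification for the example: the last two labels. Production code
    should consult the Public Suffix List so suffixes like 'co.uk' work.
    """
    labels = normalize(fqdn).split(".")
    return ".".join(labels[-2:])


@dataclass
class IpProfile:
    """Everything observed resolving to one IP address."""
    ip: str
    hits: dict = field(default_factory=lambda: defaultdict(int))  # fqdn -> count

    @property
    def registered_domains(self) -> set:
        return {registered_domain(f) for f in self.hits}

    @property
    def singletons(self) -> int:
        # Subdomains observed exactly once, the "seen once then abandoned" trait
        return sum(1 for c in self.hits.values() if c == 1)


def profile_by_ip(records) -> dict:
    """Group (fqdn, ip) records into one IpProfile per IP."""
    profiles: dict[str, IpProfile] = {}
    for fqdn, ip in records:
        prof = profiles.setdefault(ip, IpProfile(ip))
        prof.hits[normalize(fqdn)] += 1
    return profiles


def shadowing_report(records) -> dict:
    """Per-IP summary counts used by the detection rule."""
    report = {}
    for ip, prof in profile_by_ip(records).items():
        report[ip] = {
            "subdomains": len(prof.hits),
            "registered_domains": len(prof.registered_domains),
            "singletons": prof.singletons,
        }
    return report


def flag_shadowing(records, min_roots: int = 3, min_singleton_ratio: float = 0.8) -> list:
    """Return IPs whose resolution profile matches the shadowing heuristic.

    Thresholds are constructed for the example; tune them against your own
    baseline, since shared hosting also puts many root domains on one IP but
    those names tend to be looked up repeatedly rather than once.
    """
    flagged = []
    for ip, prof in profile_by_ip(records).items():
        total = len(prof.hits)
        if total == 0:
            continue
        many_roots = len(prof.registered_domains) >= min_roots
        mostly_one_offs = prof.singletons / total >= min_singleton_ratio
        if many_roots and mostly_one_offs:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in flag_shadowing(SAMPLE_RECORDS):
        print(ip, shadowing_report(SAMPLE_RECORDS)[ip])
```

Run against the constructed records, only 203.0.113.10 is flagged: it serves five subdomains under five different registered domains, each queried once, while the shared-hosting-style IP 198.51.100.7 fails the root-domain threshold and 192.0.2.40 fails the singleton ratio. In a real deployment the same grouping would be run over passive DNS or proxy logs, with the flagged IPs and their subdomain lists handed to an analyst rather than blocked automatically.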

Users are advised to disable Flash Player until a fixed version is released this week (as announced by Adobe). I would add that now is a good time for them to reevaluate their need for the buggy software.
