Flash Zero-Day Serves Up En Masse Ransomware

Written by

A fresh, unpatched zero-day vulnerability in Adobe Flash Player is being exploited by the Angler exploit kit, making for widespread targeting. To boot, it is dropping a trojan downloader called Bedep, which has now achieved a persistent form and is being used to serve up ransomware.

“Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to (included) is installed and enabled,” said independent tester Kafeine, who first discovered the issue, in the Malware Don’t Need Coffee blog.

The Bedep payload was originally spotted in September of 2014, but it wasn’t persistent at the time. Now it is, and is being used to commit ad fraud in addition to loading additional malware, often  ransomware baddies CryptoLocker or Critroni.

“This family is the child of the group behind Angler EK and Reveton, and is fast replacing Reveton in many distribution paths,” Kafeine noted. “We have seen this ransomware-from-ad-fraud transition with Kovter as well, where some do ransomware-from-banking [trojan].”

So far the exploit affects the latest version of Flash Player, and illustrates what Websense calls an increasing trend of exploit kits shifting from Java, Internet Explorer and PDF exploits in favor of the more successful Flash and Silverlight exploits.

“Malware authors are bringing their proven formula into 2015. What better way to establish a foothold in numerous organizations than by hitting businesses in their popular applications,” said Carl Leonard, principal security analyst at Websense, in an email. “This is why companies need defense in depth, with protection across all stages of the kill chain. Most importantly, data theft prevention is so important because it's the final stage, and the most dangerous. Left exposed, it opens the door to the bad guys and gives them access to the company's most valuable secrets.”

The zero-day is effectively opening an unguarded window into PCs worldwide, according to Pedro Bustamante, director of special projects at Malwarebytes.

“The fact that it has seemingly been integrated into the Angler exploit kit shows that criminals are keen to use it to target people and businesses en-masse,” he told Infosecurity. “Using a delivery mechanism such as Angler increases the chance of successful infections, allowing for accurate attacks through infected adverts on high-traffic websites.”

As the company explained in its blog on what makes exploit kits so dangerous, web denizens can be infected by doing “nothing more than reading a news website or browsing for some online shopping. They haven’t clicked a bad link, visited a risky website or installed anything strange. However, next thing they know their credit card details have been stolen, Facebook account hijacked or the pictures on their laptop are being held to ransom.”

An immediate (and simple) short-term fix to avoid such a scenario is to disable Flash Player in web browsers until Adobe releases a patch. 

What’s hot on Infosecurity Magazine?