• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Bad Sites   »   Freshly Patched Flash Exploit Added to Nuclear Exploit Kit

Freshly Patched Flash Exploit Added to Nuclear Exploit Kit

  • Posted on:March 20, 2015 at 6:58 am
  • Posted in:Bad Sites, Exploits, Malware
  • Author:
    Peter Pi (Threats Analyst)
0

We have detected through feedback from the Trend Micro™ Smart Protection Network™ that the Nuclear Exploit Kit has been updated to include the recently fixed Adobe Flash Player vulnerability identified as CVE-2015-0336. We first saw signs of this malicious activity on March 18 this year.

This particular vulnerability was only recently fixed as part of Adobe’s regular March update for Adobe Flash Player which upgraded the software to version 17.0.0.134. However, our feedback indicates that many users are still running the previous version (16.0.0.305). (We recommend that users stay up-to-date with the latest Flash Player version, and this incident is an excellent reminder of why.) We noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that pattern shows no sign of changing soon.

This exploit, detected as SWF_EXPLOIT.OJF, is being distributed to users via compromised websites, including one for an Internet Explorer repair tool and various Japanese pornographic sites. Users are directed to landing page located at hxxp://_ibalinkmedia[.]com/S0ldSAZRTlpQVV8MXFhfUVcMUx1RW14.html; this loads the Flash exploit located at hxxp://_ibalinkmedia[.]com/V0tCSEofXU8HAE9UCgBOXVEEXlpcX14AVlpTGlAKX08ABgNLBwAcAA

BLAQJOBQdXBAQDBgNWA09UWAE.

We believe that this is the Nuclear Exploit Kit for two reasons: first, the style of the URLs listed above is consistent with previous Nuclear attacks. Secondly, the content of the landing page is also consistent with the Nuclear Exploit Kit:

Figure 1. HTML code of landing page

Our feedback information shows that more than 8,700 users have visited the above URLs. More than 90% of these victims are from Japan.

Figure 2. Distribution of would-be victims by country

Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.  The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention protects against exploits that target browsers or related plugins.

The SHA1 of the malicious Adobe Flash exploit is:

  • d2bbb2b0075e81bfd0377b6cf3805f32b61a922e
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: adobe flashExploitnuclear exploit kit

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.