Cisco’s Nick Biasini said 1,800 domains have been compromised for use in the Flash zero-day exploit campaign, and have been used with five IP addresses: 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, and 18.104.22.168.
“These domains are associated with the landing page and exploits,” Biasini said. “None of the actual root domains appear to be compromised and are legitimately registered to owners.”
The latest Angler/Flash campaign hit its peak Jan. 28 and 29 with almost 1,400 infections over that 48-hour period before tapering off two days later.
“There are enough of these domains that some of them are only seen once before being abandoned. The majority of the compromised domains are registered through GoDaddy and it appears that 50+ accounts have been compromised,” he said. “Many of these accounts control multiple domains with some controlling 45+ unique domains.”
Cisco published a small sample of subdomains involved in these attacks that were registered to one domain, all of them resolving to one IP address, Biasini said. Another set of subdomains, he said, act as the initial redirection page. The attackers are using malicious online advertisements to serve the exploits, with the ads pointing to compromised subdomains. Those sites redirect to another subdomain that serves up a landing page and either Flash or Microsoft Silverlight exploits, both of which are included in the Angler kit.
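The pattern Cisco describes above (dozens of throwaway subdomains under one legitimately registered domain, all resolving to the same address and most seen only once) can be surfaced from DNS or proxy logs. The following is an added example, not Cisco's tooling or the article's code; the log lines, hostnames and IP addresses are constructed, and the apex-domain extraction is a deliberate simplification (last two labels) that a real deployment would replace with a Public Suffix List lookup.

```python
"""Flag domain-shadowing candidates in DNS/proxy logs (added example).

Heuristic taken from the campaign described above: a burst of hostnames
under one registered domain, resolving to one or two IPs, most of them
seen only once before being abandoned.
"""
from collections import defaultdict

# Constructed sample log: "<fqdn> <resolved_ip>", one lookup per line.
# example-owner.com is the shadowed apex; news-site.example is benign.
SAMPLE_LOG = """\
a1b2c3.example-owner.com 192.0.2.10
d4e5f6.example-owner.com 192.0.2.10
g7h8i9.example-owner.com 192.0.2.10
j0k1l2.example-owner.com 192.0.2.10
m3n4o5.example-owner.com 192.0.2.10
www.example-owner.com 198.51.100.7
www.example-owner.com 198.51.100.7
cdn.news-site.example 203.0.113.5
cdn.news-site.example 203.0.113.5
img.news-site.example 203.0.113.6
"""


def registered_domain(fqdn):
    """Naive apex extraction (last two labels). Assumption for this example;
    use the Public Suffix List in practice so that co.uk-style suffixes work."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shadowing_candidates(log_text, min_subdomains=5, max_ips=2, min_single_use=0.8):
    """Return {apex: stats} for apex domains whose hostname pattern looks like
    shadowing: many distinct hostnames, few IPs, most hostnames seen once."""
    hosts = defaultdict(lambda: defaultdict(int))  # apex -> fqdn -> hit count
    ips = defaultdict(set)                          # apex -> resolved IPs
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fqdn, ip = line.split()
        apex = registered_domain(fqdn)
        hosts[apex][fqdn] += 1
        ips[apex].add(ip)
    flagged = {}
    for apex, counts in hosts.items():
        single_use = sum(1 for n in counts.values() if n == 1)
        ratio = single_use / len(counts)
        if len(counts) >= min_subdomains and len(ips[apex]) <= max_ips and ratio >= min_single_use:
            flagged[apex] = {"subdomains": len(counts), "ips": sorted(ips[apex]),
                             "single_use_ratio": round(ratio, 2)}
    return flagged
```

The thresholds are starting points; tune them against your own baseline, since legitimate CDNs and hosting panels also generate many hostnames under one apex.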
Most of the hashes have low detection rates, Cisco said.
“This is another example of how Angler Exploit Kit continues to differentiate itself. It changes and evolves on a constant basis producing new variation on the existing exploits as well as providing enough customization on the recent vulnerability (CVE-2015-0311) to effectively avoid reliable detection,” Biasini said. “If the first month of 2015 is any indication, the Angler Exploit Kit could have a big year.”
Kafeine spotted the Flash zero-day exploit code in Angler on Jan. 20, when it was installing click-fraud malware known as Bedep, which older versions of Angler also installed. Further analysis by researchers at Websense revealed that the zero-day exploit could inject malicious payloads into users’ browsers. The exploit code was hidden under several layers of obfuscation to keep it from being detected.
Adobe released a patch on Jan. 24 for customers who had enabled auto-update for Flash on the desktop, before releasing an out-of-band patch two days later. On Monday, another unrelated Flash zero day, the third in two weeks, was patched in another emergency update.