A fresh attack leveraging the most recently discovered Flash zero-day has surfaced, and it has a twist: the perpetrators are not using an exploit kit (EK).
Malwarebytes Labs senior security researcher Jerome Segura has found that the DirectRev ad network is hosting a rogue ad directly on its own server, which in turn leads to the Flash exploit. The campaign filters out VPNs and other aggregation technologies so that only visitors on genuine IP addresses are targeted. The payload is Kovter, an ad fraud Trojan.
The ad is booby-trapped in such a way that it silently loads an external URL when a site visitor comes along—a generally unacceptable practice when it comes to online advertising.
“We can clearly see how the malicious actor crafted the URL by using a very basic regular expression to slightly bypass security scanners looking for a URL pattern,” Segura said in a blog post. As with most malvertising attacks, the exploit code is served only once per IP address, and geolocation checks are performed to make sure the user is genuine and not hiding behind a VPN. In practice this also means that a scanner or analyst revisiting the ad from an already-seen or datacenter IP address receives a clean page, which is one reason such campaigns survive routine checks.
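The two points above, a creative that silently loads an external URL and a URL assembled at run time so that a pattern-matching scanner never sees it, can be shown side by side. The following is an added example, not code from the article, from Malwarebytes or from the DirectRev creative: the two ad creatives, the mangling rule (`hxxp:##` repaired with a regex), the scanner regex and the `*.invalid` hostnames are all constructed for illustration. A naive static scan catches the plain creative and misses the obfuscated one; running the creative against a stub DOM that records every `src` assignment catches both.

```javascript
// Added example (not from the article or from Malwarebytes): why a URL-pattern
// scanner misses an ad creative that assembles its external URL at run time,
// and how recording what the creative actually loads catches it.
// All creatives, regexes and hostnames below are constructed for illustration.

// Constructed creative 1: loads a literal external URL (what a scanner expects).
const PLAIN_CREATIVE = `
  var f = document.createElement("iframe");
  f.src = "http://ads.example.invalid/landing.php?id=42";
  document.body.appendChild(f);
`;

// Constructed creative 2: the same URL stored in a mangled form and repaired
// with a very basic regular expression just before use, so the literal
// "http://..." never appears in the source text a static scanner reads.
const OBFUSCATED_CREATIVE = `
  var u = "hxxp:##ads.example.invalid#landing.php?id=42";
  u = u.replace(/xx/, "tt").replace(/#/g, "/");   // hypothetical mangling rule
  var f = document.createElement("iframe");
  f.src = u;
  document.body.appendChild(f);
`;

// Static check: a scanner that only looks for a URL pattern in the source.
const URL_PATTERN = /https?:\/\/[^\s"']+/i;
function staticScanFindsUrl(source) {
  return URL_PATTERN.test(source);
}

// Behavioral check: execute the creative against a stub document whose
// elements record every value assigned to .src, then inspect the list.
function loadedUrls(source) {
  const urls = [];
  const makeElement = () => {
    const el = { appendChild() {} };
    Object.defineProperty(el, "src", {
      set(v) { urls.push(String(v)); },
      get() { return urls[urls.length - 1]; },
    });
    return el;
  };
  const stubDocument = {
    createElement: makeElement,
    body: { appendChild() {} },
  };
  // The creative sees only the stub document; nothing is fetched.
  new Function("document", source)(stubDocument);
  return urls;
}

// Policy: a creative that loads anything outside the ad network's own host
// is silently loading an external URL.
function loadsExternalUrl(source, allowedHost) {
  return loadedUrls(source).some((u) => {
    try {
      return new URL(u).hostname !== allowedHost;
    } catch (e) {
      return true; // an unparsable src is itself worth flagging
    }
  });
}
```

`staticScanFindsUrl` returns true for the plain creative and false for the obfuscated one, while `loadedUrls` returns the fully repaired `http://ads.example.invalid/...` for both. Running untrusted creatives with `new Function` in-process is only acceptable here because the stub document gives them nothing to reach; a real ad scanner would do the same observation inside an instrumented, isolated browser and, given the once-per-IP serving described above, from a fresh non-datacenter IP address.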
This is not the first time that a Flash exploit has been delivered without using an EK, but it remains a rare occurrence, Segura pointed out.
“The benefit of doing that is that it's very streamlined and lightweight—and much harder to detect by security scanners since there's no landing page or other artifacts as are typically present with exploit kits,” he explained.
Malwarebytes said that so far only about a dozen websites have been affected. DirectRev said it has now closed this particular campaign and will flush the rogue ad from its CDN.
On a related and important note, Malwarebytes found that the zero-day has driven a surge in drive-by download attacks overall since its discovery, because many end users have not yet patched their machines.