Red Kit an Emerging Exploit Pack

Exploit kits are toolkits that are used to build malware components such as binaries and scripts. They automate the exploitation of client-side vulnerabilities, targeting browsers and programs.

These exploit kits provide an effective way for cybercriminals to distribute malware without the user's consent. Among these kits, the Blackhole exploit kit is one of the most prevalent. Now another kit has gained the attention of the security research community. McAfee Labs has observed an increase in the use of the Red Kit exploit kit. The Red Kit targets vulnerabilities in applications such as Java and Adobe Reader.

[Image: Overview of an attack.]

As shown in the preceding image, the infection starts when a user visits a compromised website, which contains the link to a Red Kit landing page. The link to the compromised web page may arrive via email as part of a spam campaign to lure the user into clicking the malicious link.

[Image: Redirector.]

The landing page appears similar to that of Blackhole. It uses plug-in detection code (Version 0.7.7) to identify the version of the browser plug-ins installed in the system:

[Image: Plug-in detects Version 0.7.7.]

We have observed that the Red Kit uses different URL patterns for its landing pages. Some of them follow:

  • hxxp://[domain name]/ewci.htm
  • hxxp://[domain name]/hmod.html
  • hxxp://[domain name]/mhes.html
  • hxxp://[domain name]/hmpu.html
  • hxxp://[domain name]/asjs.html
  • hxxp://[domain name]/aces.htm
  • hxxp://[domain name]/aoef.htm

The landing page also contains code to download malicious .jar and .pdf files. These files target the vulnerabilities CVE-2012-1723 and CVE-2010-0188.

[Image: A Red Kit landing page.]

This exploit kit uses a unique URL pattern for downloading the .jar and .pdf files:

  • hxxp://[domain name]/332.jar
  • hxxp://[domain name]/887.jar
  • hxxp://[domain name]/987.pdf

The payloads of the .jar and .pdf files are also downloaded from unique URL patterns:

  • “332.jar” downloads its payload from “hxxp://[domain name]/33.html”
  • “887.jar” downloads its payload from “hxxp://[domain name]/41.html”
  • “987.pdf” downloads its payload from “hxxp://[domain name]/62.html”

The final payloads are identified as a downloader that delivers additional payloads from the remote server.

How to prevent this attack:

  • Blocking the URL patterns we have noted is one efficient way to prevent this attack. The landing page URL patterns are constantly changing, but the payload URL patterns have remained the same for all malicious domains we have seen.
  • In spite of the availability of patches for known vulnerabilities such as CVE-2012-1723 and CVE-2010-0188, this exploit kit still targets these vulnerabilities. McAfee recommends that you update to the latest patches available for Java and Adobe Reader.
  • We advise our customers to exercise extra caution when opening unsolicited emails and clicking unknown links.
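
One way to act on the first prevention point, as an added example that is not McAfee's code: a Python check over web proxy logs that flags a client fetching one of the listed exploit files and then its paired payload URL from the same host. The log format, the `.example` hosts and the four-letter landing-page regex are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Exploit file -> payload path pairs, exactly as listed in the article.
EXPLOIT_TO_PAYLOAD = {"/332.jar": "/33.html", "/887.jar": "/41.html",
                      "/987.pdf": "/62.html"}
# Assumption: landing pages are four lowercase letters plus .htm/.html,
# generalized from the article's examples (the article says these change).
LANDING_RE = re.compile(r"^/[a-z]{4}\.html?$")

def find_redkit_chains(log_lines):
    """Return one finding per (client, host) that fetched an exploit file
    and later its paired payload URL from the same host."""
    pending = {}     # (client, host) -> payload paths now expected
    landing = set()  # (client, host) pairs that hit a landing-like page
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, url = parts
        u = urlsplit(url)
        key, path = (client, u.hostname), u.path
        if LANDING_RE.match(path):
            landing.add(key)
        if path in EXPLOIT_TO_PAYLOAD:
            pending.setdefault(key, set()).add(EXPLOIT_TO_PAYLOAD[path])
        elif path in pending.get(key, ()):
            pending[key].discard(path)  # report each chain once
            findings.append({"time": ts, "client": client, "host": u.hostname,
                             "payload": path, "landing_seen": key in landing})
    return findings

# Constructed sample log: "<timestamp> <client ip> <url>" (hypothetical format).
SAMPLE_LOG = [
    "2013-01-10T09:00:01 10.0.0.5 http://site-a.example/hmod.html",
    "2013-01-10T09:00:03 10.0.0.5 http://site-a.example/332.jar",
    "2013-01-10T09:00:06 10.0.0.5 http://site-a.example/33.html",
    "2013-01-10T09:01:00 10.0.0.7 http://site-b.example/41.html",  # no exploit fetch first
    "2013-01-10T09:02:00 10.0.0.9 http://site-c.example/987.pdf",
    "2013-01-10T09:02:04 10.0.0.9 http://site-d.example/62.html",  # different host
]

if __name__ == "__main__":
    for finding in find_redkit_chains(SAMPLE_LOG):
        print(finding)
```

Correlating the exploit fetch with its payload fetch keeps a lone request for a short numeric `.html` page from raising an alert on its own.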

McAfee products detect these exploits as “JS/Exploit.Rekit.”