Exploit kits are toolkits used to build malware components such as binaries and scripts. They automate the exploitation of client-side vulnerabilities, targeting browsers and the programs that run inside them.
These exploit kits give cybercriminals an effective way to distribute malware without the user's consent. Among these kits, the Blackhole exploit kit is one of the most prevalent. Now another kit has gained the attention of the security research community: McAfee Labs has observed an increase in the use of the Red Kit exploit kit. Red Kit targets vulnerabilities in applications such as Java and Adobe Reader.
[Image: Overview of an attack.]
As shown in the preceding image, the infection starts when a user visits a compromised website that contains a link to a Red Kit landing page. The link to the compromised web page may arrive via email as part of a spam campaign that lures the user into clicking it.
The landing page looks similar to Blackhole's. It uses plug-in detection code (Version 0.7.7) to identify the versions of the browser plug-ins installed on the system:
[Image: Plug-in detection code, Version 0.7.7.]
We have observed that Red Kit uses several different URL patterns for its landing pages. Some of them follow:
[Image: A Red Kit landing page.]
This exploit kit uses a unique URL pattern for downloading the .jar and .pdf files:
The payloads of the .jar and .pdf files are also downloaded from unique URL patterns:
The final payloads are identified as a downloader, which fetches additional payloads from a remote server.
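As an added example (not from the original post or from McAfee), the following Python correlates proxy log entries per client and host to flag the sequence described above: an HTML landing page, then a .jar or .pdf fetch, then an executable from the same host within a short window. The log lines, hostnames and paths are constructed placeholders; Red Kit's actual URL patterns are not reproduced here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines modelled on the chain described in the post.
# Hostnames and paths are placeholders, not Red Kit's real URL patterns.
SAMPLE_LOG = """\
2013-01-10T10:00:01 10.0.0.5 GET http://compromised.example/news.html text/html
2013-01-10T10:00:02 10.0.0.5 GET http://landing.example/abcd.html text/html
2013-01-10T10:00:04 10.0.0.5 GET http://landing.example/abcd.jar application/java-archive
2013-01-10T10:00:05 10.0.0.5 GET http://landing.example/abcd.pdf application/pdf
2013-01-10T10:00:09 10.0.0.5 GET http://landing.example/12.exe application/octet-stream
2013-01-10T10:01:00 10.0.0.7 GET http://docs.example/manual.pdf application/pdf
2013-01-10T10:30:00 10.0.0.7 GET http://updates.example/setup.exe application/octet-stream
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET (\S+) (\S+)$")
EXPLOIT_EXT = (".jar", ".pdf")
WINDOW = timedelta(seconds=60)

def parse(log):
    """Yield (timestamp, client, host, url, content_type) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, url, ctype = m.groups()
            yield datetime.fromisoformat(ts), client, url.split("/")[2], url.lower(), ctype

def _chain_follows(events, start, window):
    """True if an exploit file and then an executable follow events[start] inside window."""
    t0 = events[start][0]
    seen_exploit = False
    for t, url, ctype in events[start + 1:]:
        if t - t0 > window:
            return False
        if url.endswith(EXPLOIT_EXT):
            seen_exploit = True
        elif seen_exploit and (url.endswith(".exe") or ctype == "application/octet-stream"):
            return True
    return False

def find_exploit_chains(log, window=WINDOW):
    """Return (client, host) pairs whose requests show the full drive-by sequence."""
    by_key = defaultdict(list)
    for ts, client, host, url, ctype in parse(log):
        by_key[(client, host)].append((ts, url, ctype))
    hits = []
    for key, events in by_key.items():
        events.sort()
        if any(ct == "text/html" and _chain_follows(events, i, window)
               for i, (_, _, ct) in enumerate(events)):
            hits.append(key)
    return hits
```

A lone PDF or executable download is not flagged; only the ordered landing-page, exploit-file, executable sequence from one host is.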
How to prevent this attack:
McAfee products detect these exploits as “JS/Exploit.Rekit.”