Visualizing RedKit Exploits

Posted: 9th January 2014
The private but popular RedKit exploit kit appears to be experiencing a resurgence based on a report by Kahu Security. Initially spotted back in May 2012, the exploit kit drew attention after cybercriminals used it in drive-by-download attacks from NBC’s compromised website in January 2013 and spam campaigns immediately after the Boston Marathon bombings.

These attacks featured iframes on the compromised websites performing simultaneous actions when rendered in a victim’s web browser. The exploit kit competes against and leverages some of the same exploits as CritXPack, Gong Da, Nuclear Pack, Cool, and Blackhole 2.0. Monitoring developments and adoption of RedKit may be of particular interest given the recent arrest in Russia of Blackhole’s creator.

Cybercriminals have compromised several high profile sites including but not limited to NBC assets and the Segway website to carry out their operations with RedKit. Security experts have also reported pharmaceutical sites and Japanese commercial channels as hosts for RedKit EK servers.

Here’s a more detailed look at RedKit’s addition of exploits for specific vulnerabilities, some of which were already very nicely detailed by Malwageddon, as well as the malware dropped on successful exploitation and the other exploit kits with which it has been partnered:

RedKit EK initially included two exploits – targeting CVE-2010-0188 (Adobe Acrobat and Reader LibTIFF) and CVE-2012-0507 (Java AtomicReferenceArray) – before expanding to include at least nine different exploits. The most recent additions – targeting CVE-2013-0431 and CVE-2013-1493 – were observed in the compromise of Segway’s website.

What’s an example of RedKit in action? On April 16, the Kelihos and Cutwail botnets began sending out spam with subject lines related to the Boston bombing. The emails referred recipients to a site that would compromise their systems via the RedKit exploit kit and install bot software as well as the ZeroAccess trojan used to mine Bitcoin.

Monitor Exploit Developments

From the information discovery above, conducted using Recorded Future, we put together a list of the nine vulnerabilities exploited by RedKit (most of them in Java) and set up a monitoring dashboard that displays recently discussed technical details.

Reach out to us at Recorded Future if you’d be interested in real-time alerts on these or related issues, and please also drop by the Naked Security blog by Sophos, which has published two in-depth blog posts on RedKit.