A new exploit kit is looking to take market share away from the BlackHole and Phoenix exploit kits.

This new kit has no official name, so researchers called it RedKit due to the red coloring scheme of its administration panel, Trustwave officials said.

Using Malware for Recon Work
Russian Cybercrime Consolidates, Grows
Spammers: It Just Keeps Working
Rogue AV Lets Victims do Dirty Work

RedKit’s creators decided to promote it by using banners, and potential buyers are required to share their Jabber username by inputting it into an online form hosted on a compromised site.

Equipped with this piece of information, the developers are the ones who contact the buyers and provide them with a demo account so they can check the software out.

Schneider Bold

The admin panel looks pretty much as any other, and offers the usual things: Statistics for incoming traffic, the option to upload a payload executable and scan it with 37 different AVs.

As each malicious URL ends up blocked by most security firms in the first 24 to 48 hours, the exploit kit developers also provide an API which produces a fresh URL every hour, so customers can set up an automated process for updating the traffic sources every hour or so to point to the new URL.

“This basically means that people behind this project have invested considerable amount of resources and reserved a big batch of domains to use over a period of time,” the researchers said.

To deliver the malware, RedKit exploits two popular bugs: The Adobe Acrobat and Reader LibTIFF vulnerability (CVE-2010-0188) and the Java AtomicReferenceArray vulnerability (CVE-2012-0507), used by the attacker behind the massive Flashback infection.

Pin It on Pinterest

Share This