RedKit: a new private exploit kit spotted in the wild

Trustwave security researchers have spotted a new private exploit kit in the wild. The new kit has no official name, so the researchers dubbed it'Redkit' due to the red bordering used in the application's panel.

The developers promote the kit with a standard banner, the buyers are required to share their Jabber username by filling the online form hosted on a compromised site of some unsuspecting Christian church.

"Logging to the admin panel presents you with options which are typically used by other exploit kits.The panel allows you to check the statistics for incoming traffic, upload a payload executable and even scan this payload with no less than 37(!) different AV’s." Trustwave researchers said.

As each malicious URL gets blocked by most security firms after 24 to 48 hours, the Redkit's author have provide a new API which will produce a fresh URL every hour, so that customer of this exploit kit can now set up an automated process for updating the traffic sources every hour or so to point to the new URL.

The kit exploits two of the most popular vulnerabilities but the authors probably will add more exploits soon in order to catch up with the “industry leaders” such as BlackHole and Phoenix exploit kits.

The first exploit is a fairly obfuscated PDF file that exploits the LibTIFF vulnerability (CVE-2010-0188) and the second one is Java AtomicReferenceArray vulnerability (CVE-2012-0507).

Category: / /

Share this with Your friends: