RedKit exploit kit spotted in the wild

A new exploit kit that Trustwave researchers have spotted being used in the wild is aiming to enter a market that is practically monopolized by the widely famous BlackHole and Phoenix exploit kits.

This new kit has no official name, so the researchers dubbed it RedKit due to the red coloring scheme of its administration panel.

RedKit’s creators decided to promote it by using banners, and potential buyers are required to share their Jabber username by inputing it into an online form hosted on a compromised site of a Christian church.

Equipped with this piece of information, the developers are the ones who contact the buyers and provide them with a demo account so that they can check the software out.

The admin panel looks pretty much as any other, and offers the usual things: statistics for incoming traffic, the option to upload a payload executable and scan it with 37 different AVs (click on the screenshot to enlarge it):

As each malicious URL gets blocked by most security firms in the first 24 to 48 hours, the exploit kit developers also provide an API which produces a fresh URL every hour, so that customers can set up an automated process for updating the traffic sources every hour or so to point to the new URL.

“This basically means that people behind this project have invested considerable amount of resources and reserved a big batch of domains to use over a period of time,” the researchers explain.

To deliver the malware, RedKit exploits two popular bugs: the Adobe Acrobat and Reader LibTIFF vulnerability (CVE-2010-0188) and the Java AtomicReferenceArray vulnerability (CVE-2012-0507), lately used by the criminals behind the massive Flashback infection.