A new exploit kit Trustwave researchers spotted in the wild is aiming to enter a market practically monopolized by the BlackHole and Phoenix exploit kits. This new kit has no official name, so the researchers dubbed it RedKit due to the red coloring scheme of its administration panel. RedKit’s creators decided to promote it by using banners, and potential buyers are required to share their Jabber username by inputting it into an online form hosted on a compromised site of a Christian church. Equipped with this piece of data, the developers contact the buyers and provide them with a demo account so they can examine the software.
The admin panel looks similar to those of other kits, and offers the usual tools: statistics for incoming traffic and the option to upload a payload executable and scan it with 37 different antivirus programs. As each malicious URL gets blocked by most security firms within the first 24 to 48 hours, the kit developers also provide an API that produces a fresh URL every hour, so customers can set up an automated process for updating their traffic sources to point to the new URL. To deliver the malware, RedKit exploits two popular bugs: the Adobe Acrobat and Reader LibTIFF vulnerability (CVE-2010-0188) and the Java AtomicReferenceArray vulnerability (CVE-2012-0507), recently used by the criminals behind the massive Flashback infection.