RedKit Private Exploit Tool Emerges in the Wild

Friday, May 04, 2012



Researchers at security provider Trustwave have identified a new exploit kit in the wild that is being sold as a fee-based service and promoted with a conventional banner ad.

The researchers have dubbed the tool "RedKit" for the prominent red border of the application's GUI panel. Interested parties can sign up for a demo of the tool using a Jabber account.

"Logging in to the admin panel presents you with options which are typically used by other exploit kits. The panel allows you to check the statistics for incoming traffic, upload a payload executable and even scan this payload with no less than 37(!) different AVs," Trustwave reports.

One obstacle for criminals who run a kit such as RedKit is that a campaign is usually short-lived: once the malicious URL becomes widely recognized by commercial antivirus software, new infections are blocked.

"Luckily, the authors of RedKit have solved this issue by providing an API which will produce a fresh URL every hour. How convenient! Any customer of this exploit kit can now set up an automated process for updating the traffic sources every hour or so to point to the new URL," Trustwave noted.

The breadth of the kit's features leads the researchers to believe that its developers have committed serious time and money to RedKit's design.

"This basically means that people behind this project have invested a considerable amount of resources and reserved a big batch of domains to use over a period of time. Just like in any other business, one has to put some money in order to generate more money and the profit is proportional to the initial investment," they explained.
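The hourly URL rotation and the pre-reserved batch of domains described above are a defender's problem: an exact-URL blocklist is stale within the hour. The following is an added example, not code from Trustwave's analysis or from RedKit, showing why a URL blocklist misses the rotated landing page and how a "young host" heuristic over proxy logs (a host first seen recently, used by few clients, serving a PDF or JAR) can catch the rotation instead. The log format, the hostnames, the content types and the thresholds are all constructed for illustration; nothing here reflects RedKit's actual URL or domain scheme.

```python
# Added example: exact-URL blocklist vs. a first-seen-host heuristic for proxy logs.
# The log format, hostnames and thresholds below are constructed; they are not
# RedKit's real URL pattern or Trustwave's detection logic.
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from urllib.parse import urlsplit

Request = namedtuple("Request", "ts client url ctype")

# Constructed proxy log: one long-lived benign site, plus two throwaway hosts
# that each serve a PDF or JAR to a single client and are never seen again.
# Format per line: <ISO timestamp> <client IP> <URL> <response content type>
SAMPLE_LOG = """\
2012-05-04T08:00:01 10.0.0.5 http://portal.example.test/index.html text/html
2012-05-04T08:05:17 10.0.0.7 http://portal.example.test/news.html text/html
2012-05-04T09:02:40 10.0.0.9 http://portal.example.test/index.html text/html
2012-05-04T09:03:02 10.0.0.9 http://a1b2.example.test/landing.html text/html
2012-05-04T09:03:04 10.0.0.9 http://a1b2.example.test/doc.pdf application/pdf
2012-05-04T10:11:30 10.0.0.12 http://portal.example.test/index.html text/html
2012-05-04T10:12:01 10.0.0.12 http://c3d4.example.test/landing.html text/html
2012-05-04T10:12:03 10.0.0.12 http://c3d4.example.test/app.jar application/java-archive
2012-05-04T11:20:09 10.0.0.5 http://portal.example.test/docs/manual.pdf application/pdf
"""

# Content types an exploit kit of this era hands to the browser (PDF and Java).
RISKY_TYPES = {"application/pdf", "application/java-archive",
               "application/x-java-archive"}


def parse_log(text):
    """Parse the constructed log format into Request tuples (oldest first)."""
    requests = []
    for line in text.splitlines():
        ts, client, url, ctype = line.split()
        requests.append(Request(datetime.fromisoformat(ts), client, url, ctype))
    return requests


def blocklist_hits(requests, blocklist):
    """Exact-URL blocking: only catches URLs that were already known."""
    return [r for r in requests if r.url in blocklist]


def flag_young_hosts(requests, max_age=timedelta(hours=2), max_clients=2):
    """Flag risky downloads from hosts first seen within max_age and used by
    at most max_clients distinct clients. Expects requests sorted by time.
    In production, seed first_seen from long-term history so that a
    well-established host is not 'young' just because the window is short."""
    first_seen = {}
    clients = defaultdict(set)
    flagged = []
    for r in requests:
        host = urlsplit(r.url).hostname
        first_seen.setdefault(host, r.ts)
        clients[host].add(r.client)
        age = r.ts - first_seen[host]
        if (r.ctype in RISKY_TYPES and age <= max_age
                and len(clients[host]) <= max_clients):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    # A blocklist built from last hour's landing URL matches nothing today.
    stale = {"http://z9y8.example.test/doc.pdf"}
    print("blocklist hits:", [r.url for r in blocklist_hits(reqs, stale)])
    # The heuristic flags both rotated hosts and leaves the portal's PDF alone.
    print("flagged:", [r.url for r in flag_young_hosts(reqs)])
```

The heuristic trades precision for resilience: it does not need to know today's URL, only that executable-ish content came from a host with no history and almost no users, which is exactly what an hourly-rotated landing page looks like from inside a network. Tune `max_age` and `max_clients` against your own baseline before alerting on it.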

Trustwave's researchers also expect the kit's exploit set to grow beyond the two found in this first release.

"The RedKit is armed with two of the most popular exploits but the authors probably will add more exploits soon in order to catch up with the “industry leaders” such as BlackHole and Phoenix exploit kits. The first exploit is a fairly obfuscated PDF file that exploits the LibTIFF vulnerability (CVE-2010-0188)."

The second is the "latest Java exploit, dealing with the AtomicReferenceArray vulnerability (CVE-2012-0507)."

For a detailed explanation of RedKit's current functionality, refer to the Trustwave analysis here:


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.