Hackers are using a zero-day vulnerability in Adobe Flash to infect systems with a dangerous BEDEP malware variant.
Trend Micro research engineer Alvin Bacani reported uncovering the campaign in a threat advisory, proving that hackers began targeting the zero-day less than a week after its discovery.
"Continuing our analysis of the recent Adobe zero-day exploit, we find that the infection chain does not end with the Flash exploit, detected as SWF_EXPLOIT.MJST. Rather, the exploit downloads and executes malware belonging to the BEDEP family," read the advisory.
Trend Micro reported uncovering the Flash flaw on 2 February, warning that attackers could target victims with malvertising attacks.
The flaw is originally believed to have been targeted by hackers using the Angler Exploit Kit to send malicious automatic pop-up adverts.
Bacani explained that BEDEP employs the same malvertising infection tactic, but uses the Hanjuan exploit kit to connect victim machines to a criminal botnet.
"Based on our analysis, the infection chain begins with a site that hosts malvertisements. As the name implies, these are infected online advertisements," read the advisory.
"Our recent findings also show that the malware's main purpose is to turn infected systems into botnets for other malicious intentions.
"Additionally, BEDEP is known for carrying out advertising fraud routines and downloading additional malware."
The full scale of the campaign remains unknown and the nature of the BEDEP malware makes tracking the attacks difficult.
"The fact that the payloads are encoded can be seen as one way of evading detection. An encoded payload will be difficult to identify when passing through the network layer, or when scanned in any layer in an encoded state," noted Bacani.
"BEDEP initially came undetected and unnoticed due to its heavy encryption and use of Microsoft file properties for its disguise as well as the use of seemingly legitimate export functions."
The flaw is one of three recently discovered Flash zero-day vulnerabilities. The first two were uncovered by Adobe in January and are known to have been actively targeted by hackers.
Members of the security community have taken the Flash zero-days as evidence that traditional security models are no longer up to the job.
British Airways blames 'global systems outage' for IT meltdown
Mark Zuckerberg mercilessly trolled by Harvard student newspaper after return to university he dropped out of 12 years ago
'Unauthorised user' blamed by Harvard for insulting Mark Zoinkerberg
Android under attack from 'Judy', Google Play Store malware that has infected up to 36.5 million users
Yet more Android malware discovered on the Google Play Store
Airport believes new system will be more reliable than GPS or Google Maps