A malicious advertising campaign is making use of a recently unpatched "zero-day" flaw in Adobe Flash to redirect visitors to malware downloads, according to the security vendor Cyphort.
Visitors to affected websites are attacked by the exploit kit Angler, which drops Bedep malware on their machine capable of downloading further viruses and sending fraudulent traffic to advert networks.
Nick Bilogorskiy, director of security research at Cyphort, said: "Adobe confirmed a zero-day vulnerability today ( CVE-2015-0310), and released a new patched version of Flash – version 16.0.0.287.
"However, based on our analysis, the patched version is still vulnerable to the exploit in this malvertising campaign."
He added that the malware appeared to be sending visitors to the affiliate ad network Affiture, though it was not clear if the website was genuine. The network’s abuse team has been contacted by Cyphort, but has yet to respond.
Bedep was also found to be making use of a domain generating algorithm (DGA) to connect to the command and control (C&C) server, an advanced means of evading detection by antivirus software.
"If you access the infected websites from a browser that is not vulnerable to the exploits, they will redirect you through a different chain, to a scam site, asking you to call a toll-free 855 number to fix a ‘virus problem’," Bilogorskiy added.
20 infected domains have already been discovered by the company. It advises users to disable Flash or use a script blocker to minimise the risk of infection.