Featured Post

Avira Antivirus Pro - Review 2020 - PCMag India

Posted: 11 Jun 2020 12:00 AM PDT

Every computer needs antivirus protection, and one way companies can support that aim is to provide free antivirus to the masses. But these companies can't survive unless some users shell out their hard-earned cash for paid antivirus utilities. Piling on pro-only tools and components is one way companies encourage upgrading to a paid antivirus. Avira Antivirus Pro adds several components not available to users of Avira Free Security, but they don't really add much value. The biggest reason to pay for it is if you want to use Avira in a commercial setting, which isn't allowed with the free version. Avira's pricing is undeniably on the high side, with a list price of $59.88 per year for one license, $71.88 for three, and $95.88 for five. Admittedly, it seems to be perpetually on sale; just now, the one-license price is discounted to $44.99. That…

Exploit Kit Starts Pushing Malware Via Fake Adult Sites - BleepingComputer

Posted: 19 Dec 2019 12:00 AM PST

The operators of the Spelevo exploit kit have recently added a new infection vector to their attacks, attempting to social-engineer potential targets into downloading and executing additional malware payloads from decoy adult sites.

This exploit kit was first spotted by security researcher Kafeine in early March 2019. It has since been used as a delivery platform for the IcedID and Dridex banking trojans, as Cisco Talos found in June, and to drop Maze ransomware payloads, as researcher nao_sec discovered.

Normally an exploit kit only redirects victims to a landing page through a traffic direction system (TDS) and hits them with exploits for vulnerable software on their computer; this time the attackers behind Spelevo EK added a social engineering tactic as a backup infection vector for when the exploits fail.

[Image: Spelevo infection chain (Malwarebytes)]

"Recently, we captured an unusual change with the Spelevo exploit kit where, after an attempt to trigger vulnerabilities in Internet Explorer and Flash Player, users were immediately redirected to a decoy adult site," Malwarebytes security researcher Jérôme Segura said.

After failing to exploit any of the Internet Explorer and Flash Player vulnerabilities it targets in order to infect the victim's device with the Ursnif (aka Gozi) banking Trojan, Spelevo EK automatically redirects the target to a decoy adult site, where they are asked to download and install a video codec to play the videos.

By adopting this social engineering tactic, the attackers still get a chance to drop additional malware payloads, Qbot banking Trojans in this case, even when the exploit kit fails to achieve a successful infection.

"Based on our telemetry, there are a few campaigns run by threat actors converting traffic to adult sites into malware loads," Segura adds. "In one campaign, we saw a malvertising attack on a site that draws close to 50 million visitors a month."

Before these recent campaigns, Spelevo EK also redirected victims after the exploitation attempt, but instead of decoy adult sites it sent them to google.com after a 10-second delay.

[Image: Spelevo redirecting to decoy site (Malwarebytes)]

Once they land on the fake adult website, targets are asked to download the fake video codec, which, once downloaded and executed, launches a Qbot banking Trojan instance, as already mentioned.
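As an added illustration of the fallback chain described above (this is not code from the article or from Malwarebytes), the following Python script groups web proxy log entries per client and flags an executable download with a codec-themed filename that follows, within a short window, a cross-domain redirect from a host that had just served a Flash object, i.e. exploit attempt, redirect, lure download. The log format, hostnames, filenames, IP addresses and timestamps are all constructed for this example and are not indicators from the campaign; the thresholds and keyword list are assumptions to tune against your own traffic.

```python
"""Flag an exploit-kit "fake codec" fallback chain in constructed proxy logs.

Chain looked for per client, oldest to newest:
  1. a Flash object (application/x-shockwave-flash) fetched from host A
  2. a 3xx redirect served by host A
  3. a request to a different host B
  4. an executable download from host B whose filename looks like a codec lure
All hosts, paths and addresses below are made up for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

LOOKBACK = timedelta(seconds=60)                       # assumed window, tune as needed
CODEC_LURE = re.compile(r"codec|player|plugin|flash", re.IGNORECASE)  # assumed keyword list
EXE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
             "application/octet-stream"}
EXE_EXT = (".exe", ".msi", ".scr")

# Constructed sample log (not real telemetry). Assumed format per line:
# "<ISO-8601 timestamp> <client ip> <HTTP status> <content-type> <url>"
SAMPLE_LOG = """\
2019-12-18T10:00:01Z 10.0.0.5 200 text/html http://ads.tds.example/go?cid=7
2019-12-18T10:00:02Z 10.0.0.5 200 text/html http://landing.ek.example/index.php
2019-12-18T10:00:03Z 10.0.0.5 200 application/x-shockwave-flash http://landing.ek.example/player.swf
2019-12-18T10:00:05Z 10.0.0.5 302 text/html http://landing.ek.example/redirect
2019-12-18T10:00:06Z 10.0.0.5 200 text/html http://videos.decoy.example/watch.html
2019-12-18T10:00:20Z 10.0.0.5 200 application/x-msdownload http://videos.decoy.example/dl/video_codec_update.exe
2019-12-18T10:02:00Z 10.0.0.9 200 text/html http://landing.ek.example/index.php
2019-12-18T10:02:01Z 10.0.0.9 200 application/x-shockwave-flash http://landing.ek.example/player.swf
2019-12-18T10:02:11Z 10.0.0.9 302 text/html http://landing.ek.example/redirect
2019-12-18T10:02:12Z 10.0.0.9 200 text/html http://www.google.com/
2019-12-18T10:05:00Z 10.0.0.7 200 text/html http://news.example/
2019-12-18T10:05:30Z 10.0.0.7 200 application/x-msdownload http://cdn.vendor.example/setup.exe
"""


def parse_log(text):
    """Parse the assumed five-field log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, ctype, url = line.split(None, 4)
        parsed = urlparse(url)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "status": int(status),
            "ctype": ctype.lower(),
            "url": url,
            "host": parsed.hostname or "",
            "path": parsed.path,
        })
    return events


def is_exe_download(ev):
    """A successful response that is an executable by type or extension."""
    return ev["status"] == 200 and (
        ev["ctype"] in EXE_TYPES or ev["path"].lower().endswith(EXE_EXT))


def find_codec_lure_chains(events):
    """Return one alert per executable download that completes the chain."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if not is_exe_download(ev):
                continue
            reasons = []
            filename = ev["path"].rsplit("/", 1)[-1]
            if CODEC_LURE.search(filename):
                reasons.append("codec_lure_filename")

            # Only look at this client's requests shortly before the download.
            window = [e for e in evs[:i] if ev["ts"] - e["ts"] <= LOOKBACK]
            redirects = [e for e in window
                         if e["status"] in (301, 302, 303, 307)
                         and e["host"] != ev["host"]]
            if redirects and any(e["host"] == ev["host"]
                                 and e["ts"] >= redirects[-1]["ts"]
                                 for e in window):
                reasons.append("cross_domain_redirect_to_download_host")
                # Flash served by the redirecting host means an exploit attempt
                # preceded the lure, which is the Spelevo pattern.
                if any(e["ctype"] == "application/x-shockwave-flash"
                       and e["host"] == redirects[-1]["host"] for e in window):
                    reasons.append("flash_object_before_redirect")

            if ("codec_lure_filename" in reasons
                    and "cross_domain_redirect_to_download_host" in reasons):
                alerts.append({"client": client, "ts": ev["ts"].isoformat(),
                               "url": ev["url"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_codec_lure_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data only client 10.0.0.5 is flagged: the older google.com variant (10.0.0.9) ends in a redirect with no download, and the plain vendor installer (10.0.0.7) has neither a lure-style name nor a preceding cross-domain redirect. The redirect requirement is what keeps ordinary software downloads out; the Flash-object signal is reported separately because Flash was already uncommon by late 2019 and its absence should lower, not cancel, the alert.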

"Downloading video codecs to view media used to be fairly common back in the day, but isn't really the case anymore," Segura explains. "Yet, this kind of trick still works quite well and is an alternative method to compromise users."

This new tactic adopted by Spelevo EK's operators increases the number of infection vectors used in their campaigns, making them more effective in the long run.

[Image: Decoy adult site pushing fake video codec (Malwarebytes)]

Other exploit kits have also turned to social engineering to improve their "hit rate" in the past, with Magnitude EK and Disdain EK adopting this additional attack tactic in 2017 via fake Windows Defender and Flash Player alerts.

Fallout EK also switched to social engineering in 2018, displaying fake antivirus and Flash Player prompts that would attempt to infect targets from the government, telecom, and healthcare sectors that had fully patched machines.

