Fessleak malvertising campaign used to serve ransomware

Pierluigi Paganini February 06, 2015

Invincea has been monitoring the Fessleak campaign in which hackers leveraged Adobe Flash Player exploits and file-less infections to serve ransomware.

Security experts from Invincea are investigating a new ransomware campaign, originating in Russia, that shows several interesting characteristics. The researchers found that the attacks initially relied on file-less infections and then moved to exploiting zero-day vulnerabilities in Adobe’s Flash Player.

The ransomware has been identified as Kovter; attackers are spreading it through an advertising network that manages ad groups on a number of popular websites.

“Ransomware malvertising can strike at any time, and it typically is dropped from clickbait articles on popular websites or simply by visiting popular sites like DailyMotion.com,” states a blog post published by Invincea. “You will see in the logs that there is no dropped file, however, you will see that the malware is extracted from system memory using the local System32 file, extrac32.exe.”

Initially, the Kovter ransomware was delivered through an exploit kit, but the researchers have also detected an instance of the malware served via a real-time ad-bidding network, which delivers the malicious code without writing a single file to disk.

The researchers discovered a Russian criminal crew that is delivering the Kovter ransomware by extracting its code directly from system memory.

The bad news is that the criminals exploited the public attention surrounding the news of the Charlie Hebdo tragedy.

“Next is an example of the new file-less flash malvertising dropped by Russian criminals via a real time ad bidding network. This malvertising doesn’t seem to have a specific name, so Invincea has dubbed this “Fessleak” after the registrant of all of the malicious domains used in the malware delivery. In this instance, a clickbait article on the HuffingtonPost about the terrorist attack on Charlie Hebdo dropped advanced ransomware. You will see in the logs that there is no dropped file, however, you will see that the malware is extracted from system memory using the local System32 file, extrac32.exe. Once this extraction is complete, the malware detects the Invincea container and the malware quits its functions.” continues the post.


Among the websites impacted by the malvertising campaign there are also illustrious names like the Huffington Post, as well as Russia Today (RT.com) and CBSSports.com.

After Microsoft patched the privilege escalation flaw (CVE-2015-0016) in Windows systems, the Russian hackers stopped using file-less infections and moved to zero-day exploits.

“Now Fessleak drops a temp file via flash and makes calls to icacls.exe, the file that sets permissions on folders and files. At this time, there is no detection for the malicious binary, which likely rotates its hash value to avoid AV detection,” Invincea said.
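Invincea’s logs, quoted above and in the earlier passage on extrac32.exe, show two legitimate Windows system binaries being launched inside a web-borne infection chain. The following hunting check is an added example, not code from the Invincea post or from Security Affairs: it walks constructed process-creation events and flags extrac32.exe or icacls.exe whenever its parent chain reaches a browser or Flash plugin process. The record layout, process names and PIDs are assumptions made for the example.

```python
"""Hunt for extrac32.exe / icacls.exe launched under a browser or Flash process,
the two system binaries Invincea's logs tie to Fessleak. Records are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """Process-creation event (assumed layout: new PID, parent PID, image path)."""
    pid: int
    ppid: int
    image: str

# Web-facing ancestors under which a system binary should not be extracting
# archives or rewriting ACLs (process names are assumptions, not from the article).
WEB_ANCESTORS = {"iexplore.exe", "firefox.exe", "chrome.exe",
                 "plugin-container.exe"}
LOLBINS = {"extrac32.exe", "icacls.exe"}

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_fessleak_lolbins(events, max_depth=3):
    """Return (pid, binary, ancestor) for each LOLBIN whose parent chain
    reaches a web-facing process within max_depth hops."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = _basename(e.image)
        if name not in LOLBINS:
            continue
        parent = by_pid.get(e.ppid)
        for _ in range(max_depth):
            if parent is None:
                break
            pname = _basename(parent.image)
            # Flash's out-of-process host carries a version suffix: match prefix.
            if pname in WEB_ANCESTORS or pname.startswith("flashplayerplugin"):
                hits.append((e.pid, name, pname))
                break
            parent = by_pid.get(parent.ppid)
    return hits

SAMPLE_EVENTS = [  # constructed process tree
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcEvent(210, 200, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(220, 210, r"C:\Windows\System32\extrac32.exe"),  # via browser
    ProcEvent(300, 100, r"C:\Windows\System32\cmd.exe"),       # admin shell
    ProcEvent(310, 300, r"C:\Windows\System32\icacls.exe"),    # benign use
    ProcEvent(400, 200, r"C:\Windows\System32\icacls.exe"),    # via browser
]
```

Against the sample tree the check reports the extrac32.exe and icacls.exe instances descending from iexplore.exe and ignores the icacls.exe run from an administrator’s shell, which is the distinction that keeps this hunt from drowning in routine ACL maintenance.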

The researchers noticed that cyber criminals exploited three different zero-day vulnerabilities, including the recent CVE-2015-0311. The threat actors are exploiting the CVE-2015-0311 and CVE-2015-0313 flaws to deliver ransomware and malware.

“While Invincea has been tracking this threat actor for months, other notable security professionals have noticed that Fessleak is using advanced Adobe 0-Day exploits to continue to deliver his malware. Kafeine from malware.dontneedcoffee.com notes that Fessleak has now been seen using the very latest Zero-Day Adobe exploit CVE-2015-0311. His excellent write-up, which notes that the latest exploit installs a remote desktop and AdFraud bot is here. TrendMicro also notes that Fessleak, and specifically, one of his “burner” domains, retilio.com was seen to use the same zero-day in this blog post here.”

The experts explained that the Fessleak malvertising campaign, which is spreading the Fessleak ransomware, is composed of the following steps:

  • Criminals register a burner domain with a DNS setting of 8 hours.
  • The domain is pointed to the page hosting the exploit used to serve the malware; access to this page is limited to visitors arriving with the correct referrer.
  • The attackers bid on ads that will trigger the redirection from the legitimate site to the burner domain.
  • Victims are redirected to the page that serves the ransomware.
  • After eight hours, the burner domain is abandoned and the attackers repeat the same process with a new one.


“It is important to note that the sites from which the malvertising were delivered are by and large unaware that their sites were used for delivering malware, and largely unable to do anything about it,” confirmed Invincea.

Initially, the attackers included code to exploit the CVE-2015-0311 and CVE-2015-0313 vulnerabilities in the Angler exploit kit, but CVE-2015-0313 is now also included in other exploit kits such as Hanjuan, while CVE-2015-0311 has been added to the Fiesta, Nuclear Pack and RIG exploit kits.

According to Invincea, since December 2014 the following domains have been used to spread ransomware:

  • Liucianne.com
  • HuffingtonPost.com
  • Photobucket.com
  • DNSrsearch.com
  • RT.com
  • Answers.com
  • CBSSports.com
  • HowtoGeek.com
  • Fark.com
  • Inquisitr.com
  • Viewmixed.com
  • Thesaurus.com
  • Dictionary.reference.com
  • TecheBlog.com
  • Cleveland.com
  • NJ.com
  • JPost.com
  • Earthlink.net
  • MotherJones.com
  • PJMedia.com
  • News.com.au
  • Realtor.com
  • Cinemablend.com
  • PopularMechanics.com
  • Mapquest.com
  • TheBlaze.com

Pierluigi Paganini

(Security Affairs – malvertising, Pictures, Russian hackers)
