Categories: Cyber Crime, Malware

Fessleak malvertising campaign used to serve ransomware

Invincea has been monitoring the Fessleak campaign in which hackers leveraged Adobe Flash Player exploits and file-less infections to serve ransomware.

Security experts from Invincea are investigating a new ransomware campaign, originating in Russia, that shows several interesting characteristics. The researchers found that the attacks began with file-less infections and then moved to the exploitation of zero-day vulnerabilities in Adobe's Flash Player.

The researchers identified the ransomware as Kovter; the attackers are spreading it through an advertising network that manages ad placements on a number of popular websites.

“Ransomware malvertising can strike at any time, and it typically is dropped from clickbait articles on popular websites or simply by visiting popular sites like DailyMotion.com,” states a blog post published by Invincea. “You will see in the logs that there is no dropped file, however, you will see that the malware is extracted from system memory using the local System32 file, extrac32.exe.”

Initially, the Kovter ransomware was delivered through an exploit kit, but the researchers have also detected an instance of the malware served via a real-time ad-bidding network, which delivers the malicious code without writing a single file to disk.

The researchers attributed the activity to a Russian criminal crew that delivers the Kovter ransomware by extracting its code directly from system memory rather than dropping a file.

The bad news is that the criminals exploited the public attention around the Charlie Hebdo tragedy: the malicious ads were placed on clickbait articles about the attack.

“Next is an example of the new file-less flash malvertising dropped by Russian criminals via a real time ad bidding network. This malvertising doesn’t seem to have a specific name, so Invincea has dubbed this “Fessleak” after the registrant of all of the malicious domains used in the malware delivery. In this instance, a clickbait article on the HuffingtonPost about the terrorist attack on Charlie Hebdo dropped advanced ransomware. You will see in the logs that there is no dropped file, however, you will see that the malware is extracted from system memory using the local System32 file, extrac32.exe. Once this extraction is complete, the malware detects the Invincea container and the malware quits its functions.” continues the post.

Among the websites impacted by the malvertising campaign there are also illustrious names such as the Huffington Post, Russia Today (RT.com) and CBSSports.com.

After Microsoft patched the Windows privilege escalation flaw CVE-2015-0016, the Russian hackers abandoned the file-less infection technique and moved to zero-day exploits.

“Now Fessleak drops a temp file via flash and makes calls to icacls.exe, the file that sets permissions on folders and files. At this time, there is no detection for the malicious binary, which likely rotates its hash value to avoid AV detection,” Invincea said.
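Both infection variants quoted above leave the same kind of trace on the endpoint: a browser, or the plugin container that hosts Flash for it, spawning a System32 living-off-the-land binary (extrac32.exe in the file-less variant, icacls.exe in the temp-file variant). The following is an added example, not Invincea's code, of how a detection engineer could hunt for that process ancestry in a process-creation log. The input is a constructed JSON-lines export in the style of Sysmon event ID 1; the field names (`pid`, `ppid`, `image`, `cmdline`) and the sample events are assumptions made for the example, not a product schema.

```python
"""Flag extrac32.exe / icacls.exe launched beneath a browser process tree.

Added example (not Invincea's tooling). Events are a constructed JSON-lines
export of process-creation records; field names are an assumption.
"""
import json
from typing import Dict, List

# Images that host web content or the Flash plugin for it.
BROWSER_IMAGES = {"iexplore.exe", "chrome.exe", "firefox.exe", "plugin-container.exe"}
# System32 binaries the campaign is described as invoking.
LOLBINS = {"extrac32.exe", "icacls.exe"}

# Constructed sample: a benign admin icacls run under cmd.exe, a Firefox
# session whose plugin container spawns extrac32.exe and icacls.exe, and an
# extrac32.exe launched by a service (no browser ancestor).
_SAMPLE = [
    {"pid": 4,    "ppid": 0,    "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 520,  "ppid": 4,    "image": r"C:\Windows\System32\svchost.exe",  "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 1000, "ppid": 1,    "image": r"C:\Windows\explorer.exe",          "cmdline": "explorer.exe"},
    {"pid": 1200, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",      "cmdline": "cmd.exe"},
    {"pid": 1210, "ppid": 1200, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls C:\Shares\Finance /grant Users:R"},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
    {"pid": 2010, "ppid": 2000, "image": r"C:\Program Files\Mozilla Firefox\plugin-container.exe",
     "cmdline": r"plugin-container.exe NPSWF32.dll"},
    {"pid": 2020, "ppid": 2010, "image": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r"extrac32.exe /Y C:\Users\bob\AppData\Local\Temp\tmpA1B2.tmp"},
    {"pid": 2021, "ppid": 2010, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls C:\Users\bob\AppData\Local\Temp\tmpA1B2 /deny Everyone:(R)"},
    {"pid": 3000, "ppid": 520,  "image": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r"extrac32.exe /Y C:\Windows\Temp\update.cab"},
]
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in _SAMPLE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(jsonl: str) -> List[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def ancestry(by_pid: Dict[int, dict], pid: int, max_depth: int = 8) -> List[str]:
    """Walk parent links upward and return the image basenames seen.

    Real logs should key on a process GUID rather than a reusable PID; the
    seen-set and depth cap keep a stale/recycled PID from looping forever.
    """
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(basename(ev["image"]))
        pid = ev["ppid"]
    return chain


def find_fileless_dropper_activity(events: List[dict]) -> List[dict]:
    """Return LOLBIN launches that have a browser somewhere in their ancestry."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        image = basename(ev["image"])
        if image not in LOLBINS:
            continue
        parents = ancestry(by_pid, ev["ppid"])
        if not any(p in BROWSER_IMAGES for p in parents):
            continue  # admin use of icacls, installers, services: not this pattern
        hits.append({"pid": ev["pid"], "image": image,
                     "parents": parents, "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in find_fileless_dropper_activity(parse_events(SAMPLE_EVENTS)):
        print(f"pid {hit['pid']}: {hit['image']} <- {' <- '.join(hit['parents'])}")
        print(f"    {hit['cmdline']}")
```

The benign icacls run (cmd.exe under explorer.exe) and the service-spawned extrac32.exe are not reported; only the two launches beneath plugin-container.exe are. In production, key the tree on the log's process GUID, and treat an extrac32.exe whose only parent is a browser as a higher-confidence signal than icacls.exe, which administrators and installers also call.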

The researchers observed the cyber criminals exploiting three different zero-day vulnerabilities, including the recent CVE-2015-0311. The threat actors are using the CVE-2015-0311 and CVE-2015-0313 Flash flaws to deliver ransomware and other malware.

“While Invincea has been tracking this threat actor for months, other notable security professionals have noticed that Fessleak is using advanced Adobe 0-Day exploits to continue to deliver his malware. Kafeine from malware.dontneedcoffee.com notes that Fessleak has now been seen using the very latest Zero-Day Adobe exploit CVE-2015-0311. His excellent write-up, which notes that the latest exploit installs a remote desktop and AdFraud bot is here. TrendMicro also notes that Fessleak, and specifically, one of his “burner” domains, retilio.com was seen to use the same zero-day in this blog post here.”

The experts explained that the Fessleak malvertising campaign, which spreads the Kovter ransomware, follows these steps:

  • The criminals register a burner domain whose DNS records have a lifetime (TTL) of eight hours.
  • The domain is pointed at the page hosting the exploit that serves the malware; access to this page is restricted to visitors arriving with the correct HTTP referer.
  • They bid on ads that trigger a redirection from the legitimate site to the burner domain.
  • Victims are redirected to the page, which serves the ransomware.
  • After eight hours the burner domain is abandoned and the attackers repeat the process with a new one.
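The rotation described in these steps leaves a recognisable signature in web-proxy logs joined with passive DNS: a host with a very short DNS TTL, reached only by redirect from the bidding network, that serves a Flash object and then goes quiet within eight hours, while direct requests without the expected referer are refused. The following is an added example, not Invincea's tooling, that scores candidate burner domains on exactly those properties. Every hostname, timestamp, TTL and log line is constructed for the example; mapping the article's "DNS setting of 8 hours" onto a passive-DNS TTL, and the choice of which host stands in for the ad exchange, are assumptions.

```python
"""Spot eight-hour burner domains in proxy logs joined with passive DNS.

Added example (not Invincea's tooling). All hosts, records and log lines are
constructed; treating the campaign's "8 hours" as a DNS TTL is an assumption.
"""
from datetime import datetime
from urllib.parse import urlparse

BURNER_MAX_TTL = 8 * 3600                       # seconds
AD_EXCHANGE_HOSTS = {"rtb.adx.example"}         # constructed stand-in for the bidding network
FLASH_TYPES = {"application/x-shockwave-flash"}

# Passive DNS: host -> (first_seen, ttl_seconds). Constructed.
PASSIVE_DNS = {
    "rtb.adx.example":  ("2015-01-07T00:00:00", 3600),
    "cdn.news.example": ("2014-06-01T00:00:00", 86400),
    "k2v9m.example":    ("2015-01-08T09:00:00", 28800),
    "x7q1p.example":    ("2015-01-08T17:00:00", 28800),
}

# Proxy log: (time, client, host, path, referer, status, content_type). Constructed.
PROXY_LOG = [
    ("2015-01-08T09:12:03", "10.0.0.5",  "www.news.example", "/charlie-hebdo-live", "-", 200, "text/html"),
    ("2015-01-08T09:12:04", "10.0.0.5",  "rtb.adx.example",  "/bid?c=1", "http://www.news.example/charlie-hebdo-live", 302, "text/html"),
    ("2015-01-08T09:12:04", "10.0.0.5",  "k2v9m.example",    "/l.php",   "http://rtb.adx.example/bid?c=1", 200, "text/html"),
    ("2015-01-08T09:12:05", "10.0.0.5",  "k2v9m.example",    "/a.swf",   "http://k2v9m.example/l.php", 200, "application/x-shockwave-flash"),
    ("2015-01-08T09:15:00", "10.0.0.11", "k2v9m.example",    "/l.php",   "-", 404, "text/html"),  # direct visit, no referer: gated
    ("2015-01-08T09:30:00", "10.0.0.7",  "cdn.news.example", "/player.swf", "http://www.news.example/video", 200, "application/x-shockwave-flash"),
    ("2015-01-08T16:58:10", "10.0.0.9",  "k2v9m.example",    "/a.swf",   "http://k2v9m.example/l.php", 200, "application/x-shockwave-flash"),
    ("2015-01-08T17:20:00", "10.0.0.9",  "rtb.adx.example",  "/bid?c=2", "http://www.news.example/sports", 302, "text/html"),
    ("2015-01-08T17:20:01", "10.0.0.9",  "x7q1p.example",    "/l.php",   "http://rtb.adx.example/bid?c=2", 200, "text/html"),
    ("2015-01-08T17:20:02", "10.0.0.9",  "x7q1p.example",    "/a.swf",   "http://x7q1p.example/l.php", 200, "application/x-shockwave-flash"),
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _referer_host(referer: str):
    return urlparse(referer).hostname if referer and referer != "-" else None


def find_burner_domains(log, pdns):
    """Return hosts that look like rotated exploit-landing domains.

    A host qualifies when its DNS TTL is at most eight hours, at least one
    request to it was referred by the ad exchange (the RTB redirect), and it
    served a Flash object. The result also records whether a referer-less hit
    was refused (the gating step) and how long the host was actively serving.
    """
    by_host = {}
    for ts, client, host, path, referer, status, ctype in log:
        rec = pdns.get(host)
        if rec is None or rec[1] > BURNER_MAX_TTL:
            continue  # long-lived or unknown record: not a burner candidate
        h = by_host.setdefault(host, {"ttl": rec[1], "from_ad_exchange": False,
                                      "flash_served": False, "gate_observed": False,
                                      "first": None, "last": None})
        if _referer_host(referer) in AD_EXCHANGE_HOSTS:
            h["from_ad_exchange"] = True
        if status == 200 and ctype in FLASH_TYPES:
            h["flash_served"] = True
        if referer == "-" and status == 404:
            h["gate_observed"] = True  # heuristic: page exists only for referred visitors
        if status == 200:
            t = _ts(ts)
            h["first"] = t if h["first"] is None else min(h["first"], t)
            h["last"] = t if h["last"] is None else max(h["last"], t)

    result = {}
    for host, h in by_host.items():
        if h["from_ad_exchange"] and h["flash_served"]:
            h["active_seconds"] = int((h["last"] - h["first"]).total_seconds())
            result[host] = h
    return result


if __name__ == "__main__":
    for host, h in find_burner_domains(PROXY_LOG, PASSIVE_DNS).items():
        print(f"{host}: ttl={h['ttl']}s active={h['active_seconds']}s "
              f"gated={h['gate_observed']} flash={h['flash_served']}")
```

The ad exchange itself has a short TTL but is never reached by redirect from an exchange, and the publisher's CDN serves Flash from a long-lived record, so neither is reported; the two burner hosts are, each with an active window under eight hours and the first one showing the referer gate. Low TTL alone would be a noisy signal (CDNs and load balancers use it too); it is the combination with the RTB referer and the Flash payload that makes the hunt precise.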

“It is important to note that the sites from which the malvertising were delivered are by and large unaware that their sites were used for delivering malware, and largely unable to do anything about it,” confirmed Invincea.

Initially, code exploiting CVE-2015-0311 and CVE-2015-0313 was found in the Angler exploit kit, but CVE-2015-0313 is now also included in other exploit kits such as Hanjuan, while CVE-2015-0311 has been added to the Fiesta, Nuclear Pack and RIG exploit kits.

According to Invincea, since December 2014 the ransomware malvertising has been served through the following domains:

  • Liucianne.com
  • HuffingtonPost.com
  • Photobucket.com
  • DNSrsearch.com
  • RT.com
  • Answers.com
  • CBSSports.com
  • HowtoGeek.com
  • Fark.com
  • Inquisitr.com
  • Viewmixed.com
  • Thesaurus.com
  • Dictionary.reference.com
  • TecheBlog.com
  • Cleveland.com
  • NJ.com
  • JPost.com
  • Earthlink.net
  • MotherJones.com
  • PJMedia.com
  • News.com.au
  • Realtor.com
  • Cinemablend.com
  • PopularMechanics.com
  • Mapquest.com
  • TheBlaze.com

Pierluigi Paganini

(Security Affairs –  malvertising, Pictures, Russian hackers)

