Avast Threat Research: Malvertising Campaign Taking Advantage of COVID-19 Targeting
#1
Bug 
Quote:

Fallout Exploit Kit used to distribute Kpot v2.0 to people using outdated versions of Internet Explorer

Cybercriminals are taking advantage of the COVID-19 crisis to profit from the unfortunate situation. We have recently discovered cybercriminals adjusting their malvertising campaigns to adapt their malicious ads, making them relevant to the COVID-19 crisis. The bad actors purchase ad space from an ad network to display malvertising, malicious advertisements, on websites. They are now using website names appearing to host information related to the coronavirus, and therefore giving ad network operators the impression they are non-malicious. This particular malvertising campaign hosts an exploit kit called Fallout, which attempts to exploit vulnerabilities in older versions of Internet Explorer, doing so without user action or awareness that anything is happening, in order to install Kpot v2.0, an information/password stealer.

The Fallout exploit kit has been around since 2018 and has, for the most part, targeted Japanese and South Korean users. On March 26, 2020, the bad actors behind the campaign registered the domain covid19onlineinfo[.]com, and have since rotated the domains the exploit kit is hosted on, registering about six domains a day in an attempt to evade antivirus detections.

Malvertising is typically hosted on streaming sites and usually automatically opens in a new tab when the user clicks on the play button to view a video. When a user with the Fallout EK visits a site hosting the malvertising and meets the criteria of using an outdated version of Internet Explorer, the exploit kit attempts to gain access to the user’s computer. It tries to exploit a vulnerability in Adobe Flash Player (CVE-2018-15982, fix released January 2019), which can lead to arbitrary code execution, and a remote execution vulnerability in the VBScript engine affecting multiple Windows versions (CVE-2018-8174, fix released May 2018). This can cause Internet Explorer to crash, which is the only red flag the user may notice.

The exploit kit previously infected computers with various password/information stealers and banking trojans. Now, the password/information stealer Kpot v2.0 is being distributed. It attempts to steal basic information, such as computer name, the Windows username, IP address, installed software on the device, machine GUID, and more, sending this information to a command and control server.

  • Steal cookies, passwords, and autofill data from Chrome
  • Steal cookies, passwords, and autofill data from Firefox
  • Steal cookies from Internet Explorer
  • Steal various cryptocurrency files
  • Steal Skype accounts
  • Steal Telegram accounts
  • Steal Discord accounts
  • Steal Battle.net accounts
  • Steal Internet Explorer passwords
  • Steal Steam accounts
  • Take a screenshot
  • Steal various FTP client accounts
  • Steal various Windows credentials
  • Steal various Jabber client accounts
  • Remove self

As of April 14, 2020, Avast prevented 178,814 attack attempts targeting 96,278 users globally. Below is a chart of the top countries targeted.

...
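The post describes three signals a defender can correlate in web proxy logs: a request from an Internet Explorer client, a coronavirus-themed domain name, and a domain registered only days earlier (the campaign registers about six a day). The script below is an added example, not code from Avast or from the thread; it runs that triage over a few constructed log lines. The log format, the `.test` domains, the registration-date table standing in for a WHOIS/RDAP lookup, the 30-day "newly registered" window and the high/medium/low scoring are all assumptions made for the example; only covid19onlineinfo[.]com and its March 26, 2020 registration date come from the post.

```python
"""Added example (not from the Avast post): flag proxy-log requests that match the
malvertising pattern described above -- an Internet Explorer client fetching a
coronavirus-themed domain that was registered only days earlier."""
import re
from datetime import date, datetime

# Constructed sample proxy log lines (not real traffic):
# timestamp, client IP, requested host, quoted User-Agent.
SAMPLE_LOG = """\
2020-04-02T10:15:01Z 10.0.0.12 covid19onlineinfo.com "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2020-04-02T10:15:03Z 10.0.0.12 covid19onlineinfo.com "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
2020-04-02T10:16:10Z 10.0.0.45 example-news.test "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/80.0.3987.149 Safari/537.36"
2020-04-02T10:17:44Z 10.0.0.77 corona-stats-daily.test "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2020-04-02T10:18:02Z 10.0.0.77 who.int "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2020-04-02T10:19:30Z 10.0.0.91 corona-news-archive.test "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
"""

# Constructed registration dates standing in for a WHOIS/RDAP enrichment source
# (assumption: replace with your own lookup). covid19onlineinfo.com's date is the
# one the post gives; every other entry is made up for the example.
REGISTERED = {
    "covid19onlineinfo.com": date(2020, 3, 26),
    "corona-stats-daily.test": date(2020, 3, 30),
    "corona-news-archive.test": date(2015, 6, 14),
    "example-news.test": date(2012, 5, 1),
    "who.int": date(1998, 4, 28),
}

THEME_WORDS = ("covid", "corona", "pandemic")  # assumption: keywords worth watching
NEW_DOMAIN_DAYS = 30                            # assumption: "new" = registered within 30 days

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# Old IE announces itself as "MSIE n.0"; IE11 dropped that token and shows "Trident/7.0 ... rv:11.0".
IE_RE = re.compile(r"MSIE (\d+)\.|Trident/\d+\.\d+.*?rv:(\d+)\.")


def ie_version(user_agent):
    """Return the Internet Explorer major version, or None for non-IE clients."""
    m = IE_RE.search(user_agent)
    if not m:
        return None
    return int(m.group(1) or m.group(2))


def domain_age_days(host, seen_on, registered=REGISTERED):
    """Days between registration and the request, or None if the domain is unknown."""
    reg = registered.get(host.lower())
    return None if reg is None else (seen_on - reg).days


def score_request(host, user_agent, seen_on):
    """Combine the three signals into a triage level plus the reasons behind it."""
    reasons = []
    ver = ie_version(user_agent)
    if ver is not None:
        reasons.append(f"Internet Explorer {ver} client")
    if any(word in host.lower() for word in THEME_WORDS):
        reasons.append("coronavirus-themed domain name")
    age = domain_age_days(host, seen_on)
    if age is not None and age <= NEW_DOMAIN_DAYS:
        reasons.append(f"domain registered {age} days ago")
    # All three signals together match the campaign; an IE client with one more
    # signal is worth a look; anything else is background noise for this rule.
    if len(reasons) == 3:
        level = "high"
    elif ver is not None and len(reasons) == 2:
        level = "medium"
    else:
        level = "low"
    return level, reasons


def scan_log(text):
    """Parse each log line and return one finding dict per well-formed line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, host, ua = m.groups()
        seen_on = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        level, reasons = score_request(host, ua, seen_on)
        findings.append({"time": ts, "client": client, "host": host,
                         "level": level, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['level']:6} {f['client']:10} {f['host']:26} {'; '.join(f['reasons'])}")
```

The "medium" tier exists because the post names the IE crash as the only sign a user notices: an IE client reaching a themed but long-established domain, or a brand-new domain with a neutral name, is not by itself the campaign, but it is the population an analyst would want to check against patch status for CVE-2018-8174 and CVE-2018-15982 and against Flash removal.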