Spelevo exploit kit's operators have recently added a new infection vector to their attacks, attempting to social engineer potential targets into downloading and executing additional malware payloads from decoy adult sites.
This exploit kit was initially spotted by security researcher Kafeine back in early March 2019 and it has been used as a delivery platform for the infamous IcedID and Dridex banking trojans, as Cisco Talos found in June, and to drop Maze Ransomware payloads, as researcher nao_sec discovered.
While exploit kits normally only redirect victims to a landing page using a traffic distribution system (TDS) and hit them with an exploit designed to abuse vulnerable applications on their computer, this time the attackers behind Spelevo EK decided to include a new social engineering tactic as a backup infection vector.

"Recently, we captured an unusual change with the Spelevo exploit kit where, after an attempt to trigger vulnerabilities in Internet Explorer and Flash Player, users were immediately redirected to a decoy adult site," Malwarebytes security researcher Jérôme Segura said.
After failing to exploit any of the Internet Explorer and Flash Player vulnerabilities it targets to infect the victims' devices with the Ursnif (aka Gozi) banking Trojan, Spelevo EK automatically redirects the targets to a decoy adult site where they are asked to download and install a video codec to play the videos.
By adopting this new social engineering tactic, the attackers still have a chance to drop additional malware payloads, Qbot banking Trojans in this case, even when the exploit kit fails to achieve a successful infection.
"Based on our telemetry, there are a few campaigns run by threat actors converting traffic to adult sites into malware loads," Segura adds. "In one campaign, we saw a malvertising attack on a site that draws close to 50 million visitors a month."
Before these recent campaigns, Spelevo EK would also redirect victims post-exploitation but, instead of decoy adult sites, it would deliver the victims to google.com after a 10-second delay.

Once they land on the fake adult website, the targets are asked to download the fake video codec which, once downloaded and executed, launches a Qbot banking Trojan instance, as already mentioned.
"Downloading video codecs to view media used to be fairly common back in the day, but isn’t really the case anymore," Segura explains. "Yet, this kind of trick still works quite well and is an alternative method to compromise users."
This new tactic adopted by Spelevo EK's operators increases the number of infection vectors used in their campaigns, which makes them more effective in the long run.
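The two-stage chain described above (an exploit attempt against Flash Player, followed within seconds by a redirect to a second domain and a download of an executable presented as a "codec") is something a defender can look for in web proxy logs. The script below is an added example written for this article, not code from Malwarebytes or from the article itself. The log format, the 30-second correlation window, the domain names and the filenames are all constructed assumptions for the example and are not indicators from the campaign.

```python
"""Flag proxy-log sessions that match a Spelevo-style fallback chain:
a client is served Flash exploit content from a landing domain, then within a
short window downloads an executable named like a codec from a different domain.

Every log line, domain and filename here is constructed for this example.
The log format (timestamp client status method url "content-type") and the
30-second window are assumptions, not values from the article."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample proxy log: one client follows the full chain, a second
# client only downloads an unrelated executable half an hour later.
SAMPLE_LOG = [
    '2019-10-01T12:00:00 10.0.0.5 200 GET http://landing.example.invalid/x/flash.swf "application/x-shockwave-flash"',
    '2019-10-01T12:00:03 10.0.0.5 302 GET http://landing.example.invalid/go "text/html"',
    '2019-10-01T12:00:04 10.0.0.5 200 GET http://decoy-tube.example.invalid/watch?v=1 "text/html"',
    '2019-10-01T12:00:09 10.0.0.5 200 GET http://decoy-tube.example.invalid/dl/VideoCodec_Setup.exe "application/x-msdownload"',
    '2019-10-01T12:05:00 10.0.0.7 200 GET http://cdn.example.invalid/site.swf "application/x-shockwave-flash"',
    '2019-10-01T12:30:00 10.0.0.7 200 GET http://cdn.example.invalid/tool.exe "application/x-msdownload"',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<method>\S+) '
    r'(?P<url>\S+) "(?P<ctype>[^"]*)"$'
)
CODEC_NAME = re.compile(r'codec|player|plugin', re.I)   # lure filename words (assumed)
EXE_EXT = ('.exe', '.msi', '.scr')


@dataclass
class Hit:
    ts: datetime
    client: str
    url: str
    status: int
    ctype: str


def parse_line(line: str) -> Optional[Hit]:
    """Parse one constructed-format log line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Hit(datetime.fromisoformat(m['ts']), m['client'], m['url'],
               int(m['status']), m['ctype'])


def is_exploit_stage(h: Hit) -> bool:
    """Flash content served to the client: the exploit attempt the kit starts with."""
    return h.ctype == 'application/x-shockwave-flash' or h.url.lower().endswith('.swf')


def is_codec_lure(h: Hit) -> bool:
    """An executable download whose name or type suggests a 'codec' installer."""
    path = urlparse(h.url).path.lower()
    return path.endswith(EXE_EXT) and bool(
        CODEC_NAME.search(path) or 'application/x-msdownload' in h.ctype)


def find_chains(lines: List[str], window: timedelta = timedelta(seconds=30)
                ) -> List[Tuple[str, str, str, int]]:
    """Return (client, exploit_url, lure_url, seconds_between) for each client
    whose exploit-stage hit is followed, within `window`, by a codec-style
    executable download from a different host."""
    by_client = {}
    for line in lines:
        h = parse_line(line)
        if h:
            by_client.setdefault(h.client, []).append(h)

    alerts = []
    for client, hits in by_client.items():
        hits.sort(key=lambda h: h.ts)
        for i, h in enumerate(hits):
            if not is_exploit_stage(h):
                continue
            landing_host = urlparse(h.url).hostname
            for later in hits[i + 1:]:
                if later.ts - h.ts > window:
                    break          # outside the correlation window
                if urlparse(later.url).hostname != landing_host and is_codec_lure(later):
                    alerts.append((client, h.url, later.url,
                                   int((later.ts - h.ts).total_seconds())))
                    break
    return alerts


if __name__ == '__main__':
    for client, exploit_url, lure_url, secs in find_chains(SAMPLE_LOG):
        print(f'{client}: exploit stage {exploit_url} -> codec lure {lure_url} after {secs}s')
```

Requiring the lure to come from a different host than the exploit stage is what separates the decoy-site fallback from an ordinary site serving both Flash content and a legitimate download; the second client in the sample log never alerts because its executable comes from the same host and far outside the window.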

Other exploit kits have also turned to social engineering to improve their "hit rate" in the past, with Magnitude EK and Disdain EK adopting this additional attack tactic in 2017 via fake Windows Defender and Flash Player alerts.
Fallout EK also switched to social engineering in 2018, displaying fake antivirus and Flash Player prompts that would attempt to infect targets from the government, telecom, and healthcare sectors that had fully patched machines.