Exploit Kits Target Windows Users with Ransomware and Trojans

Filed under Security Alerts.

Over the weekend and into today, four different malvertising campaigns have been redirecting users to exploit kits that install password stealing Trojans, ransomware, and clipboard hijackers.

All four of these campaigns were discovered by exploit kit researcher nao_sec and are being distributed through malvertising that redirects visitors to the exploit kits' landing pages. These landing pages are typically hosted on hacked sites.

Once a user visits such a site, the kit's scripts attempt to exploit vulnerabilities in the visitor's browser to download and install malware automatically, without the user's knowledge.

GrandSoft exploit kit installs the Ramnit banking trojan

On Saturday, nao_sec saw the GrandSoft exploit kit pushing the Ramnit banking trojan.

Ramnit is a password-stealing trojan that attempts to steal victims' saved login credentials, online banking credentials, FTP accounts, browser history, site injections, and more.

Rig exploit kit pushes Amadey and a clipboard hijacker

On Sunday, nao_sec continued to see exploit kit activity in the form of a PopCash malvertising campaign redirecting users to the Rig exploit kit. This exploit kit targets CVE-2018-15982 (Flash Player), CVE-2018-8174 (Microsoft Internet Explorer VBScript Engine), and other vulnerabilities to infect visitors with malware.

Visitors running Internet Explorer who are redirected to the Rig landing page would then find their browser crashing as the exploit kit installs malware.

When nao_sec saw this campaign it was installing clipboard hijackers, which monitor the Windows clipboard for cryptocurrency addresses and substitute any they find with addresses under the attacker's control. This is used to steal payments that users believe they are sending to legitimate wallet addresses.
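The substitution behaviour just described is observable from the defender's side: a hijacker overwrites the clipboard immediately after the user copies an address, so one address-like value is replaced by a different one within a fraction of a second. The following PowerShell watcher is an added example, not code from the article or from nao_sec; it logs such swaps. It assumes Windows PowerShell 5.1 or later (for `Get-Clipboard`), and the address patterns and the two-second window are simplified heuristics chosen for illustration.

```powershell
# Added example (not from the article): a read-only clipboard watcher that logs
# when one cryptocurrency-address-looking value is replaced by another within a
# short interval, the behaviour described for clipboard hijackers.
# Assumptions: Windows PowerShell 5.1+ (Get-Clipboard); patterns are heuristics.

# Simplified address patterns (heuristic; may miss or over-match some formats).
$AddressPatterns = @(
    '^(1|3)[A-HJ-NP-Za-km-z1-9]{25,34}$',   # legacy Bitcoin (Base58)
    '^bc1[02-9ac-hj-np-z]{11,71}$',         # Bitcoin bech32
    '^0x[0-9a-fA-F]{40}$'                    # Ethereum
)

function Test-LooksLikeAddress {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    $t = $Text.Trim()
    foreach ($p in $AddressPatterns) { if ($t -match $p) { return $true } }
    return $false
}

function Test-AddressSwap {
    param([string]$Previous, [string]$Current, [double]$SecondsApart, [double]$WindowSeconds = 2.0)
    # A legitimate user rarely copies two different addresses within a second or
    # two; a hijacker replaces the copied address almost instantly.
    return (Test-LooksLikeAddress $Previous) -and
           (Test-LooksLikeAddress $Current) -and
           ($Previous.Trim() -ne $Current.Trim()) -and
           ($SecondsApart -le $WindowSeconds)
}

function Watch-Clipboard {
    param([int]$PollMs = 250, [string]$LogPath = "$env:TEMP\clipboard-watch.log")
    $last = Get-Clipboard -Raw
    $lastChange = Get-Date
    while ($true) {
        Start-Sleep -Milliseconds $PollMs
        $now = Get-Clipboard -Raw
        if ($now -eq $last) { continue }
        $t = Get-Date
        $delta = ($t - $lastChange).TotalSeconds
        if (Test-AddressSwap -Previous $last -Current $now -SecondsApart $delta) {
            $msg = "{0:o} SUSPICIOUS clipboard swap: '{1}' -> '{2}' ({3:N2}s apart)" -f $t, $last, $now, $delta
            Write-Warning $msg
            Add-Content -Path $LogPath -Value $msg
        }
        $last = $now
        $lastChange = $t
    }
}

# Watch-Clipboard   # uncomment to run interactively; stop with Ctrl+C
```

The watcher never writes to the clipboard; it only polls and logs. A logged swap is a signal to compare the pasted address against the one you intended to send to before confirming a transaction, and to investigate the host for an unwanted process.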

For BleepingComputer, the exploit kit installed the Amadey trojan, which adds a victim’s computer to a botnet, steals information from the computer, and downloads and executes other malware.

Fallout exploit kit pushes a clipboard hijacker

Earlier today, nao_sec discovered the Fallout exploit kit distributing a clipboard hijacker.

nao_sec told BleepingComputer that the Fallout exploit kit targets the CVE-2018-8174 (Microsoft Internet Explorer VBScript Engine) and CVE-2018-15982 (Flash Player) vulnerabilities.

Radio exploit kit installs the Nemty Ransomware

Finally, nao_sec also saw today another malvertising campaign pushing the Radio exploit kit that is installing the Nemty Ransomware.

Nemty has been gaining traction over the past few weeks and has been spotted being distributed by the Rig exploit kit in the past and through sites that impersonate major brands like PayPal.

The researcher told us that the RadioEK is a “very poor tool” as it targets the CVE-2016-0189 vulnerability in JScript and VBScript for Internet Explorer that Microsoft patched in 2016.

Protecting yourself from exploit kits

In order for an exploit kit to work, it must find vulnerabilities to exploit in outdated software and operating systems.

Therefore, your best defense against an exploit kit is to always make sure you have the latest security updates installed for both your OS and any software you have installed.

When focusing on software updates, it is important to also update any programs that plug into a web browser to add functionality, such as Adobe Flash, PDF readers, and similar programs.
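The advice above boils down to a posture check: is the OS current, and are the browser components these kits target (Internet Explorer, Flash Player) patched or removed? The script below is an added example, not part of the article, that reports that posture for one Windows host. It assumes an elevated Windows PowerShell session and the standard registry locations for the Internet Explorer version (`svcVersion`) and the Flash Player ActiveX control; on a host without Flash the value is simply absent, which is the desired state.

```powershell
# Added example (not from the article): read-only patch-posture report for a
# Windows host, covering the components the exploit kits above target.
# Assumptions: elevated session; registry paths below are the standard ones for
# IE and the Flash ActiveX control; pending-update lookup needs network access.

function Get-IEVersion {
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($null -eq $ie) { return $null }
    # svcVersion holds the real version on IE10+; older builds only set Version.
    if ($ie.svcVersion) { return $ie.svcVersion } else { return $ie.Version }
}

function Get-FlashActiveXVersion {
    $flash = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX' -ErrorAction SilentlyContinue
    if ($null -eq $flash) { return $null }   # not installed: nothing for a Flash exploit to hit
    return $flash.Version
}

function Get-DaysSinceLastHotfix {
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($null -eq $latest) { return $null }
    return [int]((Get-Date) - $latest.InstalledOn).TotalDays
}

function Get-PendingUpdateCount {
    # Windows Update Agent COM API: count updates not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    return $result.Updates.Count
}

function Get-PatchPosture {
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        IEVersion       = Get-IEVersion
        FlashActiveX    = Get-FlashActiveXVersion   # $null is the desired state
        DaysSinceHotfix = Get-DaysSinceLastHotfix
        PendingUpdates  = Get-PendingUpdateCount
    }
}

$posture = Get-PatchPosture
$posture | Format-List
if ($posture.FlashActiveX) {
    Write-Warning "Flash Player ActiveX $($posture.FlashActiveX) is still installed; remove it if it is not required."
}
if ($posture.PendingUpdates -gt 0) {
    Write-Warning "$($posture.PendingUpdates) Windows update(s) are pending installation."
}
if ($null -ne $posture.DaysSinceHotfix -and $posture.DaysSinceHotfix -gt 45) {
    Write-Warning "Last hotfix was installed $($posture.DaysSinceHotfix) days ago; the host is likely missing a monthly update."
}
```

Run it across a fleet (for example via `Invoke-Command`) and the hosts that still carry Flash or report pending updates are the ones exposed to the CVEs listed earlier in this article. The 45-day threshold is an arbitrary choice for the example; adjust it to your patch cycle.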
