Over the weekend and into today, four different malvertising campaigns have been redirecting users to exploit kits that install password stealing Trojans, ransomware, and clipboard hijackers.
All four of these campaigns were discovered by exploit kit expert nao_sec and are being distributed through malvertising that redirects visitors to the exploit kits' landing pages. These landing pages are typically hosted on hacked sites.
Once a user visits the site, the kit’s scripts will attempt to exploit vulnerabilities in the visitor’s browser to automatically download and install malware without the user’s knowledge.
GrandSoft exploit kit installs the Ramnit banking trojan
Ramnit is a password-stealing Trojan that attempts to steal victims' saved login credentials, online banking credentials, FTP accounts, browser history, site injections, and more.
Rig exploit kit pushes Amadey and a clipboard hijacker
On Sunday, nao_sec continued to see exploit kit activity in the form of a popcash malvertising campaign redirecting users to the Rig exploit kit. This exploit kit targets the CVE-2018-15982 (Flash Player), CVE-2018-8174 (Microsoft Internet Explorer VBScript Engine), and other vulnerabilities to infect visitors with malware.
Visitors running Internet Explorer who are redirected to the Rig landing page would then find their browsers crashing as the exploit kit installs malware.
When nao_sec saw this campaign it was installing clipboard hijackers, which monitor the Windows clipboard for cryptocurrency addresses and substitute any that they find for addresses under their control. This is used to steal the payments that users think they are sending to legitimate wallet addresses.
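The substitution behaviour described above is also what a defender can look for: an address-shaped string leaves the clipboard and a different string of the same address type takes its place. The following is an added example, not code from the article or from nao_sec, showing that detection logic run over constructed clipboard snapshots (a real monitor would poll the Windows clipboard via an OS API; the address formats, the event records and the sample values are all assumptions made for illustration).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address formats a clipboard hijacker commonly targets.
# Extend this table for other currencies; only the shape is checked, not validity.
ADDRESS_PATTERNS = {
    "bitcoin_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "bitcoin_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address type if the whole string looks like a crypto address, else None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return name
    return None


@dataclass
class ClipboardEvent:
    """One snapshot pair: what the user copied, and what the clipboard held when next read."""
    copied: str
    observed: str


def detect_substitution(copied: str, observed: str) -> Optional[str]:
    """Return a reason string when an address was swapped for another of the same type.

    A clipboard that was overwritten with unrelated text (the user copied something
    else) is not flagged; only an address-for-address replacement is.
    """
    copied_type = classify_address(copied)
    if copied_type is None:
        return None
    if copied.strip() == observed.strip():
        return None
    observed_type = classify_address(observed)
    if observed_type != copied_type:
        return None
    return (f"{copied_type} address replaced on clipboard: "
            f"copied {copied.strip()!r}, observed {observed.strip()!r}")


def scan_events(events: List[ClipboardEvent]) -> List[Tuple[int, str]]:
    """Run the detector over a sequence of snapshots; return (index, reason) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        reason = detect_substitution(ev.copied, ev.observed)
        if reason is not None:
            hits.append((i, reason))
    return hits


# Constructed sample data: none of these are real wallet addresses.
BTC_USER = "1AAAAconstructedBTCaddressZZZZZ"
BTC_SWAPPED = "1BBBBattackerSwappedAddrYYYYYYY"
ETH_USER = "0x" + "ab" * 20
ETH_SWAPPED = "0x" + "cd" * 20

SAMPLE_EVENTS = [
    ClipboardEvent(BTC_USER, BTC_USER),          # untouched: no alert
    ClipboardEvent(BTC_USER, BTC_SWAPPED),       # same-type swap: alert
    ClipboardEvent("hello world", "hello world"), # not an address: ignored
    ClipboardEvent(ETH_USER, "meeting at 3pm"),  # overwritten by the user: no alert
    ClipboardEvent(ETH_USER, ETH_SWAPPED),       # same-type swap: alert
]

if __name__ == "__main__":
    for index, reason in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

The check is deliberately conservative: it alerts only when one address is exchanged for another of the same type, which is the hijacker behaviour the article describes, and stays quiet when the user simply copies something else. For the end user, the practical mitigation is the same thing this code does by hand: compare the pasted address against the one you intended to send to before confirming a transaction.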
For BleepingComputer, the exploit kit installed the Amadey trojan, which adds a victim’s computer to a botnet, steals information from the computer, and downloads and executes other malware.
Fallout exploit kit pushes a clipboard hijacker
nao_sec told BleepingComputer that the Fallout exploit kit targets the CVE-2018-8174 (Microsoft Internet Explorer VBScript Engine) and CVE-2018-15982 (Flash Player) vulnerabilities.
Radio exploit kit installs the Nemty Ransomware
The researcher told us that the RadioEK is a “very poor tool” as it targets the CVE-2016-0189 vulnerability in JScript and VBScript for Internet Explorer that Microsoft patched in 2016.
Protecting yourself from exploit kits
For an exploit kit to work, it must find vulnerabilities to exploit in outdated software and operating systems.
Therefore, your best defense against exploit kits is to always make sure you have the latest security updates installed for both your OS and any software you have installed.
When focusing on software updates, it is important to update any programs that plug into a web browser to add functionality, such as Adobe Flash, PDF readers, and similar programs.