{"id":17234,"date":"2019-12-18T09:10:05","date_gmt":"2019-12-18T17:10:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/12\/18\/news-10970\/"},"modified":"2019-12-18T09:10:05","modified_gmt":"2019-12-18T17:10:05","slug":"news-10970","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/12\/18\/news-10970\/","title":{"rendered":"Spelevo exploit kit debuts new social engineering trick"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 18 Dec 2019 16:00:00 +0000<\/strong><\/p>\n

2019 has been a busy year for exploit kits, despite the fact that they haven’t been considered a potent threat vector for years, especially on the consumer side. This time, we discovered the Spelevo exploit kit with its virtual pants down, attempting to capitalize on the popularity of adult websites to compromise more devices.<\/p>\n

The current Chromium-dominated browser market share favors social engineering attacks and other threats that do not require the use of exploits in order to infect users. However, we continue to see malvertising campaigns pushing drive-by downloads in our telemetry. The malicious adverts are placed on tier 2 adult websites that still drive a lot of traffic.<\/p>\n

Recently, we captured an unusual change with the Spelevo exploit kit where, after an attempt to trigger vulnerabilities in Internet Explorer and Flash Player, users were immediately redirected to a decoy adult site.<\/p>\n

\n
\"\"<\/a>
Figure 1: Exploit kit used in tandem with social engineering<\/figcaption><\/figure>\n<\/div>\n

Spelevo EK instructs the browser to load this site, which social engineers victims into installing a video codec in order to play a movie. This appears to be an effort from the Spelevo EK operator to double his chances of compromising new machines.<\/p>\n

Spelevo EK changes its redirection URL<\/h3>\n

Based on our telemetry, there are a few campaigns run by threat actors converting traffic to adult sites into malware loads. In one campaign, we saw a malvertising attack on a site that draws close to 50 million visitors a month.<\/p>\n

\"\"<\/a>
Figure 2: Traffic view from EK to soc. engineering site<\/figcaption><\/figure>\n

We collected two main payloads coming directly from Spelevo EK:<\/p>\n