Exploit kits have long been used to deliver threats to users, but they seem to have gone retro: one was recently seen delivering fake antivirus malware.
We closely monitor exploit kit activity because of their widespread use (we discussed their use in malvertising recently), so it was no great surprise to see the Fiesta exploit kit being used to deliver crypto-ransomware. The choice of exploits delivered is broadly in line with other exploit kits: Flash, Internet Explorer, Adobe Reader/Acrobat, and Silverlight are all targeted. (It’s worth noting that, as is the case in recent attacks, Java is no longer a favored infection vector.)
Figure 1. Exploits used by Fiesta
What is interesting is that after March 19, we noticed a change in the malware payloads delivered to victims. Before that date, crypto-ransomware was being delivered to end users. Aside from encrypting the user’s files, this particular variant terminates some running processes (Process Explorer, Task Manager, the Command Prompt, Regedit, and Msconfig) so that it cannot be terminated by the user easily. (We detect this as TROJ_CRYPTESLA.CAG.)
Figure 2. Screenshot of crypto-ransomware
After March 19, Fiesta served up a threat best known from previous years: fake antivirus. Again, it disables some common system tools such as Task Manager, Process Explorer, and Internet Explorer, so that this fake antivirus cannot be easily shut down. It’s not clear why the attackers chose to return to this older kind of threat. (This is detected as TROJ_FAKEAV.YSXF.)
Figure 3. Screenshot of fake antivirus
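Both payloads described above share one behavior: they terminate the system tools a user would reach for to shut them down (Process Explorer, Task Manager, the Command Prompt, Regedit, Msconfig, and Internet Explorer). That pattern is detectable from endpoint telemetry. The following Python is an added example, not code from the original post or from Trend Micro: it runs a simple sliding-window rule over constructed process-termination records (the log format, file paths, PIDs and timestamps are all made up for illustration) and flags any process that kills several distinct watched tools within a short interval, while leaving a user closing Task Manager or cmd.exe minutes apart unflagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# System and admin tools the post says the ransomware and the fake AV kill
# so that the user cannot shut them down.
WATCHED_TOOLS = {
    "procexp.exe", "taskmgr.exe", "cmd.exe", "regedit.exe",
    "msconfig.exe", "iexplore.exe",
}

WINDOW = timedelta(seconds=60)   # how close together the kills must be
MIN_DISTINCT_TOOLS = 3           # how many different tools before alerting

# Constructed sample telemetry, not real logs. One process-termination event
# per line: timestamp | acting process image | acting PID | terminated image.
# The "xvfd.exe" path and PIDs are invented for this example.
SAMPLE_EVENTS = """\
2015-03-20T10:00:01 | C:\\Users\\bob\\AppData\\Roaming\\xvfd.exe | 3020 | taskmgr.exe
2015-03-20T10:00:02 | C:\\Users\\bob\\AppData\\Roaming\\xvfd.exe | 3020 | procexp.exe
2015-03-20T10:00:02 | C:\\Windows\\explorer.exe | 1400 | notepad.exe
2015-03-20T10:00:04 | C:\\Users\\bob\\AppData\\Roaming\\xvfd.exe | 3020 | cmd.exe
2015-03-20T10:00:05 | C:\\Users\\bob\\AppData\\Roaming\\xvfd.exe | 3020 | regedit.exe
2015-03-20T10:05:00 | C:\\Windows\\explorer.exe | 1400 | taskmgr.exe
2015-03-20T10:09:00 | C:\\Windows\\explorer.exe | 1400 | cmd.exe
"""


def parse_events(text):
    """Turn the pipe-delimited lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, actor, pid, target = (f.strip() for f in line.split("|"))
        events.append({
            "ts": datetime.fromisoformat(ts),
            "actor": actor,
            "pid": int(pid),
            "target": target.lower(),
        })
    return events


def detect_tool_killers(events, window=WINDOW, min_tools=MIN_DISTINCT_TOOLS):
    """Return one alert per (actor, pid) that terminates at least `min_tools`
    distinct watched tools within `window`. The sliding window keeps slow,
    unrelated closures (a user quitting Task Manager) below the threshold."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["target"] in WATCHED_TOOLS:
            by_actor[(ev["actor"], ev["pid"])].append(ev)

    alerts = []
    for (actor, pid), kills in by_actor.items():
        kills.sort(key=lambda e: e["ts"])
        for i, first in enumerate(kills):
            in_window = [e for e in kills[i:] if e["ts"] - first["ts"] <= window]
            tools = sorted({e["target"] for e in in_window})
            if len(tools) >= min_tools:
                alerts.append({
                    "actor": actor,
                    "pid": pid,
                    "first_seen": first["ts"].isoformat(),
                    "tools": tools,
                })
                break   # one alert per acting process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_tool_killers(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['first_seen']} {alert['actor']} (PID {alert['pid']}) "
              f"terminated {', '.join(alert['tools'])}")
```

On the sample data only the invented `xvfd.exe` process is reported, because it kills four watched tools within five seconds; `explorer.exe` closes two watched tools four minutes apart and stays below both the window and the count threshold. In a real deployment the rule would consume process-terminate events from endpoint telemetry and the thresholds would be tuned against the environment's normal tool usage.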
Exploit kits are frequently used to spread various threats, so the use of Fiesta to spread both crypto-ransomware and the (seemingly) reborn fake antivirus should not be a great surprise. We decided to use this incident to check trends in exploit kit activity, particularly the levels and distribution of this specific usage of the Fiesta exploit kit in the month of March.
Figure 4. Global distribution of Fiesta Exploit Kit victims in March
In terms of distribution, three countries account for almost two-thirds of the traffic related to this attack: the United States, Japan, and Australia. The United States by itself accounts for more than a third of the traffic, making it the country most affected by this threat.
Figure 5. Number of machines affected by Fiesta per day
As for threat activity over time, the overall trend for this exploit kit was gradually upwards, although this growth was punctuated by several spikes during March. The overall threat picture is indicative of a growing crypto-ransomware threat; as we noted earlier, the first quarter of the year has seen many changes in this part of the threat landscape.
The first step in defending against these attacks is to keep software up to date. By removing the vulnerabilities that an exploit kit targets, users can avoid becoming the next victims of these attacks.
The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security blocks exploits from running at the browser level. In addition, Trend Micro™ Security software safeguards against malware, phishing, and other Internet threats. Businesses are also protected with Endpoint Security in Trend Micro™ Smart Protection Suite as it offers multiple layers of protection.