Rewterz Threat Advisory – CVE-2020-1250 – Win32k Information Disclosure Vulnerability
September 10, 2020
Severity
Medium
Analysis Summary
After a long hiatus, malvertising campaigns are back with their exploit kits. A Fallout exploit kit campaign was discovered distributing the Raccoon Stealer via high-traffic adult sites. After it was reported, the same threat actor returned using the RIG exploit kit instead. The largest campaign was then launched on the top site xhamster[.]com by a malvertiser who managed to abuse practically all adult ad networks. The campaigns target users running Internet Explorer without any particular geolocation restriction, although the majority of victims were in the US. In this campaign, the crooks abused the popular ad network ExoClick using different redirection pages. Simple server-side cloaking performs the redirect to a Fallout exploit kit landing page, which attempts to exploit CVE-2019-0752 (Internet Explorer) and CVE-2018-15982 (Flash Player) before dropping the Raccoon Stealer. Another domain, websolvent[.]me, also became active but used a different redirection technique, a 302 redirect, also known as 302 cushioning. This time the RIG exploit kit is used, which also delivers Raccoon Stealer.
The second malvertiser (‘malsmoke’) is a group whose end payload is often the Smoke Loader malware. The gates used by this group also use a decoy site, and over time they have registered domains mimicking ad networks and cloud providers. The redirection mechanism is more sophisticated than those used in other malvertising campaigns: client-side fingerprinting and connectivity checks are used to avoid VPNs and proxies, so only legitimate IP addresses are targeted. Interestingly, this Smoke Loader instance also downloads Raccoon Stealer and ZLoader.
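As an added illustration that is not part of the advisory, the Python sketch below shows how a defender could reconstruct per-client 302 redirect chains from proxy logs and flag the 302-cushioning pattern described above, noting which hits came from Internet Explorer clients. The log format, client addresses, ad-network and decoy hostnames are constructed for the example; only the websolvent.me host comes from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Redirect host named in the advisory (defanged there as websolvent[.]me).
FLAGGED_HOSTS = {"websolvent.me"}
# Internet Explorer announces itself with an "MSIE" or "Trident/" token.
IE_UA = re.compile(r"MSIE|Trident/")

# Constructed sample proxy log (hypothetical format, not a real product's):
# client|status|requested_url|location_header|user_agent
UA_IE = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
UA_CHROME = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/85.0 Safari/537.36"
SAMPLE_LOG = "\n".join([
    f"10.0.0.5|200|http://ads.example.test/serve?z=1||{UA_IE}",
    f"10.0.0.5|302|http://decoy.example.test/go|http://websolvent.me/land.php|{UA_IE}",
    f"10.0.0.5|200|http://websolvent.me/land.php||{UA_IE}",
    f"10.0.0.7|302|http://shop.example.test/|https://shop.example.test/|{UA_IE}",
    f"10.0.0.7|200|https://shop.example.test/||{UA_IE}",
    f"10.0.0.9|302|http://decoy.example.test/go|http://websolvent.me/land.php|{UA_CHROME}",
    f"10.0.0.9|200|http://websolvent.me/land.php||{UA_CHROME}",
])

def parse(log_text):
    for line in log_text.splitlines():
        client, status, url, location, ua = line.split("|", 4)
        yield {"client": client, "status": int(status), "url": url,
               "location": location, "ua": ua}

def reconstruct_chains(log_text):
    """Stitch each client's 302 responses to its follow-up request for the Location target."""
    chains, pending = defaultdict(list), {}
    for rec in parse(log_text):
        c = rec["client"]
        if chains[c] and pending.get(c) == rec["url"]:
            chains[c][-1]["hops"].append(rec["url"])  # request matches the prior 302's Location
        else:
            chains[c].append({"client": c, "hops": [rec["url"]],
                              "ie": bool(IE_UA.search(rec["ua"]))})
        pending[c] = rec["location"] if rec["status"] == 302 else None
    return [ch for per_client in chains.values() for ch in per_client]

def find_cushioned_chains(log_text):
    """Chains with at least one 302 hop ending on a flagged host; 'ie' marks the campaign's targets."""
    return [ch for ch in reconstruct_chains(log_text)
            if len(ch["hops"]) > 1 and urlparse(ch["hops"][-1]).hostname in FLAGGED_HOSTS]
if __name__ == "__main__":
    for hit in find_cushioned_chains(SAMPLE_LOG):
        print(hit["client"], "IE" if hit["ie"] else "non-IE", " -> ".join(hit["hops"]))
```

On the constructed log this reports two cushioned chains landing on websolvent.me, one from the IE client and one from the Chrome client, while the benign http-to-https 302 for 10.0.0.7 is left alone.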
Impact
- Credential Theft
- Theft of Sensitive Information
Indicators of Compromise
Remediation
- Block the threat indicators at their respective controls.
- Keep all products patched against all known vulnerabilities.
- If you’re using Internet Explorer, migrate to a modern and fully supported browser.