Believe it or not, there are alternatives to the RIG Exploit Kit. Here’s a rundown of a few of them.
Spelevo Exploit Kit
Spelevo was discovered in Q1 of 2019. Spelevo exploits a flaw in Adobe Flash Player (no way!) in order to drop the GootKit Trojan. The kit uses CVE-2018-15982, a vulnerability previously used in targeted attacks in which actors sent malicious Microsoft Word documents containing an Adobe Flash file that triggered the flaw. CVE-2018-15982 is a use-after-free bug in Adobe Flash Player for Windows, macOS, Linux, and Chrome OS that allows remote code execution.
Spelevo was also used to push PsiXBot, a system-information and credential stealer. An interesting quirk of PsiXBot is that it first checks the language settings on the compromised machine and exits if they are set to Russian.
Fallout Exploit Kit
This exploit kit again takes advantage of Adobe Flash Player and Windows, allowing the attacker to download additional malware onto the compromised machine. Fallout went on hiatus after the Kraken Cryptor campaign but was detected again in January 2019 delivering GandCrab. In the Kraken campaign, Fallout used an exploit for CVE-2018-4878. Unlike in that campaign, Fallout now uses PowerShell instead of Internet Explorer in order to bypass and evade endpoint protection (EPP) on the infected system.
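A defender's complement to the PowerShell trick described above, as an added example that is not part of the original post: a small Python heuristic that runs over process-creation events and flags a PowerShell process whose parent is a browser, or whose command line carries arguments typical of a download stage. The log lines, the `key=value|...` record format, and the browser and argument lists are all constructed assumptions, not anything the post or Fallout's authors specify.

```python
"""Flag PowerShell launched from a browser as a drive-by download-stage heuristic.

Added example, not from the original post. The log lines are constructed and
mimic a simplified process-creation export (Sysmon Event ID 1 style); the
field names and the '|'-separated record format are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Browser processes a drive-by exploit would typically run inside (assumption).
BROWSER_IMAGES = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Command-line markers that commonly accompany a download stage (assumption).
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|downloadstring|downloadfile|invoke-webrequest|"
    r"-w(indowstyle)?\s+hidden|bypass)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one 'Key=Value|Key=Value' record (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score(ev: ProcEvent) -> List[str]:
    """Return the reasons an event looks like a browser-spawned download stage."""
    reasons: List[str] = []
    if basename(ev.image) not in SHELL_IMAGES:
        return reasons
    if basename(ev.parent_image) in BROWSER_IMAGES:
        reasons.append("powershell spawned by browser")
    match = SUSPICIOUS_ARGS.search(ev.command_line)
    if match:
        reasons.append(f"suspicious argument: {match.group(0)}")
    return reasons


def detect(lines) -> List[Tuple[ProcEvent, List[str]]]:
    """Run the heuristic over raw log lines and keep only the events that fired."""
    hits = []
    for ev in map(parse_event, lines):
        reasons = score(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample: one browser-spawned PowerShell with a hidden window and an
# encoded command (the base64 just decodes to "ABC"), one benign admin use, and
# one unrelated child of the browser.
SAMPLE_LOG = [
    "ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -w hidden -enc QQBCAEMA",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell Get-Process",
    "ParentImage=C:\\Program Files\\Internet Explorer\\iexplore.exe"
    "|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_LOG):
        print(f"{basename(ev.parent_image)} -> {basename(ev.image)}: {'; '.join(reasons)}")
```

The parent-process check is the higher-signal half: an ordinary user rarely has a browser launch PowerShell, so that relationship alone is worth an alert even when the command line is clean, while the argument markers on their own will also fire on legitimate administration scripts and need tuning per environment.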
Fiesta Exploit Kit
Fiesta was quite active in Q1 2019, using drive-by attacks to compromise users. Fiesta gets around heightened awareness and detection of phishing emails by compromising numerous web servers and injecting malicious code into the pages they serve. The kit can then victimize many browsers visiting the infected pages. Fiesta's injected code is likely detectable only by the websites' administrators and security professionals.
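Because the injected code lives on the compromised site, the site administrator is the one placed to spot it. The following Python scanner is an added example, not code from the original post: it walks served HTML and reports script tags loaded from hosts outside an allowlist, hidden or one-pixel iframes, and inline scripts carrying common obfuscation markers. The sample pages, the allowlist (`ALLOWED_SCRIPT_HOSTS`) and the `injected.invalid` host are constructed for the example; a real deployment would fetch the live pages and compare against a known-good baseline.

```python
"""Scan served HTML for the kind of injection a compromised web server carries.

Added example, not from the original post. The allowlist and the two sample
pages are constructed; hosts and paths are placeholders.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}


def looks_obfuscated(js: str) -> bool:
    """Crude markers for obfuscated inline JavaScript (assumption, tune per site)."""
    markers = ("eval(", "unescape(", "fromCharCode", "document.write(unescape")
    return any(m in js for m in markers) or js.count("\\x") > 8


class InjectionScanner(HTMLParser):
    """Collect (finding_kind, detail) pairs while parsing one page."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src")
            if src:
                host = urlparse(src).netloc.lower()
                # Relative URLs have no host and are served by this site itself.
                if host and host not in ALLOWED_SCRIPT_HOSTS:
                    self.findings.append(("external-script", src))
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if "display:none" in style or "visibility:hidden" in style or tiny:
                self.findings.append(("hidden-iframe", a.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script and looks_obfuscated(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))


def scan(html: str) -> List[Tuple[str, str]]:
    """Parse one page and return its findings in document order."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed pages: a clean one, and the same page with an obfuscated inline
# script and a one-pixel iframe appended to the body.
CLEAN_PAGE = (
    '<html><head><script src="https://cdn.example.com/app.js"></script></head>'
    '<body><p>Hello</p><script src="/static/site.js"></script></body></html>'
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>eval(unescape("%6e%6f%6f%70"))</script>'
    '<iframe src="//injected.invalid/frame.html" width="1" height="1"></iframe>'
    "</body>",
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan(page))
```

Run this from a scheduled job against every page the server serves (or against the document root on disk) and diff the findings against the previous run; a new external script host or hidden iframe appearing on many pages at once is the pattern a server-side injection leaves.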
-N. Coursey, August 30th, 2019