A recently discovered malvertising campaign is hosting the Fallout exploit kit on attacker-controlled websites featuring domain names that falsely imply they provide useful information about the novel coronavirus.
The ultimate goal is to infect victims with KPOT v2.0, an information and password stealer, according to a new blog post from the Avast Threat Intelligence team, whose researchers uncovered the operation.
The campaign has been running since at least March 26, when malicious actors registered the domain covid19onlineinfo[.]com, in a bid to trick ad networks into allowing the attackers to buy digital advertising space. Since then, the adversaries have been registered roughly six new domains per day, switching between then in an ongoing attempt to evade antivirus protections, the blog post report states.
The malvertisements typically appear on streaming websites. When visitors click a button to play a video, the malvertisements launch new tab that opens up to the domain that’s hosting Fallout. The exploit kit next attempts to abuse vulnerabilities that affect outdated versions of Internet Explorer, in order to install KPOT without the victim’s knowledge.
“It tries to exploit a vulnerability in Adobe Flash Player (CVE-2018-15982, fix released January 2019), which can lead to arbitrary code execution, and a remote execution vulnerability in the VBScript engine affecting multiple Windows versions (CVE-2018-8174, fix released May 2018). This can cause Internet Explorer to crash, which is the only red flag the user may notice,” the Avast report states.
KPOT can steal and exfiltrate information — including computer names, Windows usernames, IP addresses, installed software and machine GUIDs — as well as accounts cookies, account various passwords and autofill data.
To reduce the risk of falling victim to this threat, Avast recommends that users install antivirus software; keep operating systems, software and browsers updated and disable Flash when possible, among other actions.