Incident Response, Malware, TDR

Compromised forums redirect to Fiesta Exploit Kit, distribute malware possibly for click fraud

Researchers with Cyphort Labs observed a number of forum websites redirecting visitors to the Fiesta Exploit Kit, which in turn infected their computers with malware as part of what appears to be a click fraud operation.

Among the compromised forum websites were diychatroom[dot]com, excelforum[dot]com, dogforums[dot]com, ps3news[dot]com, wrestlingforum[dot]com, e-cigarette-forum[dot]com, and horseforum[dot]com, according to a Thursday post.

Although the post notes that redirects to the Fiesta Exploit Kit were observed on Monday and that the campaign was still ongoing as of Wednesday, the attack now appears to be slowing down.

Fengmin Gong, co-founder and CSO of Cyphort, told in an email correspondence that diychatroom[dot]com was no longer distributing malware as of Thursday morning, but that excelforum[dot]com and others are still infected.

Gong – who indicated that Cyphort is working to notify the affected websites – said that many of the forums are powered by either vBulletin or IP Board.

“vBulletin has one component called vBSEO which has been reported to have a serious vulnerability that allows remote injection of PHP code to the website,” Gong said. “We suspect that such vulnerability exploit was a likely vector for some of these forums. Although vBSEO has been discontinued, many sites unfortunately are not well updated and patched.”

Visiting any of the infected forums on a machine running Windows could result in the user being redirected to the Fiesta Exploit Kit, which was observed exploiting a vulnerability in Internet Explorer (CVE-2013-2551) and an Adobe Flash vulnerability (CVE-2015-0313).

“No user interaction needed – this is a fully automated, drive-by infection,” Gong said, going on to add, “There is “script src” tag planted on the infected forum site main page, redirecting to [the] malicious site” and that “the chain from the main site to the first redirect site was using a hidden iframe.”

The payload involves three pieces of malware.

The first, Gamarue, can update itself and download other malware, and it also disables certain security measures on the infected machine and avoids virtualization environments such as VirtualBox, QEMU and VMware, Gong explained.

FleerCivet is the primary malware used for click fraud, and it also checks for and avoids virtualization environments, Gong said. Finally, Ruperk is a backdoor that can be used to download additional malware, and attackers could be using it to mine for digital currencies.

“We believe at this time, one of the main missions of this campaign is click fraud, by the fact that it has a clear payload component (FleerCivet) that injects itself into IE, Chrome, and FireFox processes, doing multi-threaded browser sessions to visiting search URLs and hit stats URLs,” Gong said. “Also it avoids any virtualization environments, meaning [it] only wants to run from individual home (forum) users, which is likely a tactic to avoid click fraud detection.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.