
Malvertising scam leverages domain names that sound like legit COVID-19 sites

A recently discovered malvertising campaign is hosting the Fallout exploit kit on attacker-controlled websites featuring domain names that falsely imply they provide useful information about the novel coronavirus.

The ultimate goal is to infect victims with KPOT v2.0, an information and password stealer, according to a new blog post from the Avast Threat Intelligence team, whose researchers uncovered the operation.

The campaign has been running since at least March 26, when the attackers registered the domain covid19onlineinfo[.]com in a bid to trick ad networks into letting them buy digital advertising space. Since then, the adversaries have been registering roughly six new domains per day, switching between them in an ongoing attempt to evade antivirus detection, the blog post states.

The malvertisements typically appear on streaming websites. When a visitor clicks a button to play a video, the malvertisement launches a new tab that opens the domain hosting Fallout. The exploit kit then attempts to abuse vulnerabilities in outdated versions of Internet Explorer in order to install KPOT without the victim's knowledge.
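Two details above are what a defender can actually hunt on: the domains carry COVID-19 keywords, and they are freshly registered and rotated at a rate of several per day, usually reached from a streaming site. The following is an added example of a simple proxy-log triage script, not code from Avast or SC Media. The log format, the client addresses, the referrer host and every domain other than covid19onlineinfo.com are constructed for the illustration; the allowlist of health sites and the seven-day age window are assumptions an organisation would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (hypothetical), one event per line:
# "<ISO timestamp> <client IP> <destination host> <referrer host or '-'>"
SAMPLE_LOG = """\
2020-03-01T08:00:00 10.0.0.3 coronavirus-news.example -
2020-04-01T10:02:11 10.0.0.5 covid19onlineinfo.com stream-site.example
2020-04-01T10:05:40 10.0.0.7 www.who.int -
2020-04-01T11:17:03 10.0.0.5 coronavirus-stats-daily.example stream-site.example
2020-04-02T09:42:55 10.0.0.9 covid-update-live.example stream-site.example
2020-04-02T09:50:12 10.0.0.9 cdc.gov -
2020-04-03T14:03:27 10.0.0.5 covid19onlineinfo.com stream-site.example
"""

# Keywords the campaign's domains are built around (assumed list, extend as needed).
COVID_TOKENS = re.compile(r"(covid|corona|ncov|sars-?cov)", re.I)

# Assumed organisation-curated allowlist of legitimate health information sites.
ALLOWLIST = {"who.int", "cdc.gov"}


def registrable_domain(host):
    """Naive eTLD+1: keep the last two labels. Good enough here; use a public
    suffix list in production to handle names like example.co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, client, host, referrer) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ref = line.split()
        events.append((datetime.fromisoformat(ts), client, host, ref))
    return events


def first_seen(events):
    """Earliest time each registrable domain appears in this log. In a real
    deployment this would be backed by a long-term first-seen store."""
    seen = {}
    for ts, _, host, _ in events:
        d = registrable_domain(host)
        if d not in seen or ts < seen[d]:
            seen[d] = ts
    return seen


def suspicious_domains(events, max_age_days=7, now=None):
    """COVID-themed, not allowlisted, and first seen within max_age_days of `now`
    (default: the newest event). Newness is the key signal, since the attackers
    rotate through freshly registered names."""
    seen = first_seen(events)
    now = now or max(ts for ts, *_ in events)
    flagged = []
    for d, ts in seen.items():
        if d in ALLOWLIST or not COVID_TOKENS.search(d):
            continue
        if now - ts <= timedelta(days=max_age_days):
            flagged.append(d)
    return sorted(flagged)


def new_covid_domains_per_day(events):
    """Count of COVID-themed domains first seen on each calendar day. A sustained
    rate of several per day is the rotation pattern described in the report."""
    counts = defaultdict(int)
    for d, ts in first_seen(events).items():
        if d not in ALLOWLIST and COVID_TOKENS.search(d):
            counts[ts.date().isoformat()] += 1
    return dict(counts)


def referrer_pivot(events, domains):
    """For each flagged domain, the set of referrer hosts it was reached from;
    a streaming site as referrer matches the malvertising chain."""
    pivot = defaultdict(set)
    wanted = set(domains)
    for _, _, host, ref in events:
        d = registrable_domain(host)
        if d in wanted and ref != "-":
            pivot[d].add(ref)
    return {d: sorted(refs) for d, refs in pivot.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = suspicious_domains(evs)
    print("flagged:", flagged)
    print("new per day:", new_covid_domains_per_day(evs))
    print("referrers:", referrer_pivot(evs, flagged))
```

On the constructed log, coronavirus-news.example is excluded by the age window (it was first seen a month earlier), who.int and cdc.gov are excluded by the allowlist, and the three remaining domains are all reached from the same streaming-site referrer, which is the pivot to hand to whoever owns the ad-network relationship or the proxy block list.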

"It tries to exploit a vulnerability in Adobe Flash Player (CVE-2018-15982, fix released January 2019), which can lead to arbitrary code execution, and a remote execution vulnerability in the VBScript engine affecting multiple Windows versions (CVE-2018-8174, fix released May 2018). This can cause Internet Explorer to crash, which is the only red flag the user may notice," the Avast report states.

KPOT can steal and exfiltrate system information, including computer names, Windows usernames, IP addresses, installed software and machine GUIDs, as well as browser cookies, passwords for various accounts and autofill data.

To reduce the risk of falling victim to this threat, Avast recommends that users install antivirus software, keep operating systems, software and browsers updated, and disable Flash when possible, among other actions.

Bradley Barth
