Newly discovered Spelevo exploit kit found compromising B2B site to distribute IcedID and Dridex trojans

• Once installed, the exploit kit first attempts to exploit the CVE-2018-15982 vulnerability in Adobe Flash Player.
• In a situation where the first vulnerability is absent or patched, the exploit kit looks out for Internet Explorer with use-after-free (CVE-2018-8174) vulnerability.

Researchers have come across a cyberespionage campaign that is used to deliver a newly discovered exploit kit named Spelevo. The attackers have been found leveraging a compromised business-to-business site to distribute two banking trojans named IcedID and Dridex.

What’s the matter?

According to Cisco Talos researchers, the attackers behind the campaign have added four lines of malicious code into the webpage to infect all visitors that follow poor security hygiene.

The website initially appeared to just have a single page compromised, but as the investigation continued, researchers found that multiple pages were infected by the attackers. These infected pages redirected the vulnerable visitors to the infection gate hosted at ezylifebags[.]com[.]au and your-prizes-box[.]life.

Researchers speculate that the second domain may act as an extra tracker to ensure that the victim is connected to the compromised website via the exploit kit's traffic direct system (TDS). This indicates that the victim has fallen for the trap.

What happens next?

The Spelevo attack chain begins with a request for the landing page, where an initial reconnaissance activity is performed. The malicious code collects all system information including OS, web browser and applicable plugins.

“This starts with a request for the landing page. The landing page is typically where an initial vetting of the system occurs and some level of reconnaissance is done. This will include things like the operating systems being used, the type and version of web browser, and type and versions of applicable plugins, most notably Adobe Flash,” said the researchers in a blog post.

Once installed, the exploit kit first attempts to exploit the CVE-2018-15982 vulnerability in Adobe Flash Player. In a situation where the first vulnerability is absent or patched, the exploit kit looks out for Internet Explorer with use-after-free (CVE-2018-8174) vulnerability.

About the payloads

Talos researchers observed that the attackers were using Spelevo to deliver two banking trojans - IcedID and Dridex - during this campaign.

“These types of payloads are common to exploit kits since this is a purely financially motivated attack and banking trojans are an attractive avenue for monetization.” researchers noted.

Worth noting

Spelevo is a relatively new exploit kit discovered in March 2019. Since its discovery, the exploit kit has undergone some minor changes including modification of URL structure and some obfuscation changes.

The exploit kit appears to be leveraging domain shadowing technique to host its malicious activities.