At least four ongoing malvertising campaigns have been redirecting users to exploit kit (EK) landing sites that install password-stealing trojans, ransomware and clipboard hijackers. The Grandsoft EK is redirecting users to compromised websites that push the Ramnit banking trojan. Ramnit is a password-stealing trojan that attempts to steal victims' saved login credentials, online banking credentials, FTP accounts and browser history. Meanwhile, the RIG EK is leveraging a PopCash malvertising campaign to install the Amadey trojan, which adds a victim's computer to a botnet, steals information from the computer, and downloads and executes other malware. RIG also installs clipboard hijackers, which monitor the Windows clipboard for cryptocurrency addresses and replace any that they find with addresses under the attackers' control. This is used to steal the payments that users think they are sending to legitimate wallet addresses. Similarly, the Fallout EK is also distributing a clipboard hijacker and targets users vulnerable to CVE-2018-8174 (Microsoft Internet Explorer VBScript Engine) and CVE-2018-15982 (Flash Player). Finally, the Radio EK is spreading the Nemty ransomware using spoofed websites designed to look like those of major brands such as PayPal. Radio EK targets CVE-2016-0189, a vulnerability in JScript and VBScript for Internet Explorer that Microsoft patched in 2016. Users are advised to keep their operating systems, browsers and software updated to avoid falling victim to the ongoing EK campaigns.
References: Exploit Kits Target Windows Users with Ransomware and Trojans