The Fiesta exploit kit has apparently learned a new trick, and is dropping two pieces of malware on unsuspecting victims’ machines.
“A few days ago, we began noticing a strange new pattern with the Fiesta exploit kit. We were getting a double payload where before only one was delivered,” explained Malwarebytes researcher Jerome Segura, in a blog. “So we decided to check our archives and figure out exactly what happened during the last few days.”
Previously, the kit used various exploits followed by a single malware drop whose parent process was Java. In the past two days, however, two payloads have been dropped by the Java process. Essentially, Fiesta EK is delivering a double payload from a single URL call: once downloaded, the payload is extracted and spawns two executables, Spyware.Zbot.ED and Trojan.Agent.ED.
“This trick is not exactly new,” Segura said. “We documented the Redkit exploit kit back in April 2013 doing a similar thing.”
In that instance, Redkit was found to be packaging Urausy, a particular type of ransomware that asks for a $300 payment to unlock the computer, and a Karagny Trojan Downloader, which calls the “mother infrastructure” for instructions and can deliver a variety of payloads (banking trojan, spambot, and so on).
“Exploit kit authors must really love Java,” Segura said. “Not only is it ripe with vulnerabilities but its own language provides a great platform to write and deliver malware in different ways. We are used to seeing encrypted payloads (XOR, AES encryption), applets containing both the exploit itself and the binary payload. Today we will talk about yet another combination which we nicknamed the ‘split’.”
He added that the approach is likely being driven by expediency.
“The malware author willingly chose to package the malicious jar with those two different payloads,” he said. “Of course this could have been done using separate exploit pages, but why bother when you could do it all in one go. This approach also shows new possibilities to package malware in a way that could evade detection and bypass traffic signatures.”