Security researchers have spotted the Spelevo exploit kit infecting victims with Maze Ransomware payloads in a new malicious campaign that exploits a Flash Player vulnerability. Maze Ransomware, a variant of Chacha Ransomware, was first identified by Malwarebytes security researcher Jérôme Segura in May.
At that time the ransomware was being distributed through the Fallout exploit kit via a fake site disguised as a legitimate cryptocurrency exchange app. Segura told BleepingComputer that the attackers set up a fake Abra cryptocurrency site, bought ad network traffic through it, and used that traffic to redirect visitors to the exploit kit landing page when certain conditions were met.
Easily the most disturbing part of this story is that malicious individuals and organizations are setting up fake "front organizations" to purchase legitimate ad placements and point them at their own infrastructure. Nobody in the chain, apart from the people who built the final landing site, knows that a legitimate ad buy is being used to steer people into harm's way. It is as if someone hired uniformed law enforcement to direct traffic to a pyramid marketing scam being held at the trusted city convention center. These attacks are difficult to detect, although organizations and services that specialize in tracking rogue sites and ad buys exist, so it can be done.
One of the strongest risk signals is a newly registered domain, with the registrant hidden behind a privacy service, hosting a website that did not exist until very recently. Legitimate sites and organizations can match the same description, but when everything is brand-new at once (say within the last 24 hours), including a previously unknown advertiser placing a first-time ad buy with a network it has never done business with before, people should be skeptical.
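To make that heuristic concrete, here is an added example of a triage check over an ad-buy record, written for this page rather than taken from the article or from any ad network's tooling. It assumes the record fields shown (WHOIS creation date, a redacted-registrant flag, a first-seen timestamp for the site, advertiser account age and campaign history), a constructed brand list keyed on the Abra lure the article mentions, and a 24-hour "everything is new" window; the sample records are constructed, not real domains or advertisers. A single new attribute is normal for a startup, so only the convergence of several new signals, or an outright brand lookalike, is held for review.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed for this example: brands a cryptocurrency-exchange lure might
# impersonate, mapped to the domains those brands genuinely use.
KNOWN_BRAND_DOMAINS = {"abra": {"abra.com"}}


@dataclass
class AdBuy:
    """Hypothetical record an ad network could assemble before approving a buy."""
    landing_domain: str
    domain_created: datetime            # WHOIS creation date
    registrant_redacted: bool           # privacy proxy / "REDACTED FOR PRIVACY"
    site_first_seen: Optional[datetime]  # first crawl or passive-DNS sighting, None if never
    advertiser_account_created: datetime
    advertiser_prior_campaigns: int


def brand_lookalike(domain: str) -> Optional[str]:
    """Return the brand a domain appears to impersonate, or None.

    Flags any second-level label containing a brand name that is not one of
    the brand's real domains (substring match, so expect some false positives)."""
    labels = domain.lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for brand, real_domains in KNOWN_BRAND_DOMAINS.items():
        if brand in sld and domain.lower() not in real_domains:
            return brand
    return None


def newness_flags(buy: AdBuy, now: datetime,
                  window: timedelta = timedelta(hours=24)) -> List[str]:
    """Collect every 'brand-new' or anonymous attribute of the ad buy."""
    flags = []
    if now - buy.domain_created <= window:
        flags.append("domain registered within window")
    if buy.site_first_seen is None or now - buy.site_first_seen <= window:
        flags.append("site not seen before window")
    if buy.registrant_redacted:
        flags.append("registrant anonymous")
    if now - buy.advertiser_account_created <= window:
        flags.append("advertiser account created within window")
    if buy.advertiser_prior_campaigns == 0:
        flags.append("first-time ad buy")
    brand = brand_lookalike(buy.landing_domain)
    if brand:
        flags.append(f"lookalike of {brand}")
    return flags


def triage(buy: AdBuy, now: datetime) -> str:
    """Everything new at once (or a brand lookalike) is held; a couple of new
    attributes is plausible for a legitimate newcomer and only gets monitored."""
    flags = newness_flags(buy, now)
    if len(flags) >= 4 or any(f.startswith("lookalike") for f in flags):
        return "hold for manual review"
    if len(flags) >= 2:
        return "monitor"
    return "ok"


# Constructed sample records for the three cases discussed above.
NOW = datetime(2019, 10, 30, tzinfo=timezone.utc)
SUSPICIOUS = AdBuy("abra-exchange-app.example", NOW - timedelta(hours=6), True,
                   None, NOW - timedelta(hours=10), 0)
NEW_BUT_PLAUSIBLE = AdBuy("newcoinwallet.example", NOW - timedelta(days=3), True,
                          NOW - timedelta(days=2), NOW - timedelta(days=2), 0)
ESTABLISHED = AdBuy("abra.com", NOW - timedelta(days=2000), False,
                    NOW - timedelta(days=1900), NOW - timedelta(days=400), 12)

if __name__ == "__main__":
    for record in (SUSPICIOUS, NEW_BUT_PLAUSIBLE, ESTABLISHED):
        print(record.landing_domain, "->", triage(record, NOW),
              newness_flags(record, NOW))
```

The output is a tier plus the reasons, not a block decision: the article's own caveat is that legitimate new businesses match some of these signals, so the value of the check is in routing the fully-new, anonymous, first-time buyer to a human before the campaign goes live.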