Sometimes we see things in the malware world that make it seem that the universe has a sense of humor, even if the malware actors do not. A recent example of this serendipity occurred when we detected an email with a link to a web site featuring a recipe for a delicious “Tex-Mex Frito salad.” Sandboxing of the URL revealed that it linked to an infected web page which redirected to a link serving… the Fiesta exploit kit.
While almost certainly a coincidence, it does make one wonder where such coincidences could lead a phishing campaigner with a sense of humor. Maybe infect a Fiesta™ dinnerware enthusiast page?
On a more serious note, Fiesta (aka Neosploit) is a great example of the exploit kits that represent a vital part of the modern malware distribution infrastructure. An exploit kit combines different exploits targeting a range of vulnerabilities, all distributed from a server that profiles the victim’s system (operating system, browser and its version, and installed plug-ins) looking for vulnerable versions. If a vulnerable component is found, the exploit kit serves the matching exploit and then downloads a malicious payload onto the victim’s computer. Exploit kits are developed by malware authors and then licensed per server or rented as SaaS to phishing campaigners and others.
The flexibility of exploit kits makes “Fiesta” a fitting name, since Fiesta dinnerware revolutionized dinnerware by enabling customers to mix and match colors, shapes and sizes to suit their tastes and décor. The Fiesta exploit kit itself combines exploits that target vulnerabilities in Adobe Reader, Adobe Flash, Microsoft Internet Explorer and Silverlight, and Oracle Java; the list changes as exploits for new vulnerabilities are discovered. One of the three most common exploit kits we see, Fiesta seems to be one of the beneficiaries of the void left by the arrest of the Black Hole author last fall.
Interestingly, Fiesta currently uses the “no-ip” dynamic DNS service as a means of generating fresh, unique hostnames to evade detection. No-ip was recently the target of a Microsoft takedown, which generated such an outcry that Microsoft halted the takedown, and in the aftermath Fiesta returned to using no-ip.
Combined with effective delivery techniques such as web compromises or longline phishing campaigns, Fiesta and other exploit kits represent a potent threat to organizations, consumers and their sensitive data, and that’s no joke.
About Proofpoint
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.