Explore the latest news and trends  

Sign up for our weekly security newsletter

Be the first to receive important updates on security


Fileless Ransomware Distributed Through Malvertising Campaigns

Security researchers of security firm Invincea have been watching a malvertising scam in which threat actors exploited Flash Player exploits and fileless infection to distribute ransomware.

The campaign nicknamed "Fessleak" based on the email id which was employed to register the domains involved in the operation seems to have been done by Russian cybercriminals.

In the first stage of the attack, the scammers register a purported "burner" domain whose DNS will live upto 8 hours only. The domain is then directed to a hardened landing page which is malicious and ready to distribute ransomware and cyber thugs employ real-time ad bidding to endorse the burner domain and bring the users to this landing page.

Real-time bidding permits marketers to bid on the impression and if the bid is won, their advertisement is immediately displayed on the website of the publisher.

In Fessleak's case, the burner domain is deserted after eight hours and the process repeats. Invincea said that domains last only as long as it takes to revise the substitute blacklist and the complete process of attack can be scripted.

At first, the attackers used infections without file to deliver the malware.

They (referring to cybercriminals) managed to land their ads on hugely trafficked websites like DailyMotion, Huffington Post, CBS Sports, Plenty of Fish and dozens of others using a relatively few compromised domains.

Malvertising campaigns like Fessleak can be difficult to curtail.

Tomsguide.com published news on 6th February, 2015 quoting Invincea as "It is important to note that the sites from which the malvertising were delivered are more or less unaware that their sites were used for delivering malware and mostly not able to do anything about it."

Threatpost.com published news on 5th February, 2015 quoting Anup Ghosh, CEO and founder of Invincea as saying "one Windows patch has recently put an end to the file-less portion of the FessLeak campaign".

Ghosh added: Currently, Fessleak dumps a temp file through Flash and then calls icacls.exe, that is the file that sets consents on folders and files and presently there is no recognition for the maligned binary which perhaps rotates its hash value to evade AV detection.

ยป SPAMfighter News - 2/17/2015

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page