Exploit kits (EKs) are a very popular way for attackers to compromise a target system. Their ease of use and their success rate compared to other infection vectors are among the reasons attackers are drawn to these kits.
In recent years, exploit kits have been used to deliver ransomware; the most famous example was the BlackHole EK and CryptoLocker tandem in 2013. Given the success of that tandem, attackers are looking at other exploit kits to deliver their prized, money-making ransomware, or any malware that serves their attack directive. Fiesta Exploit Kit is one such kit, and it gained popularity after the decline of the BlackHole EK, whose source code was leaked and whose founder was arrested.
Let's look at how the Fiesta Exploit Kit works, beginning with the attack flow (Figure 1).
Figure 1: Fiesta EK Attack Flow
The attack works by compromising a website, chosen based on how (in)secure it is. Some attackers simply scan for a vulnerable website to use as their main attack launch point.
Once the website is compromised, visitors are redirected to the Fiesta EK landing page via an IP address gate controlled by the threat actors. From here, different exploits are downloaded based on the target machine's characteristics. If successful, malware is downloaded, thus compromising the target system.
Let's look at an actual Fiesta Exploit Kit attack.
Stage 0 - Compromising a website
The attack begins by compromising a website. Currently, there are nearly a billion websites, most of them with lax security baked in. This gives attackers a target-rich environment to compromise. For example, whenever a web application vulnerability is discovered, attackers immediately go to work creating an exploit that takes advantage of it. Once the exploits are created, the attackers scan the Internet for vulnerable websites.
Depending on the attack - targeted or opportunistic - attackers can choose which websites to compromise based on their visitors. If it is a targeted attack, they might choose only those vulnerable websites their targets are prone to visit. If it is an opportunistic attack, they may compromise all vulnerable websites they discover through scanning.
Regardless of the attack type, the purpose of the compromise is to redirect the visitor to a desired location controlled by the attackers. For Fiesta EK, the compromised website redirects to a Gate and, ultimately, to the Fiesta EK landing page.
Stage 1 - Users visit a compromised website
In this example, the compromised website is vi***ey.com. The attack begins when the unsuspecting user visits this compromised website. We can see from this packet capture (Figure 2) that the visitor is being redirected to a Gate with an IP address of 220.127.116.11, which resolves to varadank.org.
Figure 2: Packet Capture of Fiesta EK infection
Stage 2: Gate Redirection
Figure 3: HTTP Stream
Stage 3: The Fiesta EK Landing Page
Figure 4: Fiesta EK Landing page
This obfuscated code profiles the target system and downloads the exploits expected to subvert the target.
Stage 4: Download Exploits
In this particular case, the downloaded exploits were:
Each attack campaign using Fiesta EK as the deployment technology may also employ other exploits, depending on the attacker's ability to acquire them and on the target systems.
Stage 5: Download and Install Malware
After successful exploitation, malware is downloaded onto the target system as an encrypted data file. Once decrypted, the PE (portable executable) file is executed and the malware is installed on the system.
Take note that Fiesta EK is a deployment technology that can be used to drop any type of malware.
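As an added defensive example (not code from the post or from RSA FirstWatch), the redirect chain described in Stages 1 through 5 can be reconstructed from an HTTP request log by following Referer headers and flagging the hop from a named site to a bare-IP gate that then hands the visitor to a landing host serving further downloads. The log lines, hostnames and the documentation address 203.0.113.10 below are all constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed request log (not from the post's capture), one request per line:
# "<method> <host> <path> <referer-or-dash>". 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
GET compromised.example /index.html -
GET cdn.example /style.css http://compromised.example/index.html
GET 203.0.113.10 /gate.php http://compromised.example/index.html
GET landing.example /lp/start.php http://203.0.113.10/gate.php
GET landing.example /lp/exploit.jar http://landing.example/lp/start.php
GET landing.example /lp/payload.dat http://landing.example/lp/start.php
"""

def parse_log(text):
    """Parse log lines into (host, path, referer_host) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _method, host, path, referer = parts
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        records.append((host, path, ref_host))
    return records

def is_bare_ip(host):
    """True when the Host is an IP literal rather than a name (the gate hop in Stage 1)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_gate_chains(records):
    """Find the pattern named site -> bare-IP gate -> named landing host that then
    serves further files (exploits, payload) referred by itself. Returns a list of dicts."""
    findings = []
    for host, _path, ref in records:
        if not (is_bare_ip(host) and ref and not is_bare_ip(ref)):
            continue  # only hops where a named site sends the visitor to an IP literal
        landing_hosts = [h for h, _p, r in records if r == host and not is_bare_ip(h)]
        for lp in dict.fromkeys(landing_hosts):  # de-duplicate, keep order
            downloads = [p for h, p, r in records if h == lp and r == lp]
            findings.append({"compromised": ref, "gate": host,
                             "landing": lp, "downloads": downloads})
    return findings
```

Run against real proxy or capture-derived logs, a hit of this shape is worth triaging: the bare-IP gate hop and the follow-up downloads from the landing host are the stages the post walks through.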
Stay tuned as we look into the different malware being delivered by Fiesta EK in upcoming blogs.
Author: Christopher Elisan
Category: Research and Innovation, Blog Post
Keywords: Compromised Websites, Downloads, Exploit Kit, Fiesta, Fiesta Exploit Kit, Malware, Packet Capture, RSA FirstWatch