Covid-19 Related Malvertising Targets Outdated Versions of Internet Explorer

Cybercriminals are taking advantage of the COVID-19 crisis to profit from the unfortunate situation. The Avast Threat Intelligence Team has recently discovered cybercriminals adjusting malvertising campaigns to adapt their malicious ads, making them relevant to the COVID-19 crisis. The bad actors purchase ad space from an ad network to display malvertising – malicious advertisements – on a particular website.

They are now using website names which appear to host genuine information related to the coronavirus, and therefore give ad network operators the impression they are non-malicious. This particular malvertising campaign hosts an exploit kit called Fallout, which attempts to exploit vulnerabilities in older versions of Internet Explorer, doing so without user action or awareness that anything is happening. The exploit installs Kpot v2.0, an information/password stealer.

The Fallout exploit kit has been around since 2018. In Australia so far, it has targeted 2780 customers monitored by Avast , and 6222 attacks have been blocked. On March 26, 2020, the bad actors behind the campaign registered the domain covid19onlineinfo[.]com, and have since rotated the domains the exploit kit is hosted on, registering about six domains a day in an attempt to evade antivirus detections.

Malvertising is typically hosted on streaming sites and usually automatically opens in a new tab when the user clicks on the play button to view a video. When a user with the Fallout EK visits a site hosting the malvertising and meets the criteria of using an outdated version of Internet Explorer, the exploit kit attempts to gain access to the user’s computer. It tries to exploit a vulnerability in Adobe Flash Player (CVE-2018-15982, fix released January 2019), which can lead to arbitrary code execution, and a remote execution vulnerability in the VBScript engine affecting multiple Windows versions (CVE-2018-8174, fix released May 2018). This can cause Internet Explorer to crash, which is the only red flag the user may notice.

The exploit kit previously infected computers with various password/information stealers and banking trojans. Now, the password/information stealer Kpot v2.0 is being distributed. It attempts to steal basic information, such as computer name, the Windows username, IP address, installed software on the device, machine GUID, and more, sending this information to a command and control server.

Then the malware proceeds to steal passwords and other files. According to fellow researchers at Proofpoint who analyzed the Kpot malware, the following commands can be sent by the command and control server to the malware:

  • Steal cookies, passwords, and autofill data from Chrome
  • Steal cookies, passwords, and autofill data from Firefox
  • Steal cookies from Internet Explorer
  • Steal various cryptocurrency files
  • Steal Skype accounts
  • Steal Telegram accounts
  • Steal Discord accounts
  • Steal accounts
  • Steal Internet Explorer passwords
  • Steal Steam accounts
  • Take a screenshot
  • Steal various FTP client accounts
  • Steal various Windows credentials
  • Steal various Jabber client accounts
  • Remove self

As of April 14, 2020, Avast claims to have prevented 178,814 attack attempts targeting 96,278 users globally.