Over a hundred forum websites have been compromised and injected with code that redirects users to sites hosting the Fiesta exploit kit, Cyphort researchers have found.
These are not highly popular forums, but gather a respectable number of users who like to discuss DIY projects, animals, wrestling, scuba diving, news regarding PS3, and so on. They are powered by either vBulletin or by IP Board online forum software, new vulnerabilities for which are often found and publicly disclosed.
The researchers have found 122 compromised forums in total.
After their visitors are redirected to a site hosting the exploit kit, it tries to exploit a two-year-old IE vulnerability (CVE-2013-2551) and a new Flash one (CVE-2015-0313).
If it succeeds, the users get saddled with several pieces of malware: a dropper whose goal is to download additional malware, the Gamarue information-stealing Trojan, the FleerCivet clickjacking Trojan, and the Ruperk backdoor.
The dropper, the clickjacking Trojan and the backdoor won’t execute in a virtual environment. The dropper checks for strings indicating that VirtualBox, Qemu, or VMware virtualization software is present on the machine.
Besides stealing information, Gamarue is also in charge of disabling some Windows security settings. FleerCivet’s main purpose is to open several hidden IE instance that access websites and simulate legitimate clicks on ads.
The Ruperk backdoor sends system information to its C&C server, and can receive instructions to update itself, delete itself, and download additional files.
“We believe that this malware pack is designed for click fraud campaign and for distribution using watering hole attacks. The armoring against all the virtualization environments is done to avoid detection by anti-click-fraud systems,” Cyphort’s Paul Kimayong explained.
“This malware campaign has targeted over a hundred forums which seem to be serving mostly individual home users,” he noted, adding that this type of clicks make the scam less noticeable.