Threat Research

Malvertising Campaign Taking Advantage of COVID-19 Targeting Internet Explorer Users to Steal their Information

Threat Intelligence Team, 16 April 2020

Fallout Exploit Kit used to distribute Kpot v2.0 to people using outdated versions of Internet Explorer

Cybercriminals are taking advantage of the COVID-19 crisis to profit from the unfortunate situation. We have recently discovered cybercriminals adjusting their malvertising campaigns to adapt their malicious ads, making them relevant to the COVID-19 crisis. The bad actors purchase ad space from an ad network to display malvertising, malicious advertisements, on websites. They are now using website names appearing to host information related to the coronavirus, and therefore giving ad network operators the impression they are non-malicious. This particular malvertising campaign hosts an exploit kit called Fallout, which attempts to exploit vulnerabilities in older versions of Internet Explorer, doing so without user action or awareness that anything is happening, in order to install Kpot v2.0, an information/password stealer. 

The Fallout exploit kit has been around since 2018 and has, for the most part, targeted Japanese and South Korean users. On March 26, 2020, the bad actors behind the campaign registered the domain covid19onlineinfo[.]com, and have since rotated the domains the exploit kit is hosted on, registering about six domains a day in an attempt to evade antivirus detections. 

Malvertising is typically hosted on streaming sites and usually automatically opens in a new tab when the user clicks on the play button to view a video. When a user with the Fallout EK visits a site hosting the malvertising and meets the criteria of using an outdated version of Internet Explorer, the exploit kit attempts to gain access to the user’s computer. It tries to exploit a vulnerability in Adobe Flash Player (CVE-2018-15982, fix released January 2019), which can lead to arbitrary code execution, and a remote execution vulnerability in the VBScript engine affecting multiple Windows versions (CVE-2018-8174, fix released May 2018). This can cause Internet Explorer to crash, which is the only red flag the user may notice.

The exploit kit previously infected computers with various password/information stealers and banking trojans. Now, the password/information stealer Kpot v2.0 is being distributed. It attempts to steal basic information, such as computer name, the Windows username, IP address, installed software on the device, machine GUID, and more, sending this information to a command and control server. 

Then the malware proceeds to steal passwords and other files. According to fellow researchers at Proofpoint who analyzed the Kpot malware, the following commands can be sent by the command and control server to the malware:

  • Steal cookies, passwords, and autofill data from Chrome
  • Steal cookies, passwords, and autofill data from Firefox
  • Steal cookies from Internet Explorer
  • Steal various cryptocurrency files
  • Steal Skype accounts
  • Steal Telegram accounts
  • Steal Discord accounts
  • Steal Battle.net accounts
  • Steal Internet Explorer passwords
  • Steal Steam accounts
  • Take a screenshot
  • Steal various FTP client accounts
  • Steal various Windows credentials
  • Steal various Jabber client accounts
  • Remove self

As of April 14, 2020, Avast prevented 178,814 attack attempts targeting 96,278 users globally. Below is a chart of the top countries targeted.

Country

Blocked attack attempts

Targeted numbers of users 

Canada

37,342

12,496

USA

30,001

13,930

Japan

17,306

8,438

Spain

15,484

9,609

Italy

10,494

6,648

Australia

6,222

2,780

Brazil

5,833

4,051

France

5,813

4,183

Turkey

3,900

2,568

Germany

3,331

2,452

How to protect yourself:

  • Users should have an antivirus software installed, which will act as a safety net, detecting and preventing malicious attacks like this one.
  • Always keep software, browsers, and operating systems up-to-date. Updates are important as they not only deliver new features, but can include security patches to fix vulnerabilities that could be abused.  
  • Disable Flash, unless you know you need it. Flash isn’t used much anymore by many websites, but cybercriminals continue to abuse Flash vulnerabilities 
  • Enable Avast’s new Password Protection feature, which can be found in the privacy section of Avast Premium. Avast Password Protection alerts you if a program is attempting to access passwords saved in either Chrome or Firefox.