
Inside the Exploit Kit Campaign
The exploit kit campaign begins when a user visits a legitimate website that periodically serves a malicious ad. When the ad loads, it automatically redirects the user to one of 11 compromised websites. These domains, all under the ".news" top-level domain (TLD) and all with low detection rates on VirusTotal, are victims of pseudo-Darkleech. Pseudo-Darkleech is a malware campaign that injects malicious code into core WordPress files so that visitors are redirected to a landing page for an exploit kit or a malware downloader, which in turn installs further malicious software, such as Cerber ransomware or CrypMIC ransomware, on the victim's computer.

In this campaign, pseudo-Darkleech redirects users to a landing page for RIG-E, the Empire Pack version of RIG that helped distribute CryptoLuck ransomware in November 2016. RIG-E then probes the computer for a total of eight vulnerabilities affecting Adobe Flash Player, Microsoft Silverlight, Internet Explorer, and Edge. All but one of those security flaws carry a CVSS score of 7.5 or higher.
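The redirect chain just described (legitimate site, ad network, pseudo-Darkleech host under .news, exploit kit landing page, Flash or Silverlight payload) leaves a referer trail in web proxy logs that can be hunted for. The following is an added example written for this page, not code from the article or from any vendor. The log line format, the hostnames, the IP addresses and the 60-second correlation window are constructed assumptions; the MIME types are the standard ones for Flash (.swf) and Silverlight (.xap) content.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption (not from the article): proxy log lines of the constructed form
#   <epoch> <client_ip> <host> <referer_host or -> <status> <content_type>
SUSPECT_TLDS = {".news"}  # TLD shared by the 11 compromised sites in this campaign
EXPLOIT_MIME = {
    "application/x-shockwave-flash",  # Adobe Flash (.swf)
    "application/x-silverlight-app",  # Microsoft Silverlight (.xap)
}

# Constructed sample log: one client walks the full chain, a second client
# loads benign Flash from a CDN and must not be flagged. All hosts are made up.
SAMPLE_LOG = [
    "1000 10.0.0.5 www.publisher.test - 200 text/html",
    "1001 10.0.0.5 ads.adnetwork.test www.publisher.test 200 text/javascript",
    "1002 10.0.0.5 compromised-site.news ads.adnetwork.test 200 text/html",
    "1003 10.0.0.5 landing.ek.test compromised-site.news 200 text/html",
    "1004 10.0.0.5 landing.ek.test landing.ek.test 200 application/x-shockwave-flash",
    "1050 10.0.0.9 news.legit.test - 200 text/html",
    "1051 10.0.0.9 cdn.legit.test news.legit.test 200 application/x-shockwave-flash",
]


@dataclass
class Req:
    ts: int
    client: str
    host: str
    referer: str
    status: int
    ctype: str


def parse_line(line: str) -> Req:
    ts, client, host, referer, status, ctype = line.split()
    return Req(int(ts), client, host, referer, int(status), ctype)


def tld(host: str) -> str:
    """Return the trailing label of a hostname (".news" for "a.b.news")."""
    i = host.rfind(".")
    return host[i:].lower() if i >= 0 else ""


def _walk_back(start_ref: str, reqs: List[Req], target: str, max_hops: int = 5) -> bool:
    """Follow referer hops backwards from start_ref; True if `target` is reached.

    For each host on the path we use its first request whose referer is not
    itself, i.e. the request that brought the browser to that host.
    """
    seen = set()
    cur = start_ref
    for _ in range(max_hops):
        if cur == target:
            return True
        if cur == "-" or cur in seen:
            return False
        seen.add(cur)
        entry = [r for r in reqs if r.host == cur and r.referer != cur]
        if not entry:
            return False
        cur = entry[0].referer
    return False


def find_chains(lines: List[str], window: int = 60) -> List[Tuple[str, str, str, str]]:
    """Return (client, referring_host, news_host, payload_host) for each chain found."""
    by_client: Dict[str, List[Req]] = {}
    for line in lines:
        r = parse_line(line)
        by_client.setdefault(r.client, []).append(r)

    hits = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        for i, hop in enumerate(reqs):
            # hop = first contact with a .news domain, referred from somewhere else
            if tld(hop.host) not in SUSPECT_TLDS or hop.referer == "-" \
                    or tld(hop.referer) in SUSPECT_TLDS:
                continue
            for later in reqs[i + 1:]:
                if later.ts - hop.ts > window:
                    break
                # Flash/Silverlight content whose referer chain leads back to the hop
                if later.ctype in EXPLOIT_MIME and _walk_back(later.referer, reqs[i:], hop.host):
                    hits.append((client, hop.referer, hop.host, later.host))
                    break
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print("suspected exploit-kit chain:", hit)
```

The benign client is not flagged because its Flash download has no .news hop in its referer chain, which is the point of walking referers rather than alerting on Flash or Silverlight content alone. Keying on a TLD is campaign-specific and ages quickly, so treat a hit as a pivot for investigation (pull the landing page, check the client for the listed Flash, Silverlight, IE and Edge patches) rather than as a verdict.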

"In a web-browsing scenario, an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

That vulnerability is bad enough on its own, but if RIG-E detects it on a user's machine, it exploits it and downloads Cerber, the "ransomware that speaks," which has gone through at least five versions since researchers first discovered it in the spring of 2016. As of this writing, Cerber's author takes in nearly one million dollars a year from the ransomware's affiliate scheme alone; that figure excludes any attack campaigns the author runs directly.