Delaware, USA – July 1, 2019 – Appeared a few months ago Spelevo exploit kit was seen spreading banking Trojans via a compromised business-to-business contact website. The first mention of this exploit kit appeared in early March, and since then its creators have slightly tuned URL structure and obfuscation to cause less suspicion. Researchers from Cisco Talos analyzed the compromised website, from which users were redirected to a malicious ‘gate’, and found a tiny malicious script on many pages, including the main homepage. To separate target users from security researchers, adversaries determine from which page the victim is redirected to the exploit kit landing page. The landing collects information about the victim’s operating system and browser, the Adobe Flash version and the installed plugins. If it finds an outdated version of Flash, a user is redirected to the exploit for CVE-2018-15982, if the user has an unpatched system with vulnerable VBScript engine, he will be redirected to an exploit for CVE-2018-8174. Both exploits have long been included in the arsenal of many EKs and, in this case, are used to deliver Dridex and IcedID banking trojans. Spelevo’s innovations include redirecting the user to a Google page after a successful compromise.
Despite the fact that EKs exploit patched vulnerabilities, they are in no hurry to leave the threat landscape. Trend Micro researchers found a return after refining of the Greenflash Sundown exploit kit, which infects users worldwide with Monero mining malware. Researchers began to register the increase in the number of infections in mid-June; the main exploit used by Greenflash Sundown is also CVE-2018-15982. In the past, this exploit kit was used to distributed ransomware.
You can detect typical Dridex process patterns with free Sigma rule developed by Florian Roth available in Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/2069/