- Spelevo is back in the spotlight again, supporting adult website malvertising campaigns.
- The current campaigns try to drop the Qbot and Ursnif payloads onto the victim’s machines.
- People are advised to be careful, use web protection tools, and never download executables.
As reported by Malwarebytes researchers, there is a new campaign built on the “Spelevo” exploit kit which relies on the popularity of adult websites to spread malware. More specifically, Spelevo enables malicious actors to set up malvertising campaigns on second-tier pornography platforms, redirecting visitors to phishing pages and malware-dropping domains. The current campaigns are using the Ursnif and Qbot payloads. Ursnif is a powerful banking Trojan that can steal the login credentials that victims enter on the compromised device.
Source: Malwarebytes Blog
The actors are using decoy websites that look like their legitimate counterparts, drawing in millions of visitors. The redirection through Spelevo relies on known exploits for the browser and the installed Flash Player version. Porn is one of the most sought-after categories online, so even tier-2 websites are popular enough to generate high levels of traffic. Of course, the payload still needs to be dropped, so visitors are urged to approve the download of an executable. In this case, it carries the name “lookatmyplayer_codec.exe” and is presented as a codec needed to play the video.
Source: Malwarebytes Blog
All that said, there are a number of preventive measures you can take to stay safe when consuming content online. First, the decoy adult site is “lookatmyvideo[.]com”, so if you are a fan of this platform you should be very careful. Secondly, you should not approve the download of executable files from these sources, as there is no good reason for a website to require you to install a video player or codec. Finally, always use an up-to-date web protection and AV solution from a reputable vendor, which would identify the redirection and warn you about the potential risk of downloading the malware file.
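The redirection-plus-fake-codec pattern above is also something a defender can look for in proxy or web-gateway logs. The script below is an added example and is not part of the Malwarebytes write-up or any vendor tool: it assumes a hypothetical tab-separated proxy log format (timestamp, client IP, method, URL, referer, status, content type), takes the two indicators the article quotes (the defanged decoy domain and the payload filename), and adds a generic heuristic for executables named like a “codec”, “player” or “update” so that it also catches renamed variants. The sample log lines are constructed for the demonstration.

```python
"""Flag executable downloads that match the Spelevo decoy-site lure in proxy logs.

Added example (not from the Malwarebytes article). The log format and the
sample lines are hypothetical; the two indicators come from the write-up.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Indicators quoted in the write-up, kept in the defanged form it used.
DECOY_DOMAINS_DEFANGED = ["lookatmyvideo[.]com"]
KNOWN_PAYLOAD_NAMES = {"lookatmyplayer_codec.exe"}

# Generic heuristic for the social-engineering step: a video site handing the
# visitor an executable "codec", "player" or "update" is the lure pattern the
# article describes. This regex is an assumption, not an indicator from it.
CODEC_LURE_RE = re.compile(r"(codec|player|update)[^/]*\.exe$", re.IGNORECASE)
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp://", "http://")


DECOY_DOMAINS = {refang(d).lower() for d in DECOY_DOMAINS_DEFANGED}


@dataclass
class Alert:
    client_ip: str
    url: str
    reasons: List[str] = field(default_factory=list)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def filename_of(url: str) -> str:
    return urlparse(url).path.rsplit("/", 1)[-1]


def parse_line(line: str) -> dict:
    """Hypothetical proxy log: ts, client, method, url, referer, status, content-type (tab-separated)."""
    ts, client, method, url, referer, status, ctype = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": "" if referer == "-" else referer, "status": status, "ctype": ctype}


def inspect(rec: dict) -> Optional[Alert]:
    """Return an Alert with the reasons that fired, or None for an unremarkable request."""
    fname = filename_of(rec["url"])
    is_exe = fname.lower().endswith(".exe") or rec["ctype"] in EXECUTABLE_TYPES
    reasons: List[str] = []
    if fname.lower() in KNOWN_PAYLOAD_NAMES:
        reasons.append("known Spelevo payload filename")
    elif is_exe and CODEC_LURE_RE.search(fname):
        reasons.append("fake codec/player installer lure")
    # Any executable fetched from, or referred by, the decoy site is worth a look
    # even if the filename was changed.
    if is_exe and (host_of(rec["url"]) in DECOY_DOMAINS or host_of(rec["referer"]) in DECOY_DOMAINS):
        reasons.append("executable fetched via decoy adult site")
    return Alert(rec["client"], rec["url"], reasons) if reasons else None


def scan(lines: List[str]) -> List[Alert]:
    """Run inspect() over every log line and keep only the hits."""
    return [a for a in (inspect(parse_line(l)) for l in lines) if a is not None]


# Constructed sample log. Hosts under .invalid are placeholders; the decoy
# domain is refanged from the article's defanged form at runtime.
SAMPLE_LOG = [
    "\t".join(["2020-01-01T10:00:00Z", "10.0.0.5", "GET",
               "https://example.org/index.html", "-", "200", "text/html"]),
    "\t".join(["2020-01-01T10:01:12Z", "10.0.0.5", "GET",
               "http://download.invalid/lookatmyplayer_codec.exe",
               refang("hxxp://lookatmyvideo[.]com/watch/123"), "200", "application/x-msdownload"]),
    "\t".join(["2020-01-01T10:02:30Z", "10.0.0.9", "GET",
               "http://cdn.invalid/files/vlc_update.exe",
               "https://somevideo.invalid/", "200", "application/x-msdownload"]),
    "\t".join(["2020-01-01T10:03:00Z", "10.0.0.7", "GET",
               "https://vendor.invalid/setup.exe", "-", "200", "application/x-msdownload"]),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.client_ip} {alert.url} -> {', '.join(alert.reasons)}")
```

Of the four constructed requests, only the second and third are flagged: the known payload name fetched after a visit to the decoy domain, and a renamed “update” executable caught by the lure heuristic alone. A plain vendor installer with no decoy referer and no lure keyword is not reported, which is the trade-off to keep in mind when tuning the regex for a real environment.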
Kits like Spelevo remain popular among malvertising actors because they automate the process of exploitation and redirection. Spelevo has been around for quite a while already, and it keeps adding exploits for new CVEs in order to remain useful. The recent combination with adult websites is not just about the large volumes of traffic involved, but also about bringing a certain level of eagerness into the mix. People who are entering a state of sexual arousal become less attentive to the signs of danger and more willing to download payloads.