Visitors to torrent website SubTorrents[dot]com are being redirected to a “different looking” Fiesta Exploit Kit and served malware, Jerome Segura, senior security researcher with Malwarebytes, wrote in a Monday blog post.
The reason for the malicious redirects is that the SubTorrents website has been compromised and is serving a hidden iFrame, Segura wrote. Simply navigating to any page on the website will trigger the malicious code embedded directly on the site itself, he told SCMagazine.com in a Tuesday email correspondence.
Segura could only speculate how the website was compromised.
“It may be that attackers leveraged a vulnerability in the site itself or credentials [were] stolen from one of the administrators,” Segura said, explaining that he believes the website is still compromised and has been for about a week. He added that the website administrators have been notified, but Malwarebytes has not heard back.
Upon triggering the malicious code, visitors are ultimately redirected to the Fiesta Exploit Kit, which Segura noted has a new format. He said that most exploit kits can be recognized by patterns in their URLs – which are strings used as parameters to allow for the proper exploitation process – and that Fiesta Exploit Kit has very distinctive URLs that stand out when compared to other exploit kits.
“Traditionally, Fiesta was using semicolons with numbers at the end of each of its URLs,” Segura said. “It then introduced new special characters, but also got rid of the semicolons and used commas instead. That change will throw off some security scanners that rely on URL patterns and could also be an issue due to the nature of the comma, the most popular character separator (i.e. CSV [comma-separated values]).”
Fiesta Exploit Kit will use vulnerabilities in Silverlight, Java, Internet Explorer and Flash to serve visitors Kovter, which is being used for advertising fraud, Segura said, noting that the malware is aware of virtual machines and will only install on genuine computers.