2019 has been a busy year for exploit kits, despite the fact that they haven't been considered a potent threat vector for years, especially on the consumer side. This time, we discovered the Spelevo exploit kit with its virtual pants down, attempting to capitalize on the popularity of adult websites to compromise more devices.

The current Chromium-dominated browser market share favors social engineering attacks and other threats that do not require the use of exploits in order to infect users. However, we continue to see malvertising campaigns pushing drive-by downloads in our telemetry. The malicious adverts are placed on tier 2 adult websites that still drive a lot of traffic.

Recently, we captured an unusual change with the Spelevo exploit kit where, after an attempt to trigger vulnerabilities in Internet Explorer and Flash Player, users were immediately redirected to a decoy adult site.

Figure 1: Exploit kit used in tandem with social engineering

Spelevo EK instructs the browser to load this site, which social engineers victims into installing a video codec in order to play a movie. This appears to be an effort from the Spelevo EK operator to double his chances of compromising new machines.

Spelevo EK changes its redirection URL

Based on our telemetry, there are a few campaigns run by threat actors converting traffic to adult sites into malware loads. In one campaign, we saw a malvertising attack on a site that draws close to 50 million visitors a month.

Figure 2: Traffic view from EK to soc. engineering site

We collected two main payloads coming directly from Spelevo EK:

  • Ursnif/Gozi
  • Qbot/Qakbot

One thing that Spelevo EK did which was a little bit different from other exploit kits is redirect victims to google.com post exploitation, typically after a 10-second delay:

Figure 3: Google redirect with 10 second delay

However, in this latest capture, we noticed that the script had been edited and that the time was increased to 60 seconds:

Figure 4: Google redirect with 60 second delay

This change is important because it allows enough time for the exploit kit to run all the way and call the last URL part of the EK framework. Here, we noticed something new as well.

Previously, the URL immediately following the payload had the following ending pattern: &00000111&11. Now, the new pattern is 32 characters followed by the letter 'n'.

Figure 5: Redirection from EK to decoy adult site

Before the refresh tag comes into effect, the browser is redirected to a new location, which happens to be a decoy adult site.

Social engineering as backup

There is nothing special about this fake adult site, but it works really well in the context of the malvertising chain. Victims were already engaged with the content and may not even realize that an exploitation attempt just happened.

Figure 6: Fake adult site tricking users with fake video codec

This time around, the site urges users to download a file called lookatmyplayer_codec.exe. Downloading video codecs to view media used to be fairly common back in the day, but isn't really the case anymore. Yet, this kind of trick still works quite well and is an alternative method to compromise users.

The fake codec turns out to be Qbot/Qakbot, which is also one of the payloads distributed by Spelevo EK. In other words, the threat actor has two chances to infect victims: either via the exploit kit or fake codec.

This is not the first time that exploit kit operators have included social engineering schemes. In 2017, Magnitude EK was seen pushing a fake Windows Defender notification, while Disdain EK was tricking users with a fake Flash Player update.

Malwarebytes users are protected against both the exploit kit and payloads.

Indicators of compromise (IOCs)





Decoy adult site