Fiesta

Short bio

Fiesta is an exploit kit whose landing page fingerprints the visitor's browser and the versions of the plugins installed in it, and uses that profile to decide which of its exploits can be served successfully. The selection is not limited to a single exploit: a visitor who lands on a Fiesta page with several vulnerable products installed receives an exploit for each of them.

History

Fiesta was first identified under that name in 2013 and is generally regarded as an evolution of NeoSploit. It took over a sizable share of the market left open by the arrest of the author of the Blackhole Exploit Kit in October 2013. Although some analysts declared it dead in December 2014, it made a strong comeback a few months later; in April 2015 it was reported to be receiving redirects from a large number of compromised forums.

Common infection method

No user action beyond loading a web page is needed to get infected by an exploit kit. Typically the kit is reached through a compromised site that silently redirects its visitors to the kit's landing page, where known vulnerabilities in the software on their computers are exploited. After profiling the visitor for vulnerable software, the kit serves the matching exploit and uses it to drop the malware payload.

Associated families

Fiesta EK has been known to push Kovter (ad fraud) and the Zemot Trojan, but also crypto-ransomware, Trojan.Dorkbot and Spyware.Zbot. Since an exploit kit is only a delivery mechanism, the payload can be anything.

Remediation

The exploit kit, or the redirection to it, has to be removed from the compromised site, and the vulnerability that let the site be compromised in the first place has to be patched and the site secured so it cannot be compromised again.

Aftermath

What it takes to clean up a computer hit by an exploit kit depends on the malware the kit dropped, which can range from ad-clickers to ransomware. In some cases it may be necessary to wipe and reinstall the computer and change every password that was used on it.

Avoidance

Site owners should keep their website software (CMS core, plugins and themes) updated, and visitors should run the latest versions of their browser and its plugins, and disable or remove plugins they do not need. Keeping the operating system updated helps as well. Patching only limits the risk, since an up-to-date system is still exposed to zero-day exploits; anti-exploit software that blocks exploitation techniques rather than individual exploits protects against zero-days and stops known exploits too.

Screenshots