Fiesta exploit kits wakes from siesta

Reports of hacker toolkit's death proven greatly exaggerated

Fiesta CC.20 attribution by

Brad Duncan says attackers are again slinging the Fiesta, this time using a complicated series of loops that researchers will find difficult to trace.

The Rackspace malware boffin says the kit, once one of the more popular on underground markets, is hitting victims through gates that push traffic from hacked sites to the malicious domain.

Duncan called the group the 'BizCN gate actor' because single IP gate domains are registered through Chinese registrar bizcn.

"Researchers may have a hard time generating infection traffic from compromised websites associated with this actor," Duncan says in a SANS post.

"Most often, HTTP GET requests to the gate domain return a 404 Not Found. In some cases, the gate domain might not appear in traffic at all. Other times, the HTTP GET request for the Fiesta EK landing page doesn't return anything.

"It's tough to get a full infection chain when you're trying to do it on purpose."

Duncan says the attacker would normally rarely change the IP addresses for the gate domains, each of which is matched to a unique compromised website but will be likely forced to since he published a list of some of the 100 domains he found so far.

But Duncan suggest that the attacker could be caught if they did not now change their tactics, techniques, and procedures.

The malware used in the attacks affected Windows boxes maintaining persistence in the AppData folder/local directory.

Fiesta was chalked up as dead last December by independent malware analysts.

It enjoyed some popularity with the decline of the infamous Black Hole exploit kit which fell to ruin after its source code was leaked and founder Dmitry Fedotov arrested. ®

Sponsored: From CDO to CEO


Biting the hand that feeds IT © 1998–2019