FessLeak Malvertising Campaign
A new malware distribution method has been uncovered by security specialists. It is called FessLeak, and the name refers to a malvertising campaign that is used to infect systems worldwide with ransomware. Although FessLeak itself is not an infection, the scheme is significant enough to deserve an article of its own. What is more, with cyber criminals making use of such schemes, users clearly have to be careful even on the most popular and frequently visited websites.
Malvertising refers to malicious advertising, a technique employed to achieve the goals of cyber criminals. The FessLeak malvertising campaign gets its name from the email address “email@example.com.” This email address is used to register multiple domains used by the attackers. Normally, when a malicious program enters the target computer, it drops some files on the system. FessLeak, however, allows the criminals to avoid that: they employ an 8-hour cycle to deliver a malicious payload through this system, and NO FILES are necessary.
FessLeak manages to avoid dropping actual files because it uses real-time ad bidding to win ad space for a newly registered domain. Real-time bidding is a system that allows advertisers to bid on an impression; when the bid is won, the advertiser's ad appears on the publisher's site immediately. In this way, malicious ads that are part of the FessLeak campaign have been observed on RT.com, fark.com, huffingtonpost.com, dailymotion.com, photobucket.com, howtogeek.com, and other popular websites.
Clicking a malicious ad does not take you straight to the main landing page. You are pushed into a redirection network, because the cyber criminals create temporary burner domains that, in turn, redirect you to the actual page hosting the payload. Real-time bidding is carried out for those burner domains. As mentioned above, the FessLeak system uses an 8-hour cycle, so once a burner domain is registered, it stays online for only 8 hours. When a burner domain is registered, it is linked to the actual landing page that contains the payload. All the while, the system carries out real-time bidding to win ad placements for the newly registered domain.
The moment an ad bid is won, the burner domain goes live, and if a user clicks the ad, she is redirected to the landing page and the infection takes place. Once the 8 hours have elapsed, the temporary burner domain is abandoned and the cycle starts all over again.
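A defender-side illustration of the burner-domain pattern described above, added here and not part of the original article: it reconstructs referrer-linked redirect chains from proxy records and flags any hop that lands on a domain registered less than eight hours earlier and then forwards the client to a third host. The hostnames, timestamps and the registration table are constructed for the example; a real deployment would take domain ages from a registration or WHOIS feed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real incident): domain registration times.
DOMAIN_REGISTERED = {
    "news-site.example": datetime(2015, 1, 1, 0, 0),
    "adserver.example": datetime(2014, 6, 1, 0, 0),
    "burner-x7q.example": datetime(2015, 2, 10, 8, 5),  # freshly registered burner
    "landing-payload.example": datetime(2015, 2, 9, 0, 0),
}

# Constructed proxy log: (timestamp, client, referrer host, requested host)
PROXY_LOG = [
    (datetime(2015, 2, 10, 10, 0, 0), "10.0.0.5", "news-site.example", "adserver.example"),
    (datetime(2015, 2, 10, 10, 0, 1), "10.0.0.5", "adserver.example", "burner-x7q.example"),
    (datetime(2015, 2, 10, 10, 0, 2), "10.0.0.5", "burner-x7q.example", "landing-payload.example"),
    (datetime(2015, 2, 10, 11, 0, 0), "10.0.0.9", "news-site.example", "adserver.example"),
    (datetime(2015, 2, 10, 11, 0, 1), "10.0.0.9", "adserver.example", "news-site.example"),
]

BURNER_MAX_AGE = timedelta(hours=8)  # lifetime of a FessLeak burner domain

def domain_age(host, at):
    reg = DOMAIN_REGISTERED.get(host)
    return None if reg is None else at - reg

def redirect_chains(log, window=timedelta(seconds=5)):
    """Link each request to the prior request of the same client whose host is its referrer."""
    chains = []
    for ts, client, ref, host in sorted(log):
        for chain in chains:
            last_ts, last_client, _, last_host = chain[-1]
            if last_client == client and last_host == ref and ts - last_ts <= window:
                chain.append((ts, client, ref, host))
                break
        else:
            chains.append([(ts, client, ref, host)])
    return chains

def find_burner_hops(log):
    """Flag hops onto a domain younger than 8 h that then forward to a different host."""
    alerts = []
    for chain in redirect_chains(log):
        hosts = [host for _, _, _, host in chain]
        for i in range(len(chain) - 1):  # only hops that redirect onward
            ts, client, _, host = chain[i]
            age = domain_age(host, ts)
            if age is not None and age <= BURNER_MAX_AGE and hosts[i + 1] != host:
                alerts.append((client, host, hosts[i + 1], age))
    return alerts
```

The second client's chain ends on a long-registered host and is not flagged, which is the point of keying the alert on domain age rather than on the ad network itself.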
When users are infected with malware via the FessLeak campaign, the payload is extracted directly into system memory using extrac32.exe. Computer security researchers suggest that this campaign is run by cyber criminals in Russia, and, most of the time, the infection that gets installed on target computers through this campaign is Crypto ransomware.
Crypto ransomware refers to a number of ransomware infections that exploit FessLeak and other distribution methods to infect multiple computers and generate financial profit for their creators. According to our research, the most widespread infection in the group is CTB-Locker. This malicious program tends to encrypt .rar, .zip and .txt files on the affected computer, although it may not be limited to those extensions. The second most "popular" infection in the group is CryptoLocker, which focuses on .doc, .rar and .zip files. The third "place" goes to Cryptowall ransomware, which mostly targets .txt and .doc files.
Since these ransomware infections make use of the FessLeak campaign to spread, it is virtually impossible to delete them, as the distribution method does not drop any infection files, only the actual payload. With that, users are left to deal with the consequences of the infection and no actual infection file to delete. Hence, keeping in mind how dangerous ransomware infections are, and how persistent they are in pushing users into transferring the ransom fee, we have no other choice but to encourage users to exercise safe web browsing habits. Refrain from clicking on commercial ads whenever you see any, because some of them might be part of the FessLeak campaign.