Spelevo Exploit Kit

Spelevo Exploit Kit Description

The Spelevo Exploit Kit is a program that cybercriminals use to gain access to remote computers via corrupted advertisements (malvertising), spam emails with embedded scripts, fake “browser font packages” and misleading Adobe Flash updates. The Spelevo Exploit Kit is designed to identify vulnerable computers by searching for enabled macro functionality. The hackers employ the Spelevo Exploit Kit to trigger a software vulnerability in the VBScript engine on Windows that security researchers track as CVE-2018-15982. The identifier listed above refers to what is described as a Windows VBScript Engine Remote Code Execution Vulnerability. The threat actors can leverage how the VBScript engine handles objects in system memory to execute arbitrary code and drop a payload from a remote server. As you may expect, the Spelevo Exploit Kit is used to plant various Trojans on vulnerable hosts. A recent observation of activity related to the Spelevo Exploit Kit shows that it is being used to deploy the Backdoor.Win32.Gootkit.K cyber threat, commonly known as the Gootkit Backdoor. The Gootkit Backdoor Trojan enables unauthorized access to infiltrated devices, which opens the way for data exfiltration, DDoS attacks, setting up network proxies and crypto-jacking operations.

Computer security researchers have identified the following addresses to be used with the Spelevo Exploit Kit recently:

abnormal.searchbooks[.]xyz
bajan.flashticketswf[.]xyz
blooper.flashticketswf[.]xyz
capra.searchbooks[.]xyz
extrait.flashticketswf[.]xyz
fetish.flashticketswf[.]xyz
lin.microticket[.]xyz
rascal.microticket[.]xyz
sofia.flashticketswf[.]xyz
thirdimageupload[.]xyz

The list above is not complete, and the threat actors may use the Spelevo Exploit Kit to exchange data via IP addresses such as 185.56.233[.]186, 194.113.107[.]71, 85.17.197[.]101. You should make sure to run the latest version of Adobe Flash Player, which can be updated from https://get.adobe.com/flashplayer. It is best to remove the resources related to the Spelevo Exploit Kit using a respected cybersecurity utility.