Maze Ransomware Exploiting Exploit Kits

Cybercrime has never been one to hem in tactics with ideology or rules. Rather, malware operators are known to use what works and then modify code to continue to work. By “work,” we mean that the code does what it is supposed to; for information stealers, the work done will be different from the work done by those deploying banking trojans. For ransomware, the work is how easily a machine can be infected and how readily it can encrypt data. The Maze has modified how it infects machines to better complete the cyberattacker’s aims.

Recent Maze distribution campaigns have been seen using exploit kits, which seem to be trendy once more. Once access is gained, the attacker can then execute code and install other pieces of malware, be they ransomware or banking trojans. Maze’s use of exploit kits is not a new tactic; in the past, it has used the Fallout exploit kit. While exploit kits themselves are not new, their use with ransomware is relatively new. Typically, ransomware would be spread via spam email campaigns involving social engineering to trick the user into downloading the malicious program. By using an exploit kit, another attack vector is opened and often users aren’t prepared to defend against it. Exploit kits are seen as a collection of known software vulnerabilities that an all-in-one tool looks to exploit and enable access to the machine to further download other strains of malware. Often, the delivery method for the malware is a drive-by download that the user normally doesn’t detect and can do little to prevent.

When security researcher Jérôme Segura discovered Maze was leveraging Fallout, he determined that the exploit kit was being distributed via a fake cryptocurrency exchange app. At the time of the discovery, in May 2019, it was further found that the attackers created a fake Abra website and then paid for advertising to redirect the user to a landing page that hosted the exploit kit. What was interesting about the campaign was that once Fallout managed to gain remote access and the ransomware was dropped, the ransomware would detect what type of computer was infected. This information was then used to determine the ransom amount demanded for data decryption.

Spelevo Exploit Kit

By the middle of October, researchers nao_sec and GrujaRS discovered Maze was again being distributed via another exploit kit—this time, it was using the Spelevo exploit kit. Spelevo was discovered in June and used many of the old tactics that made exploit kits such a threat. The kit is designed to redirect internet traffic to a landing page controlled by the attackers, which checks to the system of the user who is on the page to see if any of the vulnerabilities the kit targets are available to be exploited. From there, the exploit kit will drop other forms of malware.

When it was discovered, Spelevo was targeting known vulnerabilities found in Internet Explorer and Flash. Those vulnerabilities are CVE-2018-8174 for Internet Explorer and both CVE-2018-15982 and CVE-2018-4878 in Flash, as noted by researchers. Spelevo, like Maze/Fallout, was being dropped via fake websites. This time the website used a fake business-to-business (B2B) page and once a vulnerable computer was found the exploit kit would drop the infamous banking trojan Dridex.

Spelevo—and exploit kits in general—have one Achilles heel: their dependency on Internet Explorer. The now unpopular browser once dominated the browser landscape. Its decline in popularity led to a decline in exploit kit popularity. That said, Internet Explorer still amounts to 5% of the global browser market, according to some sources, still a significant number of machines. As the browser is typically seen as outdated, vulnerability patches are few and far between and attackers hope that updates are not done at all by users still using the software. The same goes for Flash.

The use of exploit kits currently seems to be more of a targeted approach. Given that modern browsers have security measures in place to prevent such attacks from being successful, hackers are going after Internet Explorer users to better guarantee an infection. What made exploit kits so dangerous in the past still makes them a threat today. The threat posed is mainly the drive-by download feature, which doesn’t need any user interaction such as clicking a link. The malware is downloaded as soon as the user lands on the compromised site and a targeted vulnerability is found. They are a threat and need to be taken seriously.

Spelevo and Maze

In this instance, Spelevo again was seen exploiting the vulnerabilities mentioned above. But rather than dropping Dridex, it was dropping Maze. Once Maze is installed, it scans for targeted file extensions—often documents, databases or images—and, once detected, begins encrypting them. Maze is based on the previous ChaCha ransomware and uses its algorithms for encryption along with RSA encryption methods, namely RSA-2048. Following encryption, the ransomware creates a ransom note under the file name DECRYPT-FILES.txt, which instructs the victim how to pay for decryption. Maze comes complete with a support site to further help victims pay; the site even boasts an online chat service. This should by no means be interpreted as kindness on the side of the attacker but rather clever tactics to help facilitate ransom payment.

Screenshot of files encrypted by Maze ransomware (ransom extension):

maze ransomware encrypted files

Screenshot of a ransom demanding message (DECRYPT-FILES.txt) shown by this ransomware:

maze ransomware - ransom demanding message

As mentioned above, Maze is based on ChaCha, which was distributed mainly via free software bundles that were compromised to include the ransomware or through spam email campaigns. ChaCha adopted the more traditional distribution path that relied on user interaction. Maze opted for exploit kits that made use of drive-by downloads. The question of which is better can only be answered by the operators behind the attacks. Both come with advantages and disadvantages and time will tell which is favored. Given Internet Explorer’s continued decline, the traditional methods may be favored by more hackers.

Given that Maze has used two exploit kits to help with infection, the tactic will see continued use in the near future. If the tactic works there is no need to change until it no longer works. Spelevo has seen very few modifications since its discovery, except the secondary payload has changed from banking trojan to ransomware. This is by no means novel; hackers will often look to use whatever can make them money. Recent research reveals an increase in exploit kit use in 2019 so far, which means users can expect not only trojans and ransomware to appear on their system but other types of malware.

Defending Against Spelevo and Maze

It is important to remember that both Spelevo and Maze attacks can be prevented. Users are advised to steer clear of legacy software packages such as Internet Explorer and Flash, as Spelevo only targets vulnerabilities found in those packages. In 2017,  when they hit their peak in popularity, browsers were incapable of preventing the kits from initiating drive-by downloads in many cases. Now Edge, Chrome and Firefox all have security measures in place that prevent exploit kits from automatically downloading harmful files. Users are strongly advised to use one of these browsers instead of Internet Explorer. Simply by changing the browser used, the user has removed the threat of falling victim to Spelevo.

In defending against Maze, there are a number of things users can do, many of which protect against not only ransomware but also a wide variety of different malware families. For most ransomware and other malware families, users are advised not to click on links received via emails. This is the primary method many ransomware operators are dependent on for infecting devices. Further, users are encouraged to perform proper backups regularly, thus mitigating data loss in the event of an infection.

Users also should install all current Windows security patches and ensure all other software is up to date. This effectively prevents exploit kits from taking advantage of now-patched vulnerabilities.

As some ransomware families are spread by abusing remote desktop services, users should make sure that machines running remote desktop services are not directly connected to the internet or place them behind VPNs. Having a reputable anti-virus package is also recommended. The majority of malware infections are preventable by adopting good security practices.

Tomas Meskauskas

Avatar photo

Tomas Meskauskas

Tomas Meskauskas - Internet security expert, editor of pcrisk.com website, co-founder of Mac anti-malware application Combo Cleaner.

tomas-meskauskas has 22 posts and counting.See all posts by tomas-meskauskas