
Fessleak: The Zero-Day Driven Advanced RansomWare Malvertising Campaign

Feb 4, 2015

Ransomware malvertising can strike at any time. It is typically dropped from clickbait articles on popular websites, or simply by visiting popular sites. You can be watching someone’s “Granny opening a new iPhone” video when you are suddenly confronted with a full screen announcing that all your files and photos have been encrypted and that, to get them back, you must pay a bitcoin ransom to a criminal organization. There may be no worse feeling in the digital age than having all your personal files, family albums and work encrypted and held for ransom.

Although ransomware has been in the news since CryptoLocker (CriLock) made its debut, we continue to see new innovations in ransomware.  More advanced versions now use file-less infections and communicate via the Tor network. They can also check to ensure the host is not running on a virtual machine to frustrate security researchers and analysis.

Ironically, it is this virtual machine check that sends the advanced ransomware malvertising running when it detects the Invincea virtual container on an endpoint. Cisco has an excellent blog post (linked here) discussing the virtual machine detection in CryptoWall 2.0.

We take a look at two examples of ransomware: Kovter, which does not check for virtualization, and a Russian file-less ransomware, likely run from the Hanjuan exploit kit, which does check for virtualization and fails to execute when it detects Invincea.

Kovter Example

A recent malvertising infection from Kovter on New Year’s Eve, dropped by (see below), produced the following:



As you can see above, multiple advertising redirects ultimately sent the endpoint to several Polish websites hosting an exploit kit, which dropped Kovter under the name ‘fixutil.exe’. The fixutil.exe sample appears here on VirusTotal, where many AV vendors agree on the Kovter designation.


FessLeak Malvertising

Next is an example of the new file-less Flash malvertising dropped by Russian criminals via a real-time ad bidding network. This malvertising doesn’t seem to have a specific name, so Invincea has dubbed it “Fessleak” after the registrant of all of the malicious domains used in the malware delivery. In this instance, a clickbait article on the Huffington Post about the terrorist attack on Charlie Hebdo dropped advanced ransomware. You will see in the logs that there is no dropped file; instead, the malware is extracted from system memory using the local System32 utility extrac32.exe. Once this extraction is complete, the malware detects the Invincea container and quits.




We can look at the Whois record and owner of the domain to determine that this is the Fessleak variant of this malvertising. First, you will see that the domain was registered and employed on the same date as the malware delivery:


Next, you will see the owner information, likely forged: Michael Zont, with an email address on a free email platform similar to Hotmail.


Dozens of other observed domains registered to Fessleak have engaged in the delivery of this advanced ransomware.  A Google search for the email address returns dozens of malicious domains, most of which are only ever used for a few hours before the name resolution is pulled.

In summary, Invincea-protected endpoints are immune to Fessleak and other malvertising attacks, not just because the malware can detect our container running, but because any process that attempts to break out of the browser to the local system is automatically blocked. File-less attacks, buffer overflow exploits, zero-day Flash exploits, weaponized documents and more are all defeated by Invincea FreeSpace.

Use of Adobe Zero Day Exploits

In what appears to be a response to a recent Microsoft patch, the Fessleak threat actor has stopped using file-less Flash to deliver his ransomware. Now Fessleak drops a temp file via Flash and makes calls to icacls.exe, the Windows utility that sets permissions on folders and files. At this time, there is no AV detection for the malicious binary, which likely rotates its hash value to avoid signature detection. See the screenshot below of the malvertising infections being dropped.
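Both Fessleak variants described above share one observable on the endpoint: a System32 utility (extrac32.exe in the file-less case, icacls.exe after the temp-file drop) is started beneath a browser process. The following detection heuristic over process-creation events is an added example, not Invincea’s code or part of the original post; the key=value log format, the browser image list and the sample events are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Browser images that should never have these System32 utilities as descendants.
# Constructed list for this example; extend with the browsers/plugin hosts you deploy.
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe", "chrome.exe"}
# System32 binaries the post describes being abused: extrac32.exe (file-less unpack
# from memory) and icacls.exe (permission changes after the temp-file drop).
WATCHED_UTILITIES = {"extrac32.exe", "icacls.exe"}

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str  # lower-cased file name only, e.g. "extrac32.exe"

# Constructed process-creation log format: one event per line, key=value pairs.
LINE_RE = re.compile(r'pid=(\d+)\s+ppid=(\d+)\s+image="([^"]+)"')

def parse_line(line: str) -> ProcEvent:
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    image = m.group(3).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ProcEvent(int(m.group(1)), int(m.group(2)), image)

def browser_spawned_utilities(lines, max_depth: int = 4) -> List[Tuple[int, str, str]]:
    """Return (pid, image, browser_ancestor) for every watched utility whose parent
    chain (up to max_depth hops) contains a browser process."""
    events: Dict[int, ProcEvent] = {}
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            events[ev.pid] = ev
    hits = []
    for ev in events.values():
        if ev.image not in WATCHED_UTILITIES:
            continue
        parent, depth = events.get(ev.ppid), 0
        while parent is not None and depth < max_depth:
            if parent.image in BROWSER_IMAGES:
                hits.append((ev.pid, ev.image, parent.image))
                break
            parent, depth = events.get(parent.ppid), depth + 1
    return sorted(hits)

# Constructed sample: two utilities under Internet Explorer (suspicious) and one
# icacls.exe run by an administrator from cmd.exe (benign, not flagged).
SAMPLE_LOG = """\
pid=400 ppid=1 image="C:\\Windows\\explorer.exe"
pid=1200 ppid=400 image="C:\\Program Files\\Internet Explorer\\iexplore.exe"
pid=1310 ppid=1200 image="C:\\Windows\\System32\\extrac32.exe"
pid=1320 ppid=1200 image="C:\\Windows\\System32\\icacls.exe"
pid=2000 ppid=400 image="C:\\Windows\\System32\\cmd.exe"
pid=2010 ppid=2000 image="C:\\Windows\\System32\\icacls.exe"
""".splitlines()
```

Running `browser_spawned_utilities(SAMPLE_LOG)` flags only the two utilities beneath iexplore.exe; the administrator’s icacls.exe under cmd.exe is left alone.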


While Invincea has been tracking this threat actor for months, other notable security researchers have noticed that Fessleak is using advanced Adobe zero-day exploits to continue delivering his malware. Kafeine notes that Fessleak has now been seen using the very latest Adobe zero-day exploit, CVE-2015-0311. His excellent write-up, which notes that the latest exploit installs a remote desktop and an ad-fraud bot, is here.

TrendMicro also notes, in this blog post, that Fessleak, and specifically one of his “burner” domains, was seen using the same zero-day.

The table below shows that Invincea has been tracking this threat actor for months.

Date Domain Malvertised on:
Oct 17, 2014
Oct 22, 2014
Oct 29, 2014
Nov 2-11, 2014*
Nov 12-14, 2014
Nov 19, 2014
Nov 21-24, 2014
Dec 10-11, 2014
Dec 12, 2014
Dec 21, 2014
Dec 25-26, 2014
Dec 27, 2014
Dec 28, 2014
Dec 29, 2014
Dec 31, 2014-Jan 1, 2015
Jan 3, 2015
Jan 4, 2015
Jan 5, 2015
Jan 8, 2015
Jan 9, 2015
Jan 11, 2015
Jan 12, 2015
Jan 13, 2015
Jan 14, 2015
Jan 20-21, 2015
Jan 27, 2015
Jan 28, 2015**
Jan 29, 2015
Feb 2, 2015
Feb 3, 2015
Feb 3, 2015

* First use of registered domain to
** Domain first observed by TrendMicro

It is important to note that the sites from which the malvertising was delivered are by and large unaware that their sites were used for delivering malware, and largely unable to do anything about it.

Whether Fessleak has been using zero-day exploits all along is indeterminate; Invincea doesn’t differentiate between zero-day exploits and known vulnerabilities when it stops attacks. But if zero-day exploits were indeed used, it simply means that Invincea-protected hosts have thwarted Fessleak’s campaign. Other security wonks and anti-virus vendors are urging users to turn off Flash until it can be patched. But Invincea FreeSpace users don’t have to scramble to disable plugins, switch browsers and find patches. We protect them, even in the face of stacks of zero-days.

