Cybersecurity researchers have identified a new variant of the WastedLocker malware that exploits two scripting engine vulnerabilities in unpatched Internet Explorer web browsers.
The new malware builds on the RIG Exploit Kit campaign, and was first discovered by Bitdefender researchers in February 2021.
Unlike the earlier campaign, this new malware is missing the ransomware component. Since it merely acts as a loader, the researchers have named it WastedLoader.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
According to the researcher’s analysis, the new WastedLoader campaign mostly attacked targets in Europe and the Americas.
Ransomware on demand
In their analysis, the researchers note that the malware’s exploitation chain starts with a malicious ad that’s put up on legitimate websites.
Clicking the malicious ad redirects potential victims to the landing page of “RIG EK”, which then serves two exploits based on the two IE vulnerabilities. Both of them are individually capable of downloading and executing the malware.
The campaign builds on proof-of-concept exploits for the two VBScript vulnerabilities to download, decrypt, and execute the malware.
The researchers note that the authors even put up an icon and a brief fake description for the malware to make it look like a legitimate process.
The malware works in four stages. After gathering details about the system, it sends them to its command & control (C2) server.
The researchers posit that the malware downloads a ransomware in the fourth stage. However they’ve been unable to put this to test as the C2 server failed to respond to the malware’s calls during the researcher’s tests.
In any case, the simplest mitigation for this malware is to switch to another web browser. Microsoft Edge has become the default web browser in Windows 10, for all intents and purposes, which only keeps IE around to maintain compatibility with older websites that still use legacy Microsoft web technologies.
