Over the weekend and into today, four different malvertising campaigns have been redirecting users to exploit kits that install password stealing Trojans, ransomware, and clipboard hijackers.

All four of these campaigns were discovered by exploit kit expert nao_sec and are being distributed through malvertising that redirects visitors to the exploit kits' landing pages. These landing pages are typically hosted on hacked sites.

Once a user visits the site, the kit's scripts will attempt to exploit vulnerabilities in the visitor's browser to automatically download and install malware without the user's knowledge.

GrandSoft exploit kit installs the Ramnit banking trojan

On Saturday, nao_sec saw the GrandSoft exploit kit pushing the Ramnit banking trojan.

Ramnit is a password-stealing trojan that attempts to steal victims' saved login credentials, online banking credentials, FTP accounts, browser history, site injections, and more.

GrandSoft pushing Ramnit

Rig exploit kit pushes Amadey and a clipboard hijacker

On Sunday, nao_sec continued to see exploit kit activity in the form of a popcash malvertising campaign redirecting users to the Rig exploit kit. This exploit kit targets the CVE-2018-15982 (Flash Player), CVE-2018-8174 (Microsoft Internet Explorer VBScript Engine), and other vulnerabilities to infect visitors with malware.

Visitors running Internet Explorer who are redirected to the Rig landing page would then find their browsers crashing as the exploit kit installs malware.

Rig EK exploiting Internet Explorer

When nao_sec saw this campaign it was installing clipboard hijackers, which monitor the Windows clipboard for cryptocurrency addresses and substitute any that they find for addresses under their control. This is used to steal the payments that users think they are sending to legitimate wallet addresses.
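The substitution behaviour described above can be spotted from the defender's side by watching for an address-shaped clipboard value that is replaced by a different address of the same type faster than a person could copy one. The following is an added example, not code from the article or from nao_sec; the event format, the `find_swaps` name, the two-second threshold, and the sample addresses are all assumptions made for illustration.

```python
import re

# Address shapes only (no checksum validation); enough to recognise what a hijacker matches on.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the address type the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def find_swaps(events, max_gap=2.0):
    """Flag same-type address replacements that happen within max_gap seconds.

    events: (timestamp_seconds, clipboard_text) tuples in time order, as an
    endpoint clipboard monitor might record them (hypothetical format).
    max_gap is an assumed threshold: a user rarely copies two different
    addresses within a couple of seconds, while a hijacker rewrites at once.
    """
    alerts = []
    prev = None  # (timestamp, text, kind) of the previous clipboard value
    for ts, text in events:
        text = text.strip()
        kind = address_kind(text)
        if (prev and kind and prev[2] == kind
                and text != prev[1] and ts - prev[0] <= max_gap):
            alerts.append((ts, kind, prev[1], text))
        prev = (ts, text, kind)
    return alerts

# Constructed sample data: placeholder addresses, not real wallets.
USER_ADDR = "1" + "A" * 33
SWAPPED_ADDR = "1" + "B" * 33
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (10.0, USER_ADDR),           # user copies a payment address
    (10.3, SWAPPED_ADDR),        # replaced 0.3 s later by another address
    (60.0, "0x" + "ab" * 20),    # user copies an Ethereum-shaped address
    (300.0, "0x" + "cd" * 20),   # a different one minutes later: normal use
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print("possible clipboard hijack:", alert)
```

An alert from this check is a prompt to compare the pasted address with the intended one before sending a payment and to scan the machine for malware.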

For BleepingComputer, the exploit kit installed the Amadey trojan, which adds a victim's computer to a botnet, steals information from the computer, and downloads and executes other malware.

Fallout exploit kit pushes a clipboard hijacker

Earlier today, nao_sec discovered the Fallout exploit kit distributing a clipboard hijacker.

nao_sec told BleepingComputer that the Fallout exploit kit targets the CVE-2018-8174 (Microsoft Internet Explorer VBScript Engine) and CVE-2018-15982 (Flash Player) vulnerabilities.

Radio exploit kit installs the Nemty Ransomware

Finally, nao_sec also saw another malvertising campaign today pushing the Radio exploit kit, which is installing the Nemty Ransomware.

Nemty has been gaining traction over the past few weeks and has been spotted being distributed by the Rig exploit kit in the past and through sites that impersonate major brands like PayPal.

The researcher told us that the RadioEK is a "very poor tool" as it targets the CVE-2016-0189 vulnerability in JScript and VBScript for Internet Explorer that Microsoft patched in 2016.

RadioEK in a malvertising campaign

Protecting yourself from exploit kits

In order for an exploit kit to work, it must find vulnerabilities to exploit in outdated software and operating systems.

Therefore, your best defense against an exploit kit is to always make sure you have the latest security updates installed for both your OS and any software you have installed.

When focusing on software updates, it is important to update any programs that interact with a web browser to add functionality, such as Adobe Flash, PDF readers, and similar programs.