The Fiesta exploit kit has apparently learned a new trick, and is dropping two pieces of malware on unsuspecting victims’ machines.
“A few days ago, we began noticing a strange new pattern with the Fiesta exploit kit. We were getting a double payload where before only one was delivered,” explained Malwarebytes researcher Jerome Segura in a blog post. “So we decided to check our archives and figure out exactly what happened during the last few days.”
Previously, the kit simply used various exploits followed by a single malware drop, whose parent process is Java. In the past two days, however, the Java process has started dropping two payloads. Essentially, Fiesta EK is delivering a double payload from a single URL call. Once downloaded, it is extracted and gives birth to two executables: Spyware.Zbot.ED and Trojan.Agent.ED.
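
From the defender's side, the pattern described above (one Java parent process giving rise to two executables) can be hunted for in process-creation telemetry. The following is an added example, not code from Malwarebytes or from the original article; the record layout, paths, file names, the `java_multi_drop` helper and the 60-second window are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: time|parent image|parent PID|child image.
# Layout, paths and file names are assumptions, not data from the report.
SAMPLE_EVENTS = r"""
2000-01-01T10:00:01|C:\Program Files\Java\jre7\bin\java.exe|4120|C:\Users\a\AppData\Local\Temp\one.exe
2000-01-01T10:00:03|C:\Program Files\Java\jre7\bin\java.exe|4120|C:\Users\a\AppData\Local\Temp\two.exe
2000-01-01T10:05:00|C:\Program Files\Java\jre7\bin\javaw.exe|5300|C:\Users\b\AppData\Local\Temp\single.exe
2000-01-01T11:00:00|C:\Program Files\Java\jre7\bin\java.exe|6000|C:\Tools\build.exe
2000-01-01T11:30:00|C:\Program Files\Java\jre7\bin\java.exe|6000|C:\Tools\pack.exe
2000-01-01T10:06:00|C:\Windows\explorer.exe|1200|C:\Windows\System32\notepad.exe
"""

JAVA_IMAGES = {"java.exe", "javaw.exe"}

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def parse(text):
    """Yield (timestamp, parent image, parent PID, child image) tuples."""
    for line in text.strip().splitlines():
        ts, parent, ppid, child = line.split("|")
        yield datetime.fromisoformat(ts), parent, int(ppid), child

def java_multi_drop(events, window=timedelta(seconds=60), min_children=2):
    """Map (parent image, PID) -> children for Java parents that started at
    least min_children distinct non-Java executables within `window`."""
    by_parent = defaultdict(list)
    for ts, parent, ppid, child in events:
        name = image_name(child)
        if (image_name(parent) in JAVA_IMAGES and name.endswith(".exe")
                and name not in JAVA_IMAGES):
            by_parent[(parent, ppid)].append((ts, child))
    hits = {}
    for key, spawned in by_parent.items():
        spawned.sort()
        for i, (start, _) in enumerate(spawned):
            burst = []
            for ts, child in spawned[i:]:
                if ts - start <= window and child not in burst:
                    burst.append(child)
            if len(burst) >= min_children:
                hits[key] = burst
                break
    return hits

if __name__ == "__main__":
    for (parent, pid), children in java_multi_drop(parse(SAMPLE_EVENTS)).items():
        print(f"{parent} (pid {pid}) started {len(children)} executables: {children}")
```

Java applications do launch helper programs legitimately, so a hit is a triage lead to correlate with browser and network activity rather than a verdict.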