After download, two malicious executable files are extracted

Aug 1, 2014 13:42 GMT

In an attempt to evade detection, threat actors have modified the way Fiesta Exploit Kit (EK) delivers the payload to the target computer by sending two malicious files.

This sort of technique is not new and can be used to package different malware families together in order to increase the chances of infecting a computer, since the security tool protecting the system may not detect both of them.

Security researcher Jerome Segura of Malwarebytes has analyzed this new behavior in Fiesta EK and found that the two malicious files are detected by the engines of many antivirus products from the VirusTotal service.

However, in some cases, only one of them is properly identified as malicious, which would put at risk the user relying on such a product.

A single file is downloaded to the computer, and when extracted, two executable files become available. According to Malwarebytes' detections, one of them is spyware and the other is a Trojan.
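The article does not describe the container format of the downloaded file, so the following is an added example (not code from the article or from Malwarebytes) of one defensive check a triage script can run on a downloaded blob: carve every plausible PE image out of it and flag the sample when more than one executable is embedded, which is exactly the "one download, two payloads" pattern described above. The sample dropper, the `find_embedded_pe` and `analyze_download` names, and the fake PE images are all constructed for this example; the heuristic only looks at raw bytes, so a compressed archive would have to be decompressed first.

```python
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"

# IMAGE_FILE_MACHINE values from the PE/COFF specification
KNOWN_MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def find_embedded_pe(blob: bytes) -> list:
    """Return one dict per plausible PE image embedded anywhere in blob.

    Heuristic: for every 'MZ' marker, read e_lfanew at offset 0x3C of the
    candidate DOS header and accept the candidate only if 'PE\\0\\0' sits at
    that offset and the COFF machine field is a known value. This rejects
    stray 'MZ' byte pairs that occur in ordinary data.
    """
    hits = []
    pos = blob.find(MZ_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if (0x40 <= e_lfanew < 0x1000
                    and pe_off + 24 <= len(blob)
                    and blob[pe_off:pe_off + 4] == PE_MAGIC):
                machine = struct.unpack_from("<H", blob, pe_off + 4)[0]
                if machine in KNOWN_MACHINES:
                    hits.append({"offset": pos, "machine": KNOWN_MACHINES[machine]})
        pos = blob.find(MZ_MAGIC, pos + 1)
    return hits


def analyze_download(blob: bytes) -> dict:
    """Triage verdict: how many executables are embedded, and is it a multi-payload dropper."""
    hits = find_embedded_pe(blob)
    return {"embedded_pe_count": len(hits), "multi_payload": len(hits) > 1, "images": hits}


def _fake_pe(machine: int, filler: bytes) -> bytes:
    """Build a minimal, non-executable PE-shaped image for testing (constructed data)."""
    dos = bytearray(0x40)                      # DOS header, zero-filled
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew -> PE signature right after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + PE_MAGIC + coff + filler


# Constructed sample: some prefix bytes, then two PE images back to back.
# The first image's body deliberately contains a stray "MZ" to exercise the false-positive check.
SAMPLE_PREFIX = b"CONSTRUCTED-DROPPER-PREFIX\0\0"
SAMPLE_DROPPER = (
    SAMPLE_PREFIX
    + _fake_pe(0x14C, b"MZ is not a header here")
    + _fake_pe(0x8664, b"payload-two-body")
)

if __name__ == "__main__":
    verdict = analyze_download(SAMPLE_DROPPER)
    for img in verdict["images"]:
        print(f"embedded PE at offset {img['offset']:#x} ({img['machine']})")
    print("multi-payload dropper:", verdict["multi_payload"])
```

In a real pipeline the flagged offsets would be carved into separate files and each one submitted to the scanner independently, which is the simplest way to close the gap the article describes: a product that scores the container as a whole can miss the second payload even though it would detect it on its own.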

In his analysis, Segura noticed that the landing page for Fiesta EK served various exploits, as well as a single malware file, with Java as the parent process. However, further investigation showed that two payloads were being dropped on the system.