Official Website of Popular Science Compromised
Posted by AToro on 28 October 2014 10:55 PM

Websense® ThreatSeeker® Intelligence Cloud has detected that the official website of Popular Science has been compromised and is serving malicious code. Popular Science is a well-established monthly magazine with a readership of more than a million, focusing on making science and technology subjects accessible to the general reader. The site has been injected with malicious code that redirects users to websites serving exploit code, which subsequently drops malicious files on each victim's computer.

 

Websense Security Labs™ has contacted the IT team of Popular Science with a notification regarding the compromise.

The main page of Popular Science on October 28, 2014:

 

Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages of the seven stages an advanced threat goes through when attempting to steal your data:

  • Stage 2 (Lure) - ACE has detection for the compromised websites.
  • Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber attack.

 

Analysis

The website has been injected with a malicious iFrame, which automatically redirects the user to the popular RIG Exploit Kit. The same Exploit Kit has been used in the compromise of METRO’s website as well. The exploit kit launches various exploits against the victim which – if successful – will result in a malicious executable dropped on the user’s system.

 

The injected iFrame:

 

In most cases, malicious injections redirect the user to a TDS (Traffic Distribution System), which then further redirects to the exploit kit's landing page. However, as is often the case with the RIG Exploit Kit, the injected code sends the victim directly to the landing page.

 

Obfuscated RIG Exploit Kit landing page:

 

The exploit kit landing page is heavily obfuscated to make analysis and detection more difficult. Before launching any exploit, the RIG Exploit Kit uses the CVE-2013-7331 XMLDOM ActiveX control vulnerability to enumerate the antivirus (AV) software installed on the target system.

 

Checking for AV:


This technique has been used by a number of exploit kits recently, most notably the Nuclear and Angler exploit kits. If the user doesn’t have any of the checked AVs installed, then the exploit kit proceeds to evaluate the installed plug-ins and their versions, in particular Flash, Silverlight, and Java. If a vulnerable plug-in is found, the appropriate exploit is launched.
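
A content-side check for the fingerprinting described above, added here as an example and not code from the original post: it scans a constructed, deliberately non-functional script fragment (made-up vendor and file names, no exploit logic) for the traits of the CVE-2013-7331 probe (Microsoft.XMLDOM, res:// local paths, parseError.errorCode) and for the plug-in name checks, and reports which product directories and plug-ins a page fingerprints.

```python
import re

# Constructed, deliberately non-functional fragment standing in for a de-obfuscated
# landing page script; vendor and file names are made up and there is no exploit logic.
SAMPLE_SCRIPT = r'''
var d = new ActiveXObject("Microsoft.XMLDOM");
var probes = ["res://C:\\Program Files\\ExampleAV\\shield.dll",
              "res://C:\\Program Files\\OtherGuard\\guard.exe"];
/* ... loop over probes and read d.parseError.errorCode ... */
var fl = navigator.plugins["Shockwave Flash"]; var sl = "Silverlight";
'''

RES_PROBE = re.compile(r'res://([^"\']+)')              # local paths loaded via res://
XMLDOM = re.compile(r'Microsoft\.XMLDOM', re.I)         # the ActiveX control CVE-2013-7331 abuses
PARSE_ERR = re.compile(r'parseError\.errorCode', re.I)  # how the probe result is read back
PLUGINS = ("Shockwave Flash", "Silverlight", "Java")    # plug-ins RIG enumerates, per the post

def vendor_dir(path):
    """'C:\\Program Files\\ExampleAV\\shield.dll' -> 'ExampleAV' (None if the path is too short)."""
    parts = re.split(r'\\+', path)
    return parts[2] if len(parts) >= 4 else None

def analyse_script(src):
    """Report AV-enumeration and plug-in fingerprinting traits found in script text."""
    probes = RES_PROBE.findall(src)
    av_enum = bool(probes) and bool(XMLDOM.search(src)) and bool(PARSE_ERR.search(src))
    vendors = sorted({v for v in map(vendor_dir, probes) if v})
    plugins = [p for p in PLUGINS if p in src]
    return {
        "av_enumeration": av_enum,
        "probed_paths": probes,
        "vendors": vendors,
        "plugin_checks": plugins,
        # Either trait alone is weak evidence; both together is the RIG pattern described above.
        "verdict": "rig-like fingerprinting" if av_enum and plugins else
                   ("suspicious" if av_enum or (probes and plugins) else "clean"),
    }

if __name__ == "__main__":
    for key, value in analyse_script(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```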

 

De-obfuscated script launching Java Exploit:


High-Level Stats: Who is impacted by this injection?

 

Websense telemetry indicates that this type of injection is widespread across the globe. Multiple industries are seen to be continuously affected by this threat.

 

Affected countries:

 

Affected industries:


Conclusion

As we have mentioned in the past, compromising popular web pages is a common technique used by cyber criminals to launch their attacks. It is important that users employ advanced security products that can protect them at the various stages of these attacks.


METRO.US Website Compromised to Serve Malicious Code
Posted by Ran Mosessco on 22 July 2014 08:48 PM

Websense® ThreatSeeker® Intelligence Cloud has detected that the U.S. version of the Metro International website (metro.us) has been compromised and is serving malicious code. Metro newspaper editions are distributed in high-traffic commuter zones or in public transport networks. In the U.S., Metro is published in New York, Boston, and Philadelphia, and is "written and designed for young and ambitious professionals." The U.S. website has over 1 million visitors a month. When a visitor goes to the main page, metro.us redirects to metro.us/newyork/. That page is injected with a malicious iFrame that redirects users to websites serving exploit code, which subsequently drops malicious files on the victim's computer.

 

Websense Security Labs™ has contacted the IT team of metro.us with a notification regarding the compromise, and they are investigating the issue.

Please note that in the UK there is an unrelated Metro publication (Associated Newspapers), which is not linked to the campaign in question.

 

metro.us main page as of 22 July 2014:


SimilarWeb.com statistics for metro.us:


Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages:

 

  • Stage 2 (Lure) - ACE has detection for the compromised websites.
  • Stage 3 (Redirect) - ACE has detection for the injected code that redirects the user to the exploit page.
  • Stage 4 (Exploit Kit) - ACE has detection for the malicious code that attempts to execute this cyber attack.
  • Stage 5 (Dropper Files) - ACE has detection for the binary files associated with this attack.
  • Stage 6 (Call Home) - Communication to the associated C&C server is prevented.

 

Analysis

 

The injected code has been found in multiple locations within the main website. When a user browses to the main website, the injected code loads automatically and silently redirects the user through a TDS (Traffic Distribution System or Traffic Direction System) to a website hosting the RIG Exploit Kit. The exploit kit tries to load exploit code for various vulnerabilities in order to drop a malicious executable on the victim's computer.

 

Here is a sample of the injected iFrame (which was found on multiple pages on metro.us):

 

The redirection target from the iFrame (hxxp://fsbook.us/?mt) is part of the TDS. It sets a cookie (to thwart repeated analysis attempts), then redirects to hxxp://fsbook.us/link.php:


hxxp://fsbook.us/link.php in turn redirects to the RIG Exploit Kit landing page:

 

RIG Exploit Kit

 

RIG "came on the scene" around April 2014, and was heavily used to distribute ransomware such as Cryptowall.

According to Websense ThreatSeeker Intelligence Cloud telemetry, as expected for this specific campaign, most of the victims come from the U.S. and Canada, but let's take a broader look at the geographic telemetry from RIG Exploit Kit, in the last 2 months:


Top 10 Countries affected by RIG Exploit Kit

Country           Percent of Total
United States     32.36%
Canada             6.10%
United Kingdom     5.97%
Australia          5.84%
India              4.51%
Italy              3.72%
Peru               3.58%
Germany            2.52%
South Africa       2.39%
France             2.12%


We still see a heavy bias towards the U.S., Canada, the UK, and Australia, which aligns with what cyber criminals regard as "high quality" traffic. 

 

The RIG Exploit Kit landing page is heavily obfuscated (which is typical with exploit kits). It functions in a similar way to other crimeware exploit kits, in that it tries to load exploit code for vulnerable plug-ins, such as Java, Flash, and Silverlight.

As with other prominent exploit kits, the request headers must carry the expected Referer for the malicious content to load. In this case, the referrers were the compromised metro.us pages.

Example URL for a landing page:

hxxp://picture.slightlywrong.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|YWMyMmFmNzVmYmZkOWNiZmJiMmQ5ZjZlODQzZWI3MjU


One of the scripts loads code pointing to the jar file location, in order to exploit a Java vulnerability.

hxxp://picture.slightlywrong.com/index.php?req=xml&num=6845&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|YWMyMmFmNzVmYmZkOWNiZmJiMmQ5ZjZlODQzZWI3MjU

 

hxxp://picture.slightlywrong.com/index.php?req=jar&num=9791&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CYWMyMmFmNzVmYmZkOWNiZmJiMmQ5ZjZlODQzZWI3MjU
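
A log-side check for the chain just described, added here as an example rather than the post's own tooling: it parses constructed proxy log lines (timestamp, client, status, URL, Referer; the URLs are the defanged ones above in live form, the clients and timestamps are made up), flags the RIG traits (the misspelled PHPSSESID parameter carrying a two-part token, and index.php?req=...&num=... requests), and reconstructs lure page, TDS hops and landing host per client. It also covers the variant from the Popular Science post, where the injected code skips the TDS and the hop list comes back empty.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log (ts client status url referer), modelled on the chain in the
# post; the last line is benign traffic using a genuine PHPSESSID parameter.
SAMPLE_LOG = """\
1405979280 10.0.0.5 200 http://www.metro.us/newyork/ -
1405979281 10.0.0.5 302 http://fsbook.us/?mt http://www.metro.us/newyork/
1405979281 10.0.0.5 302 http://fsbook.us/link.php http://www.metro.us/newyork/
1405979282 10.0.0.5 200 http://picture.slightlywrong.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|YWMyMmFmNzVmYmZkOWNiZmJiMmQ5ZjZlODQzZWI3MjU http://www.metro.us/newyork/
1405979283 10.0.0.5 200 http://picture.slightlywrong.com/index.php?req=jar&num=9791&PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg%7CYWMyMmFmNzVmYmZkOWNiZmJiMmQ5ZjZlODQzZWI3MjU http://picture.slightlywrong.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|YWMyMmFmNzVmYmZkOWNiZmJiMmQ5ZjZlODQzZWI3MjU
1405979290 10.0.0.9 200 http://shop.example/cart.php?PHPSESSID=4f9c2b1d7e&item=12 http://shop.example/
"""

# Two base64-looking halves joined by "|" (parse_qs already decodes %7C), as in the post's URLs.
RIG_TOKEN = re.compile(r"^[A-Za-z0-9+/=]{20,}\|[A-Za-z0-9+/=]{20,}$")

def rig_indicators(url):
    """Return the RIG-style traits of one URL; an empty list means none matched."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    # The misspelled parameter name is the tell: a real PHP session uses PHPSESSID.
    if any(RIG_TOKEN.match(v) for v in query.get("PHPSSESID", [])):
        hits.append("PHPSSESID two-part token")
    if parts.path.endswith("/index.php") and "req" in query and "num" in query:
        hits.append("index.php?req=%s&num=" % query["req"][0])
    return hits

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, client, status, url, referer = line.split()
        rows.append({"ts": int(ts), "client": client, "status": int(status),
                     "url": url, "referer": None if referer == "-" else referer})
    return rows

def find_chains(rows):
    """Per client: lure (referring page), TDS hops and landing host of the first RIG hit."""
    chains = {}
    for row in rows:
        traits = rig_indicators(row["url"])
        if not traits or row["client"] in chains:
            continue
        lure = urlsplit(row["referer"]).netloc if row["referer"] else None
        # Redirect responses sharing the same Referer are the TDS hops in between
        # (empty when the injected code sends the victim straight to the landing page).
        hops = [urlsplit(r["url"]).netloc for r in rows
                if r["client"] == row["client"] and r["referer"] == row["referer"]
                and 300 <= r["status"] < 400]
        chains[row["client"]] = {"lure": lure, "hops": list(dict.fromkeys(hops)),
                                 "landing": urlsplit(row["url"]).netloc, "traits": traits}
    return chains

if __name__ == "__main__":
    for client, chain in find_chains(parse_log(SAMPLE_LOG)).items():
        print(client, chain)
```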

 

If the exploit succeeds, an obfuscated executable is dropped on the victim's computer:


VirusTotal detection for the dropped file, at the time of writing, is 7/53.


The malware that was dropped has a few notable features:

 

  • Queries information on disks, possibly for anti-virtualization
  • Retrieves the Windows ProductID, probably to fingerprint sandboxes
  • Checks for the presence of windows belonging to known debuggers and forensic tools
  • Steals private information from locally installed web browsers
  • Installs itself for autorun at Windows startup

 

Communication has been observed to these hosts:

hxxp://report.oce3a7ku179a17e3.com/

hxxp://update.jffgrr8.com/

 

Communication was also observed to:

http://www.bing.com/chrome/report.html

 

Here is Websense's ThreatScope™ sandbox report for a file dropped in this attack.

 

Conclusion

As we can see, compromising popular media web pages continues to be a common threat. Websense Security Labs blogged a month ago about another popular site that was compromised, and there will likely be more cases of this sort in the near future, since "high quality" traffic is desirable to cyber criminals (as the heavy U.S./Canada/UK/Australia bias suggests). The cyber criminals use various methods to increase the chance of infection while trying to maintain anonymity through the use of a TDS (in some cases more than one). While the RIG Exploit Kit is popular now, we see other exploit kits such as Angler, Goon/Infinity, Nuclear Pack, and Magnitude used for similar purposes. In many cases, the TDS rotates between different exploit kits.

 

Contributors: Ran Mosessco, Elad Sharf, Abel Toro
