Security Alert: Aggressive Campaign Compromises Websites to Deliver Ransomware and Financial Malware
Infected websites redirect their visitors’ traffic to malware-spreading pages
As you’re reading this, an ongoing campaign is aggressively targeting legitimate web pages powered by insecure CMSs (Content Management Systems). The attackers’ objective is to inject malicious code – specifically EITest code – into these vulnerable websites.
As a result, when users visit the compromised websites, they will be automatically redirected to pages such as the ones below (selection sanitized for your protection):
gree.sitetrafficbrokers [.] com
more.sitetrafficbuilders [.] com
add.adtrafficbrokeradexchange [.] com
top.adtrafficmastersadexchange [.] com
new.admastersagency [.] com
add.private-meeting [.] com
new.theagingbusiness [.] com
far.theageingbusiness [.] com
sdf.sotograndepenthouses [.] com
org.admastersagency [.] info
By the end of 2016, the EITest infection chain had evolved to link compromised websites directly to an exploit kit, in this case RIG.
The RIG exploit kit pages listed above are created through domain shadowing, a technique cybercriminals use to expand their malicious infrastructure and hide their traffic from the authorities. The malware these pages download onto the victims’ computers depends on the victims’ geographic location, because the payload is delivered through a sophisticated TDS (Traffic Distribution System).
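To show how the indicators above can be put to defensive use, here is an added example (not code from the alert or from CSIS) that refangs the listed hostnames, scans a constructed proxy log for requests to them, and uses the Referer header to surface the legitimate site that redirected the visitor. The log format, the client addresses, the `legit-news.example` and `attacker.example` hostnames, and the `xyz.admastersagency.com` sibling subdomain are all constructed for the demonstration. Because domain shadowing mints new subdomains under a hijacked parent domain, the example also flags sibling labels under a listed parent as a heuristic; that generalisation and the two-label parent-domain guess are assumptions of this example, not statements from the alert.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Redirect-page hostnames exactly as the alert lists them (defanged with " [.] ").
DEFANGED_REDIRECT_HOSTS = [
    "gree.sitetrafficbrokers [.] com",
    "more.sitetrafficbuilders [.] com",
    "add.adtrafficbrokeradexchange [.] com",
    "top.adtrafficmastersadexchange [.] com",
    "new.admastersagency [.] com",
    "add.private-meeting [.] com",
    "new.theagingbusiness [.] com",
    "far.theageingbusiness [.] com",
    "sdf.sotograndepenthouses [.] com",
    "org.admastersagency [.] info",
]


def refang(indicator: str) -> str:
    """Turn 'sub.name [.] tld' back into 'sub.name.tld' (lower-case, no spaces)."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator.strip()).lower().rstrip(".")


def parent_domain(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (assumption of this
    example; fine for the .com/.info names here, but a public-suffix list is
    needed for ccTLDs such as .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


EXACT_HOSTS = {refang(i) for i in DEFANGED_REDIRECT_HOSTS}
SHADOWED_PARENTS = {parent_domain(h) for h in EXACT_HOSTS}


def classify_host(host: str):
    """Return a reason string if the host should be flagged, else None."""
    host = host.lower().rstrip(".")
    if host in EXACT_HOSTS:
        return "exact indicator"
    # Domain shadowing creates further subdomains under the same hijacked
    # parent, so a sibling label under a listed parent is worth a look (heuristic).
    if parent_domain(host) in SHADOWED_PARENTS:
        return "sibling subdomain of listed parent"
    return None


# Constructed proxy log format (not a real product's): ts client method url status referer
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referer>\S+)$"
)

# Constructed sample lines; every host that is not a listed indicator is invented.
SAMPLE_LOG = """\
2017-01-10T10:15:01Z 10.0.0.5 GET http://legit-news.example/article/42 200 -
2017-01-10T10:15:02Z 10.0.0.5 GET http://gree.sitetrafficbrokers.com/?id=17 302 http://legit-news.example/article/42
2017-01-10T10:15:03Z 10.0.0.5 GET http://xyz.admastersagency.com/land?geo=us 200 http://gree.sitetrafficbrokers.com/?id=17
2017-01-10T10:16:44Z 10.0.0.7 GET http://www.example.org/ 200 -
2017-01-10T10:17:09Z 10.0.0.9 GET http://sitetrafficbrokers.com.attacker.example/ 200 -
"""


def scan_log(text: str):
    """Return one dict per flagged request: who, which host, why, and the referring page."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        host = urlsplit(m["url"]).hostname or ""
        reason = classify_host(host)
        if reason is None:
            continue
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        hits.append({
            "ts": m["ts"], "client": m["client"], "host": host,
            "reason": reason, "referer_host": ref_host,
        })
    return hits


def likely_compromised_sites(hits):
    """Referers that are not themselves indicators are candidate compromised sites."""
    return Counter(h["referer_host"] for h in hits
                   if h["referer_host"] and classify_host(h["referer_host"]) is None)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("candidate compromised sites:", dict(likely_compromised_sites(found)))
```

Run against the sample, the scan flags the listed `gree.sitetrafficbrokers.com` page and the sibling `xyz.admastersagency.com`, attributes the first redirect to `legit-news.example`, and correctly ignores `sitetrafficbrokers.com.attacker.example`, whose registrable domain is not one of the listed parents.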
It’s no surprise, then, that a new banker – in this case, Panda Banker – has come on the scene, complete with a variety of information-stealing mechanisms. Like many modern banking Trojans, Panda Banker appears to have roots in Zeus, has sophisticated means of establishing persistence, and is used in both targeted and widespread attacks.
Antivirus detection is unfortunately low, and it applies to both the exploit kit and the payload delivery.
Here are 3 examples:
For those who want a bird’s eye view of how a RIG exploit kit infection happens, the graphic below may come in handy:
As always, we’d like to close this alert with a few protection steps you can take:
- Explore the benefits of traffic filtering;
- Listen to the experts and keep all your software up to date all the time;
- And secure your data and devices with multiple layers.
*This article features cyber intelligence provided by CSIS Security Group researchers.