As you’re reading this, an ongoing campaign is aggressively targeting legitimate web pages powered by insecure CMSs (Content Management Systems). The attackers’ objective is to inject malicious code – specifically EITest code – into these vulnerable websites.

As a result, when users visit the compromised websites, they will be automatically redirected to pages such as the ones below (selection sanitized for your protection):

gree.sitetrafficbrokers [.] com
more.sitetrafficbuilders [.] com
add.adtrafficbrokeradexchange [.] com
top.adtrafficmastersadexchange [.] com
new.admastersagency [.] com
add.private-meeting [.] com
new.theagingbusiness [.] com
far.theageingbusiness [.] com
sdf.sotograndepenthouses [.] com
org.admastersagency [.] info

The EITest infection string evolved by the end of 2016 to directly linked compromised websites to an exploit kit, such as RIG in this case.


Source: Campaign Evolution: EITest from October through December 2016

The RIG exploit kit pages mentioned above are created through domain shadowing, a technique used by cybercriminals to expand their malicious infrastructure and hide their traffic from the authorities.  The malware these pages download onto the victims’ computers depends on their geographic location. That’s because the payload is delivered through a sophisticated TDSs (Traffic Distribution Systems).

the structure of sites that use traffic distribution systems

Source: Traffic Direction Systems as Malware Distribution Tools

The current campaign spreads Cerber ransomware and the new Panda banker (financial malware), whose roots lie in the Zeus code. As researchers stated:

It’s no surprise, then, that a new banker – in this case, Panda Banker – has come on the scene, complete with a variety of information stealing mechanisms. Like many modern banking Trojans, Panda Banker appears to have roots in Zeus with sophisticated means of establishing persistence and uses in both targeted and widespread attacks.

Antivirus detection is unfortunately low, and it applies to both the exploit kit and the payload delivery.

Here are 3 examples:

For those who want a bird’s eye view of how a RIG exploit kit infection happens, the graphic below may come in handy:

How Rig Exploit Kit Works

As always, we’d like to close this alert with a few protection steps you can take:

The easy way to protect yourself against malware
Here's 1 month of Thor Foresight Home, on the house!
Use it to: Block malicious websites and servers from infecting your PC Auto-update your software and close security gaps Keep your financial and other confidential details safe


Try Thor Foresight

*This article features cyber intelligence provided by CSIS Security Group researchers.

What is Ransomware
2017.05.15 SLOW READ

What is Ransomware – 15 Easy Steps To Protect Your System [Updated]

RIG Exploit Kit Cerber Ransomware outdated software
2017.01.13 QUICK READ

Security Alert: RIG EK Spreads Cerber, Targets Outdated Popular Apps

Financial Data Protection

15 Steps to Maximize your Financial Data Protection [Updated]


This exploit, among others, benefits from a weakness with many browsers. Badly designed browsers accept redirections, silently and without alerting the surfer. My experience of browsers is limited to IE, and a few browsers from each of the Chromium and Mozilla families. Only Firefox and its forks interrupt redirections to alert the surfer and ask for directions. Unfortunately, even this is badly implemented by putting a truncated version of the alternative target in the notification, and not allowing the surfer to have the full URL!

Love your updates, Thank you

Thank you so much, Ulriko! I’m really glad you find them useful.

Hello Maam, so i have website from wordpress automattic. They host the site and i dont even have my own hosting. So my question is, am i at risk?

Hi Ramin! If you keep WordPress and all your plugins up to date, you should be fine.

Leave a Reply

Your email address will not be published. Required fields are marked *