Alert: Compromised Websites Spread Ransomware and Financial Malware
Infected websites redirect their visitors’ traffic to malware-spreading pages
As you’re reading this, an ongoing campaign is aggressively targeting legitimate web pages powered by insecure CMSs (Content Management Systems). The attackers’ objective is to inject malicious code – specifically EITest code – into these vulnerable websites. As a result, when users visit the compromised websites, they will be automatically redirected to pages such as the ones below (selection sanitized for your protection): gree.sitetrafficbrokers [.] com more.sitetrafficbuilders [.] com add.adtrafficbrokeradexchange [.] com top.adtrafficmastersadexchange [.] com new.admastersagency [.] com add.private-meeting [.] com new.theagingbusiness [.] com far.theageingbusiness [.] com sdf.sotograndepenthouses [.] com org.admastersagency [.] info The EITest infection string evolved by the end of 2016 to directly linked compromised websites to an exploit kit, such as RIG in this case. Source: Campaign Evolution: EITest from October through December 2016 The RIG exploit kit pages mentioned above are created through domain shadowing, a technique used by cybercriminals to expand their malicious infrastructure and hide their traffic from the authorities. The malware these pages download onto the victims’ computers depends on their geographic location. That’s because the payload is delivered through a sophisticated TDSs (Traffic Distribution Systems). Source: Traffic Direction Systems as Malware Distribution Tools The current campaign spreads Cerber ransomware and the new Panda banker (financial malware), whose roots lie in the Zeus code. As researchers stated:
It’s no surprise, then, that a new banker – in this case, Panda Banker – has come on the scene, complete with a variety of information stealing mechanisms. Like many modern banking Trojans, Panda Banker appears to have roots in Zeus with sophisticated means of establishing persistence and uses in both targeted and widespread attacks.
Antivirus detection is unfortunately low, and it applies to both the exploit kit and the payload delivery. Here are 3 examples:
For those who want a bird’s eye view of how a RIG exploit kit infection happens, the graphic below may come in handy: As always, we’d like to close this alert with a few protection steps you can take:
- Explore the benefits of traffic filtering;
- Listen to the experts and keep all your software up to date all the time;
- And secure your data and devices with multiple layers.
EASY AND RELIABLE. WORKS WITH ANY ANTIVIRUS.Download Free Trial
NO CREDIT CARD REQUIRED
Thanks for this useful article.
This exploit, among others, benefits from a weakness with many browsers. Badly designed browsers accept redirections, silently and without alerting the surfer. My experience of browsers is limited to IE, and a few browsers from each of the Chromium and Mozilla families. Only Firefox and its forks interrupt redirections to alert the surfer and ask for directions. Unfortunately, even this is badly implemented by putting a truncated version of the alternative target in the notification, and not allowing the surfer to have the full URL!
Love your updates, Thank you
Thank you so much, Ulriko! I’m really glad you find them useful.
Hello Maam, so i have website from wordpress automattic. They host the site and i dont even have my own hosting. So my question is, am i at risk?
Hi Ramin! If you keep WordPress and all your plugins up to date, you should be fine.