Alert: Compromised Websites Spread Ransomware and Financial Malware
Infected websites redirect their visitors’ traffic to malware-spreading pages
As you’re reading this, an ongoing campaign is aggressively targeting legitimate web pages powered by insecure CMSs (Content Management Systems). The attackers’ objective is to inject malicious code, specifically EITest code, into these vulnerable websites. As a result, when users visit the compromised websites, they are automatically redirected to pages such as the ones below (selection sanitized for your protection):

- gree.sitetrafficbrokers[.]com
- more.sitetrafficbuilders[.]com
- add.adtrafficbrokeradexchange[.]com
- top.adtrafficmastersadexchange[.]com
- new.admastersagency[.]com
- add.private-meeting[.]com
- new.theagingbusiness[.]com
- far.theageingbusiness[.]com
- sdf.sotograndepenthouses[.]com
- org.admastersagency[.]info

By the end of 2016, the EITest infection chain had evolved to link compromised websites directly to an exploit kit, RIG in this case.

Source: Campaign Evolution: EITest from October through December 2016

The RIG exploit kit pages mentioned above are created through domain shadowing, a technique used by cybercriminals to expand their malicious infrastructure and hide their traffic from the authorities. The malware these pages download onto the victims’ computers depends on their geographic location, because the payload is delivered through sophisticated TDSs (Traffic Distribution Systems).

Source: Traffic Direction Systems as Malware Distribution Tools

The current campaign spreads Cerber ransomware and the new Panda Banker (financial malware), whose roots lie in the Zeus code. As researchers stated:
> It’s no surprise, then, that a new banker – in this case, Panda Banker – has come on the scene, complete with a variety of information stealing mechanisms. Like many modern banking Trojans, Panda Banker appears to have roots in Zeus with sophisticated means of establishing persistence and uses in both targeted and widespread attacks.
Antivirus detection is unfortunately low, and this applies to both the exploit kit and the payload delivery. Here are three examples:
For those who want a bird’s eye view of how a RIG exploit kit infection happens, the graphic below may come in handy:

As always, we’d like to close this alert with a few protection steps you can take:
- Explore the benefits of traffic filtering;
- Listen to the experts and keep all your software up to date all the time;
- And secure your data and devices with multiple layers.
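One concrete form of the traffic filtering step above is to check outbound DNS queries against the redirect domains published in this alert. The script below is an added example, not code from Heimdal or from the original post: it refangs the sanitized indicators listed earlier, parses a constructed resolver log (the log format and all timestamps and client IPs are invented for the example), and returns a "block" verdict for an exact indicator match. Because the RIG pages are created through domain shadowing, which plants many throwaway hostnames under a hijacked parent domain, it also returns a "review" verdict for other hostnames under the same parent rather than blocking the parent outright, since that parent may belong to a legitimate site.

```python
import re
from collections import namedtuple

# Indicators copied from the alert text above, kept in their defanged
# "[.]" form so the source file never contains a live domain.
DEFANGED_IOCS = [
    "gree.sitetrafficbrokers[.]com",
    "more.sitetrafficbuilders[.]com",
    "add.adtrafficbrokeradexchange[.]com",
    "top.adtrafficmastersadexchange[.]com",
    "new.admastersagency[.]com",
    "add.private-meeting[.]com",
    "new.theagingbusiness[.]com",
    "far.theageingbusiness[.]com",
    "sdf.sotograndepenthouses[.]com",
    "org.admastersagency[.]info",
]


def refang(domain):
    """Turn a defanged indicator ('host[.]tld') back into a matchable name."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def registrable_domain(fqdn):
    """Parent of a hostname, approximated as its last two labels.
    (Assumption: no public-suffix list, so 'x.co.uk'-style names are not handled.)"""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


IOC_FQDNS = {refang(d) for d in DEFANGED_IOCS}
IOC_PARENTS = {registrable_domain(d) for d in IOC_FQDNS}

# Constructed sample resolver log (invented for this example), one query per
# line: "<timestamp> <client-ip> <queried-name> <record-type>"
SAMPLE_DNS_LOG = """\
2017-01-10T09:12:01Z 10.0.0.15 www.example.org A
2017-01-10T09:12:03Z 10.0.0.15 gree.sitetrafficbrokers.com A
2017-01-10T09:12:04Z 10.0.0.22 cdn.example.net A
2017-01-10T09:12:07Z 10.0.0.22 xyz.sitetrafficbrokers.com A
2017-01-10T09:12:09Z 10.0.0.31 ORG.ADMASTERSAGENCY.INFO. A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

Hit = namedtuple("Hit", "timestamp client name verdict")


def classify(name):
    """'block' for a published indicator, 'review' for a sibling host under the
    same shadowed parent domain, None for anything else."""
    fqdn = name.lower().rstrip(".")
    if fqdn in IOC_FQDNS:
        return "block"
    if registrable_domain(fqdn) in IOC_PARENTS:
        return "review"
    return None


def scan_dns_log(text):
    """Return a Hit for every log line whose queried name warrants action."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines instead of aborting the scan
        timestamp, client, name, _qtype = match.groups()
        verdict = classify(name)
        if verdict:
            hits.append(Hit(timestamp, client, name.lower().rstrip("."), verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit.verdict:6} {hit.timestamp} {hit.client} {hit.name}")
```

Case and trailing-dot normalisation matter here: resolver logs often record names in mixed case or in absolute form, and an exact-match list that skips that step silently misses the very indicators it was built from.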