As you’re reading this, an ongoing campaign is aggressively targeting legitimate web pages powered by insecure CMSs (Content Management Systems). The attackers’ objective is to inject malicious code – specifically EITest code – into these vulnerable websites. As a result, when users visit the compromised websites, they will be automatically redirected to pages such as the ones below (selection sanitized for your protection): gree.sitetrafficbrokers [.] com more.sitetrafficbuilders [.] com add.adtrafficbrokeradexchange [.] com top.adtrafficmastersadexchange [.] com new.admastersagency [.] com add.private-meeting [.] com new.theagingbusiness [.] com far.theageingbusiness [.] com sdf.sotograndepenthouses [.] com org.admastersagency [.] info The EITest infection string evolved by the end of 2016 to directly linked compromised websites to an exploit kit, such as RIG in this case. EITest_1 Source: Campaign Evolution: EITest from October through December 2016 The RIG exploit kit pages mentioned above are created through domain shadowing, a technique used by cybercriminals to expand their malicious infrastructure and hide their traffic from the authorities.  The malware these pages download onto the victims’ computers depends on their geographic location. That’s because the payload is delivered through a sophisticated TDSs (Traffic Distribution Systems). the structure of sites that use traffic distribution systems Source: Traffic Direction Systems as Malware Distribution Tools The current campaign spreads Cerber ransomware and the new Panda banker (financial malware), whose roots lie in the Zeus code. As researchers stated:

It’s no surprise, then, that a new banker – in this case, Panda Banker – has come on the scene, complete with a variety of information stealing mechanisms. Like many modern banking Trojans, Panda Banker appears to have roots in Zeus with sophisticated means of establishing persistence and uses in both targeted and widespread attacks.

Antivirus detection is unfortunately low, and it applies to both the exploit kit and the payload delivery. Here are 3 examples:

For those who want a bird’s eye view of how a RIG exploit kit infection happens, the graphic below may come in handy: How Rig Exploit Kit Works As always, we’d like to close this alert with a few protection steps you can take:

The easy way to protect yourself against malware
Here's 1 month of Heimdal™ Threat Prevention Home, on the house!
Heimdal™ Threat Prevention Home
Use it to: Block malicious websites and servers from infecting your PC Auto-update your software and close security gaps Keep your financial and other confidential details safe


Download Free Trial


*This article features cyber intelligence provided by CSIS Security Group researchers.

Ransomware Explained. What It Is and How It Works

Security Alert: RIG EK Spreads Cerber, Targets Outdated Popular Apps

15 Steps to Maximize your Financial Data Protection


Thanks for this useful article.

This exploit, among others, benefits from a weakness with many browsers. Badly designed browsers accept redirections, silently and without alerting the surfer. My experience of browsers is limited to IE, and a few browsers from each of the Chromium and Mozilla families. Only Firefox and its forks interrupt redirections to alert the surfer and ask for directions. Unfortunately, even this is badly implemented by putting a truncated version of the alternative target in the notification, and not allowing the surfer to have the full URL!

Love your updates, Thank you

Thank you so much, Ulriko! I’m really glad you find them useful.

Hello Maam, so i have website from wordpress automattic. They host the site and i dont even have my own hosting. So my question is, am i at risk?

Hi Ramin! If you keep WordPress and all your plugins up to date, you should be fine.

Leave a Reply

Your email address will not be published. Required fields are marked *