Burrp compromised to serve Angler EK and deliver TeslaCrypt ransomware

KNOWLEDGE BELONGS TO THE WORLD
Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this

An Indian restaurant recommendation site contains injected code which redirects users to the Angler EK, which in turn drops TeslaCrypt (Trojan.Cryptolocker.N) on the computer.

A popular Indian restaurant recommendation site called Burrp was compromised to redirect users to the Angler exploit kit (EK) in order to deliver the TeslaCrypt ransomware (detected as  Trojan.Cryptolocker.N). The attack appears to be related to a technique described in a recent SANS advisory, as it used the gateway [MALICIOUS SITE].info/megaadvertize.

The site has been sending users to the exploit kit since the beginning of February and still appears to be affected at the time of writing. Most of the users who have been impacted by this attack are based in the US and India.

f1_burrp_heatmap_LOB.png

Symantec notified Burrp of the compromise and the company has stated that it is working to resolve the issue.

How the attack works
The attackers compromised Burrp by injecting code into one of the site’s JavaScript files (jquery-form.js). This code redirects users to [MALICIOUS SITE].info which includes the “megaadvertize” string in the URL.

f2_megaadImage._blurjpg.jpg
Figure 2. Injected code on Burrp originally redirected users to a malicious site with “megaadvertize” in the URL

Recently, we observed that the “megaadvertize” string has since changed to “hellomylittlepiggy”.

Fig3-redirection_pattern_2_blurred.png
Figure 3. Injected code on Burrp now redirects users to a malicious site with “hellomylittlepiggy” in the URL

From here, the site gets a script from the exploit kit’s server. The script then sends a POST request to the same remote location. The response to this request includes an .html file which redirects users to the Angler exploit kit landing page.

Fig4-new_angler_redirect_blurred.png
Figure 4. Decoded .html file shows the URL pattern for the Angler exploit kit landing page

This page decrypts the exploit kit’s landing page content using the Tiny Decryption algorithm with the key “2654435769” in decimals.

From here, Angler attempts to exploit the Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-6332). If the exploit succeeds, then the TeslaCrypt payload is dropped onto the computer. If the exploit doesn’t work, then the kit drops an .swf file with an exploit for the Adobe Flash Player and AIR Unspecified Integer Overflow Vulnerability (CVE-2015-8651) to download TeslaCrypt onto the computer.

In the past few days, Angler has also been observed delivering exploits for the Microsoft Silverlight Remote Code Execution Vulnerability (CVE-2016-0034).

TeslaCrypt in action
Once TeslaCrypt arrives, it writes an executable file to memory, which carries the Trojan’s main functionality. It encrypts files with the RSA-4096 algorithm and adds the .micro extension to them. The Trojan then drops the ransom message into every folder with encrypted files. This notice demands that the user pays in bitcoins to obtain the decryption key and restore their data.

f4_teslacrypt.jpg
Figure 5. TeslaCrypt’s ransom warning

Mitigation
Attackers have been known to actively search for sites with security flaws in order to use them as unwitting hosts for their campaigns. As well as injecting code into sites, attackers can also take advantage of ad networks to host malicious ads on affected sites.

The best way for users to avoid infection from these types of attacks is to take preemptive action:

  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  • Always keep your security software up to date to protect yourself against any new variants of malware.
  • Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.

If you suspect that a site you use has been compromised, notify the site’s administrator as soon as possible to prevent the attack from spreading further.

Protection
Symantec and Norton products have the following detections in place against this campaign:

AV

  • Exp.CVE-2014-6332
  • Exp.CVE-2015-8651
  • Trojan.Cryptolocker.N

IPS

  • Web Attack: Exploit Kit Redirect 4
  • Web Attack: Exploit Kit Redirection 2
  • Web Attack: Angler Exploit Kit Website 6
  • Web Attack: Angler Exploit Kit Flash Exploit 6
  • System Infected: Trojan.Cryptolocker.N Activity 3
  • System Infected: Trojan.Cryptolocker.N Activity 9
  • Web Attack: Malicious Silverlight File Download 22

Source:http://www.symantec.com/

KNOWLEDGE BELONGS TO THE WORLD
Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this