Popular Indonesian Tech News Site Serves up a Side of Malware
<p>
Raytheon | Websense® Security Labs™ researchers have identified a recent malvertising campaign affecting a popular Indonesian technology news site, Tabloid Pulsa. Users browsing the site are redirected to an exploit kit and served malware, because an advertising script the site loads from a third party has been compromised.</p>
<p>
Raytheon | Websense customers are protected against this threat via real-time analytics with ACE, the Websense <a href="http://www.websense.com/content/websense-advanced-classification-engine.... rel="nofollow" target="_blank">Advanced Classification Engine</a>.</p>
<h2>
Compromised Website</h2>
<p>
The compromised website in question is <em>tabloidpulsa[.]co[.]id</em>, a popular Indonesian site with close to 1 million visits per month according to <a href="http://www.similarweb.com/website/tabloidpulsa.co.id#overview" target="_blank">SimilarWeb</a>. The site loads an ad-delivery script from a Revive Adserver installation that has been compromised; this is not the first time we have <a href="http://blogs.websense.com/security-labs/large-malvertising-campaign-lead... target="_blank">seen these scripts compromised</a>. The script has been modified to insert an iframe that points to a malicious redirector site, which in turn sends the browser on to Nuclear Exploit Kit.</p>
<p>
<img alt="" src="/sites/default/files/blog/legacy/security-labs/5417.tabloidpulsa_similarweb.png-550x0.png" style="height:326px; width:550px" /></p>
<p>
The compromised advertising script is hosted on a third-party website, <em>ox[.]indomediagroup[.]com</em>, and is embedded by at least two other popular Indonesian sites, so visitors to those sites may be affected as well.</p>
<p>
Here is the full infection chain:</p>
<ol>
<li><em>tabloidpulsa[.]co[.]id</em> - <strong>Compromised website</strong></li>
<li><em>ox[.]indomediagroup[.]com/www/delivery/afr.php?zoneid=83&cb=INSERT_RANDOM_NUMBER_HERE&ct0=INSERT_CLICKURL_HERE</em> - <strong>Compromised Revive Adserver script</strong></li>
<li><em>rectangle[.]radionasarijecchicago[.]com/fxxnem4.html</em> - <strong>Malicious redirect</strong></li>
<li><em>hofawubv[.]mine[.]nu/forum/index.php?showtopic=420</em> - <strong>Nuclear Exploit Kit</strong></li>
</ol>
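<p>
The following is an added example, not code from the post or from Websense: a small Python checker for the kind of modification described above, an iframe injected into an ad-delivery response that is hidden (1x1 or CSS-hidden) or points to a host outside the ad network. Because such injections are usually written out by an inline script with escaped angle brackets rather than placed as static markup, the checker also parses the HTML that each inline script would write. The allowlist and the two sample responses are constructed for this example; the hostnames in them are the ones from the chain above and are only ever handled as strings, nothing is fetched.</p>

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for this example: hosts the ad server may legitimately frame.
# The two names come from the post; an operator would add their own ad networks.
ALLOWED_DOMAINS = {"ox.indomediagroup.com", "tabloidpulsa.co.id"}

# JavaScript escapes commonly used to hide tags inside document.write('...').
_JS_ESCAPES = {r"\x3c": "<", r"\x3e": ">", r"\/": "/", r"\'": "'", r'\"': '"'}


def _unescape_js(text):
    for esc, plain in _JS_ESCAPES.items():
        text = text.replace(esc, plain)
    return text


class _IframeCollector(HTMLParser):
    """Collects <iframe> tags from markup and from tags written out by inline scripts."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self._script = None  # buffer for the <script> body currently being read

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = _unescape_js("".join(self._script))
            self._script = None
            if "<iframe" in body.lower():
                inner = _IframeCollector()  # parse the HTML the script would write
                inner.feed(body)
                inner.close()
                self.iframes.extend(inner.iframes)


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    width, height = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    return (width in {"0", "1"} or height in {"0", "1"}
            or "display:none" in style or "visibility:hidden" in style)


def _allowed(host, allowed):
    return any(host == d or host.endswith("." + d) for d in allowed)


def find_suspicious_iframes(html, allowed=ALLOWED_DOMAINS):
    """Return [(src, reasons)] for iframes that are hidden or point off the allowlist."""
    collector = _IframeCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and not _allowed(host, allowed):
            reasons.append(f"off-allowlist host {host}")
        if _is_hidden(frame):
            reasons.append("hidden or 1x1 frame")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample of a clean publisher fragment embedding the Revive afr.php frame.
CLEAN_AD = """<html><body>
<iframe src="http://ox.indomediagroup.com/www/delivery/afr.php?zoneid=83" width="300" height="250" frameborder="0"></iframe>
<script type="text/javascript">var ox_lg = 'http://ox.indomediagroup.com/www/delivery/lg.php?bannerid=12';</script>
</body></html>"""

# Same fragment with a hidden iframe injected via document.write, modelled on the
# redirect step of the chain in the post (constructed; the URL is never fetched).
INJECTED_AD = CLEAN_AD.replace(
    "</body>",
    "<script>document.write('\\x3ciframe src=\"http://rectangle.radionasarijecchicago.com/fxxnem4.html\" "
    "width=\"1\" height=\"1\" style=\"visibility:hidden\"\\x3e\\x3c/iframe\\x3e');</script></body>")

if __name__ == "__main__":
    print("clean:", find_suspicious_iframes(CLEAN_AD))
    print("injected:", find_suspicious_iframes(INJECTED_AD))
```

<p>
Run against a response you have captured from your own ad tag (for example with the zone ID your pages actually use), this flags the injected frame while leaving the 300x250 creative alone. It is a content check, not a substitute for controlling which third-party hosts are allowed to load scripts at all.</p>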
<h2>
Malware Payload</h2>
<p>
When we analyzed the infection chain for this attack on November 3, Nuclear Exploit Kit targeted our outdated version of Adobe Flash Player with an exploit for CVE-2015-5122 (<a href="https://www.virustotal.com/en/file/09c2e2d19d56f87c5b5342d95422e12d929f9... target="_blank">VirusTotal</a>), and then dropped what appears to be a new variant of the Ursnif malware:</p>
<p>
<a href="https://www.virustotal.com/en/file/514b0d82faa73cee71e7b9323411f496be435... target="_blank">https://www.virustotal.com/en/file/514b0d82faa73cee71e7b9323411f496be435...</a></p>
<p>
This Ursnif variant communicates with the following command and control (C&C) servers over HTTP:</p>
<ul>
<li><em>rastobona[.]com</em></li>
<li><em>artefaki[.]com</em></li>
<li><em>spamhausanilingus[.]ru</em></li>
<li><em>gazivitaton[.]ru</em></li>
</ul>
<p>
and with the following C&C server over UDP port 9772:</p>
<p>
<em>95[.]215[.]110[.]147</em></p>
<p>
Ursnif is capable of intercepting, modifying, and exfiltrating traffic from browsers such as Internet Explorer, Chrome, and Firefox, as well as providing a general-purpose backdoor into the user's system.</p>
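<p>
As an added example (not code from the post or from Websense), the Python below hunts for the Ursnif indicators listed above in Zeek-style DNS and connection logs: a DNS query for any of the four C&C domains or one of their subdomains, and a UDP flow to 95[.]215[.]110[.]147 on port 9772. The log excerpts are constructed for the example and reduced to the columns the check needs; the column names follow Zeek's dns.log and conn.log, but the field order here is an assumption for the sample rather than Zeek's full schema. The domain match is suffix-based on purpose: a plain substring match would also hit an unrelated name such as notrastobona[.]com.</p>

```python
# IOCs from the post: the four HTTP C&C domains and the UDP beacon endpoint.
C2_DOMAINS = {"rastobona.com", "artefaki.com", "spamhausanilingus.ru", "gazivitaton.ru"}
C2_UDP_ENDPOINT = ("95.215.110.147", 9772)


def domain_matches(name, iocs=C2_DOMAINS):
    """True if name is an IOC domain or a subdomain of one (case-insensitive, ignores trailing dot)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


# Constructed dns.log excerpt (not a real capture). Columns: ts, id.orig_h, query.
DNS_LOG = """\
#fields\tts\tid.orig_h\tquery
1446552000.10\t10.0.0.23\twww.tabloidpulsa.co.id
1446552003.52\t10.0.0.23\tox.indomediagroup.com
1446552041.07\t10.0.0.23\tcdn.rastobona.com
1446552041.90\t10.0.0.23\tgazivitaton.ru
1446552100.00\t10.0.0.45\tnotrastobona.com
"""

# Constructed conn.log excerpt. Columns: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1446552042.11\t10.0.0.23\t49211\t95.215.110.147\t9772\tudp
1446552042.50\t10.0.0.23\t49212\t95.215.110.147\t80\ttcp
1446552055.00\t10.0.0.45\t53122\t8.8.8.8\t53\tudp
"""


def _records(log):
    """Yield tab-split fields for each non-comment line of a Zeek-style TSV log."""
    for line in log.splitlines():
        if line and not line.startswith("#"):
            yield line.split("\t")


def hunt_ursnif(dns_log, conn_log):
    """Return {internal host: [evidence strings]} for hosts that touched any IOC."""
    hits = {}
    for ts, host, query in _records(dns_log):
        if domain_matches(query):
            hits.setdefault(host, []).append(f"{ts} dns query {query}")
    for ts, host, _orig_p, resp_h, resp_p, proto in _records(conn_log):
        if proto == "udp" and (resp_h, int(resp_p)) == C2_UDP_ENDPOINT:
            hits.setdefault(host, []).append(f"{ts} udp beacon to {resp_h}:{resp_p}")
    return hits


if __name__ == "__main__":
    for host, evidence in sorted(hunt_ursnif(DNS_LOG, CONN_LOG).items()):
        print(host)
        for line in evidence:
            print("  ", line)
```

<p>
A host that shows up with both DNS evidence and the UDP beacon, as 10.0.0.23 does in the sample, is a much stronger signal than either alone and is the one to pull for forensic review first.</p>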
<h2>
Summary</h2>
<p>
Malvertising remains one of the most popular delivery methods for web-based exploits, and a single compromised advertising script exposes every site that embeds it. Businesses should weigh carefully which third-party scripts they allow on their pages, and from which hosts, in order to minimize their exposure. Raytheon | Websense will continue to monitor this malvertising campaign and its associated malware.</p>