Forcepoint Security Labs™ identified this week that a well known transport company's website had been compromised. We discovered that it was redirecting users to Angler Exploit Kit (EK). Forcepoint informed the company who were quick to respond and address the issue. Users browsing to the site were exposed to malware being silently dropped onto their system and executed in the background. When we analyzed the infection we saw that users were being redirected to Angler EK which was then exploiting CVE-2015-8651, affecting Adobe Flash Player versions up to 220.127.116.11 and 18.104.22.168.
The website in question belongs to a transport company that is very popular in Europe, whose name we have redacted due to us assisting with on-going investigations. The website uses Joomla, which is no stranger to vulnerabilities and attacks in the wild, but we do not know whether the website was compromised due to an attack on their Joomla installation or not.
fig 1. Injected code on compromised website
The code injected into the website in this instance was a very large piece of obfuscated code, a snippet of which can be seen in fig 1. The intention of the code was to redirect users to an exploit kit known as Angler EK, and we see this type of code injected into hundreds of websites on a daily basis. The actors behind the code sometimes redirect users to Neutrino EK for a few days as they did at the beginning of January, but they almost always lead to Angler.
fig 2. Angler EK activity in January
The infection chain was as follows, simplified to only show the significant requests in the chain:
Compromised site: hxxp://www.**redacted**.com/de/
--> Angler EK landing page: hxxp://fbendservent-gratulabitur.brotherhoodmc[.]org/boards/index.php?
--> Angler EK Flash Exploit (CVE-2015-8651): hxxp://fbendservent-gratulabitur.brotherhoodmc[.]org/similar.jsf?
--> Angler EK CryptoWall 4.0 payload: hxxp://fbendservent-gratulabitur.brotherhoodmc[.]org/former.xhtm?
--> CryptoWall 4.0 command-and-control: hxxp://yardstickglobal[.]in/Y37Jux.php?
Flash Player Exploit - CVE-2015-8651
fig 3. Angler EK requesting a SWF exploit
The Adobe Flash Player exploit used in this attack managed to leverage a very recent vulnerability, CVE-2015-8651 which Kafeine recently wrote about on his blog. We managed to de-compile the exploit that we were given by Angler EK, and identified the routine that triggers the vulnerability:
fig 4. Angler EK's CVE-2015-8651 exploit trigger
Antiy Labs wrote a nice blog on how CVE-2015-8651 works, which is essentially an integer overflow vulnerability.
Angler EK is currently the only commercial exploit kit that is leveraging this vulnerability, while other EKs such as Neutrino, Nuclear and RIG are using exploits for older Flash vulnerabilities. Flash Player versions up to and including 22.214.171.124 and 126.96.36.199 are affected by CVE-2015-8651. Adobe patched the vulnerability from version 188.8.131.520 onwards.
The SHA1 of the sample we encountered is 918efa4d30ad6018c7b7c7a66d701a3d122dfeac and we have also uploaded the unpacked SWF to VirusTotal for other researchers to analyze.
In the infection chain that we analyzed, the CryptoWall 4.0 ransomware was downloaded and executed on our machine. We will not go into any details about CryptoWall 4.0 in this blog, which has been thoroughly documented in recent months.
The command-and-control proxy servers that we obtained from the CryptoWall sample (6af2aa305bc7da913ece5a5c98b214f3dae63738) are listed below:
hxxp://premierdisneyvilla.com/QXeHOy.php hxxp://thebeautythesis.com/UaEigq.php hxxp://wallpapersau.net/igrHKY.php hxxp://neoad.de/NXy1mb.php hxxp://jlprotect.ca/_poxuV.php hxxp://dunwoodypress.com/DJHMXS.php hxxp://zolty.eu/bnFKET.php hxxp://behejbrno.com/MixtUZ.php hxxp://campaignforyoungamerica.org/LT3YRB.php hxxp://pc.all-to-all.com/Ryfq7Y.php hxxp://apexminerals.com.au/k8HqvL.php hxxp://macphoto.nl/7NBUqj.php hxxp://acie.edu.np/DFQvsZ.php hxxp://international.woptimo.com/YglxHK.php hxxp://t-firma-en.itech-websolutions.com/U2Ac7i.php hxxp://artistblip.com/QJ9HzW.php hxxp://villisplace.info/fJQ_3v.php hxxp://jogos.testeqi.com.br/4t1E7X.php hxxp://telecom-sa.com/azRXqt.php hxxp://dolphinworld.org/MaB54K.php hxxp://yardstickglobal.in/Y37Jux.php hxxp://noahwilbanks.com/PtXsO_.php hxxp://kskillsmobility.eu/ludO0_.php hxxp://liberal.com.mx/0My2EZ.php hxxp://itt-pushkino.org/D2BE6m.php hxxp://avazuinc.com/D04m5N.php hxxp://empiredigitalmarketing.com/09LihY.php hxxp://apptitudes.fr/eC2F1f.php hxxp://ifawindow.co.uk/0w5MVI.php hxxp://calsalumni.iastate.edu.staging.sites.flyinghippo.com/ScXajM.php hxxp://grafitti-photo.com/IGHOYq.php hxxp://bem-bakery.com/HPINRS.php hxxp://dentiste-paris-20.fr/IhfweE.php hxxp://daddysground.cz/zTVoGb.php hxxp://hatha.it/6tnLEG.php hxxp://bulksmsdealer.com/vR3BEX.php hxxp://mangohills.net/RxIoCE.php hxxp://aspectdesigns.com.au/0rTVlG.php hxxp://acmm.org.au/idjFbx.php hxxp://emotionwerbung.de/389Tak.php hxxp://indonesiandomains.com/e9vsxj.php hxxp://myteaminspired.com/mzTOIv.php hxxp://monicasalvador.com.ar/btWiaQ.php hxxp://turbosol.asia/l7xydO.php hxxp://hand-made.by/rQWftY.php hxxp://conseils-finance.com/kJsnUb.php hxxp://stevesyachtrepair.com/S8bJFl.php hxxp://morainecare.com/eQRvWp.php hxxp://taftee.in/JnGQ1s.php hxxp://larosa.com.au/8beYcC.php hxxp://itvsoft.asia/rRwKxj.php hxxp://jameswbos.com/v10aAJ.php hxxp://giaohang.org/lCs_PE.php hxxp://thebesttshirtsonline.com/CF9iM8.php hxxp://vancouverdispensarycoalition.ca/euqUb5.php hxxp://muel.altervista.org/z1ho2W.php hxxp://edlenimaging.com/be5AmR.php hxxp://goldenangels.com.tr/l4Fw8D.php hxxp://uzmankirala.com/KhVRbv.php hxxp://igotocd.com/rklVaO.php hxxp://dining-bar.com/BQ_Ln4.php hxxp://jadwalpialadunia.in/rG4Rdi.php hxxp://en.theolympiaschools.edu.vn/FCfXeB.php hxxp://ihadthat.com/1NEnbi.php hxxp://directoryassistanceamerica.com/XeBUDN.php hxxp://australianmotorinns.com/9ctKlH.php hxxp://event-travel.co.uk/3K6Psd.php hxxp://london-escorts-agency.org.uk/fdnmyD.php hxxp://vinastudio.at/8TkXUJ.php hxxp://jjcampbell.com/1wK5Iy.php
Forecepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:
- Stage 4 (Exploit Kit) - The Angler EK pages are identified and prevented from exploiting the user's browser.
- Stage 6 (Backchannel Traffic) - Attempts by the CryptoWall 4.0 malware to contact its command-and-control server are detected and blocked in real-time.
Observations - An Attack on One is an Attack on All
What is interesting to note is that the compromised site in question is the 'front door' to one of the services provided by a major European company. Within the company portfolio are services in the areas of airlines, car hire, mass transit, Internet and even hotel and lettings. As with similar organizations, these services are integrated at the marketing and customer communications level. Receiving an email from the group on say mass transit will include references and links to their other services. In this particular case, one of our researchers subsequently identified the compromised site linked from a booking confirmation email for a different group member service. This illustrates two considerations:
That it only takes one weak link to allow those with malicious intent to potentially 'reach out' to the whole of the corporate customer base and
When building customer messaging material, extra rigor should be considered when including links to other services both to external services but especially those 'in-house'. Don't just be careful what you click on, be careful what you link to.
Angler EK continues to be one of the biggest threats to individuals and organizations around the globe. The adoption of one of the newest vulnerabilities in Adobe Flash Player, in conjunction with compromising high profile websites, guarantees that the criminals behind Angler EK have a large surface area of potential victims. It is important to keep up to date with software updates, especially for Adobe Flash Player which is often the weapon of choice for malware actors when it comes to finding vulnerabilities.