Friday, Jan 22, 2016

Public Holidays Website Leads to RIG EK & Drive-by Download of Qakbot Malware

Nicholas Griffin Security Researcher

It is the beginning of 2016.  Most of us will be building our calendars around the year's public holidays. Many of us would of course use Google search to find these dates. But browsers beware, because one of the top results may result having your credentials and monies stolen by malware. The website in question: officeholidays[.]com, has been compromised and leads users to RIG exploit kit (EK).

Compromised Website

If you were to search for the term "public holidays" on Google UK then the website officeholidays[.]com would currently appear to you in the top three results. This site currently has an estimated 1 million visitors per month according to SimilarWeb.

However, this site has been compromised and visitors are being silently redirected to malicious content that will drop malware onto their machines. During our analysis we saw the following malicious traffic occurring:

Hand Crafted Javascript

What caught our attention and we believe is noteworthy is that a Javascript named slider.js has been included into officeholidays[.]com. This Javascript file does not seem to be a legitimate one that is used by the site. It has been included in such a way that it looks completely legitimate. This does not seem indicative of an automatic process that injects code into compromised websites. This is the behavior which we normally see. Instead, it seems likely to have been hand crafted and by someone who has taken the time to understand the code formatting and resource inclusions of the website.

Ultimately, we were silently redirected to an exploit kit called RIG. This attempts to find and exploit vulnerabilities on our system in order to execute malware.

 

RIG Exploit Kit & Qakbot Payload

RIG EK was able to successfully exploit a vulnerability (CVE-2015-5122) in our Adobe Flash Player version 19.0.0.207. Interestingly though, we found that RIG EK would not successfully exploit some newer Flash Player versions such as 19.0.0.245, despite other exploit kits such as Angler being able to do so.

After successful exploitation a malware payload was downloaded from the RIG EK server. RIG is known to use a simple XOR on the payload and in this instance the XOR key was "vwMKCwwA".

The resulting malware was Qakbot (SHA1:8f01932de5c565fa6d559998cc1938ac5f23c264), which is a multi-capable credential theft trojan that steals passwords, certificates, cookies, browser traffic and anything it can get its hands on. It  has plenty of anti-VM capabilities as an attempt to prevent auto-analysis tools from executing the malicious code, as well as being able to spread to network shares and removable drives.

Qakbot will capture browser traffic to and from banking websites if they match on pre-defined URL patterns, such as those in the following snippet that we extracted during our analysis:

tdetreasury.tdbank.com
cmoltp.bbt.com
cashmanageronline.bbt.com
.hsbcnet.com
ebc_ebc
blilk.com
bankeft.com
cmol.bbt.com
securentrycorp.zionsbank.com
tmcb.zionsbank.com
.web-access.com
nj00-wcm
commercial.bnc.ca
/clkccm/
paylinks.cunet.org
e-facts.org
accessonline.abnamro.com
...

Qakbot communicates with its command-and-control (C&C) infrastructure over HTTP(S) and uploads stolen data over FTP. We extracted the following C&Cs and FTP servers from this sample:

hxxps://mzvmmsedkr.biz/
hxxps://ewweorusgqoj.net/
hxxps://gdfqutzvshhgzheqksxj.biz/
hxxps://tsetndthrvsotsibqblhvkm.info/
hxxps://rkdxaovlaoltxnorwhtqo.com/

ftphost_1: 50.87.150.203
ftphost_2: 69.195.124.60
ftphost_3: 181.224.138.240
ftphost_4: 162.144.12.241

It is important to note that the FTP servers used here may be legitimate, but compromised servers.

 

Customer Protection

Forecepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

  • Stage 2 (Lure) - The malicious Javascript on the compromised website is detected and blocked.
  • Stage 3 (Redirect) - The malicious redirection URL is detected and blocked.
  • Stage 4 (Exploit Kit) - The RIG EK pages are identified and prevented from exploiting the user's browser.
  • Stage 6 (Backchannel Traffic) - Attempts by the malware to contact its command-and-control server are detected and blocked.

 

Summary

Exploit kit actors continue to look for popular websites to compromise in order to serve up malware, and in this instance the attackers have taken advantage of a perfect opportunity for compromising a public holidays website that is very popular at this time of year. The mere act of browsing to this website could result in significant financial and personal loss. Ensuring that your software is up to date will help to prevent these types of attacks from being able to execute malware on your system.

About the Author

NG

Nicholas Griffin

Security Researcher