Public Holidays Website Leads to RIG EK & Drive-by Download of Qakbot Malware
It is the beginning of 2016. Most of us will be building our calendars around the year's public holidays. Many of us would of course use Google search to find these dates. But browsers beware, because one of the top results may result having your credentials and monies stolen by malware. The website in question: officeholidays[.]com, has been compromised and leads users to RIG exploit kit (EK).
If you were to search for the term "public holidays" on Google UK then the website officeholidays[.]com would currently appear to you in the top three results. This site currently has an estimated 1 million visitors per month according to SimilarWeb.
However, this site has been compromised and visitors are being silently redirected to malicious content that will drop malware onto their machines. During our analysis we saw the following malicious traffic occurring:
Ultimately, we were silently redirected to an exploit kit called RIG. This attempts to find and exploit vulnerabilities on our system in order to execute malware.
RIG Exploit Kit & Qakbot Payload
RIG EK was able to successfully exploit a vulnerability (CVE-2015-5122) in our Adobe Flash Player version 184.108.40.206. Interestingly though, we found that RIG EK would not successfully exploit some newer Flash Player versions such as 220.127.116.11, despite other exploit kits such as Angler being able to do so.
After successful exploitation a malware payload was downloaded from the RIG EK server. RIG is known to use a simple XOR on the payload and in this instance the XOR key was "vwMKCwwA".
The resulting malware was Qakbot (SHA1:8f01932de5c565fa6d559998cc1938ac5f23c264), which is a multi-capable credential theft trojan that steals passwords, certificates, cookies, browser traffic and anything it can get its hands on. It has plenty of anti-VM capabilities as an attempt to prevent auto-analysis tools from executing the malicious code, as well as being able to spread to network shares and removable drives.
Qakbot will capture browser traffic to and from banking websites if they match on pre-defined URL patterns, such as those in the following snippet that we extracted during our analysis:
tdetreasury.tdbank.com cmoltp.bbt.com cashmanageronline.bbt.com .hsbcnet.com ebc_ebc blilk.com bankeft.com cmol.bbt.com securentrycorp.zionsbank.com tmcb.zionsbank.com .web-access.com nj00-wcm commercial.bnc.ca /clkccm/ paylinks.cunet.org e-facts.org accessonline.abnamro.com ...
Qakbot communicates with its command-and-control (C&C) infrastructure over HTTP(S) and uploads stolen data over FTP. We extracted the following C&Cs and FTP servers from this sample:
hxxps://mzvmmsedkr.biz/ hxxps://ewweorusgqoj.net/ hxxps://gdfqutzvshhgzheqksxj.biz/ hxxps://tsetndthrvsotsibqblhvkm.info/ hxxps://rkdxaovlaoltxnorwhtqo.com/ ftphost_1: 18.104.22.168 ftphost_2: 22.214.171.124 ftphost_3: 126.96.36.199 ftphost_4: 188.8.131.52
It is important to note that the FTP servers used here may be legitimate, but compromised servers.
Forecepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:
- Stage 3 (Redirect) - The malicious redirection URL is detected and blocked.
- Stage 4 (Exploit Kit) - The RIG EK pages are identified and prevented from exploiting the user's browser.
- Stage 6 (Backchannel Traffic) - Attempts by the malware to contact its command-and-control server are detected and blocked.
Exploit kit actors continue to look for popular websites to compromise in order to serve up malware, and in this instance the attackers have taken advantage of a perfect opportunity for compromising a public holidays website that is very popular at this time of year. The mere act of browsing to this website could result in significant financial and personal loss. Ensuring that your software is up to date will help to prevent these types of attacks from being able to execute malware on your system.