MissMalini Celebrity Site Awards Admedia Gate & Angler Exploit Kit during the Oscars
On 29/FEB/16 Forcepoint researchers saw that the popular entertainment news site missmalini[.]com was compromised and redirecting to a malicious web site. The timing coincides with awards ceremonies such as The Oscars, so users are likely to be searching for celebrity news. The infection chain we analysed resulted in our system being silently exploited by Angler Exploit Kit (EK). The Teslacrypt crypto-ransomware was then dropped and executed on our test machine. Forcepoint Security Labs notified the operators of the site once the compromise was confirmed and a draft of this report was provided. As of 09:49GMT 29/FEB/16, the compromise was still present.
Missmalini[.]com is a self described "Bollywood news, celebrity gossip, fashion trends, beauty tips and lifestyle updates!" website. It receives an estimated 7.2 million visitors per month according to SimilarWeb.
fig 1. SimilarWeb statistics for missmalini[.]com
fig 2. Injected code on missmalini[.]com
The website we saw loaded in the background was the following URL:
These URLs are known as "admedia" gates and previously used URL paths like "/admedia/" and "/megaadvertize/". The latest incarnation seems to be using "/hellomylittlepiggy/". These sites act as a traffic direction system (TDS), deciding whether or not to send the user on to further malicious sites or not. The decision is typically based on the user's IP address and browser user-agent. For example, Internet Explorer and previously unseen IP addresses are of interest, whereas Google Chrome and IPs seen before are not.
Angler Exploit Kit & Teslacrypt Ransomware
The admedia TDS we saw during our analysis redirected us to Angler EK. This is a very prevalent EK which we have blogged about on multiple occasions. During our analysis, Adobe Flash Player vulnerability CVE-2015-8651 was exploited by Angler. As a result, a malware known as Teslacrypt was dropped and executed on our system. The sample we were sent can be found on VirusTotal:
Teslacrypt is a crypto-ransomware that is similar to Locky and CryptoWall. It will encrypt documents found on the system and request a payment in order to get the files back. It will also continuously terminate any processes matching the following partial strings:
askmgr rocex egedi sconfi cmd
This means that the user cannot run Task Manager, Process Explorer, Regedit, System Configuration Utility (msconfig) or Command Prompt. This makes it very difficult for a standard user to terminate the malware and prevent it from encrypting the file system.
Angler EK shows no signs of relenting and is still very prevalent. Actors are aware of world events and continue to compromise websites of currently significant popularity. The use of crypto-ransomware also continues to persist, providing criminals with quick and easy financial gain.
Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:
- Stage 3 (Redirect) - The malicious redirect site (TDS) is detected and blocked.
- Stage 4 (Exploit Kit) - The Angler EK pages are identified and prevented from exploiting the user's browser.
- Stage 6 (Backchannel Traffic) - Attempts by Teslacrypt to contact its command-and-control servers are detected and blocked.
Indiciators of Compromise (IoCs)
Angler Exploit Kit
Blog contributors: Nick Griffin, Andy Settle