Popular Site Leads To Angler EK & CVE-2015-8651 Flash Player Exploit

Forcepoint Security Labs™ identified this calendar week that a well known transport company’s website had been compromised.  We discovered that it was redirecting users to Angler Exploit Kit (EK).  Forcepoint informed the company who were quick to respond and accost the issue. Users browsing to the site were exposed to malware being silently dropped onto their system and executed in the background. When nosotros analyzed the infection we saw that users were being redirected to Angler EK which was and then exploiting CVE-2015-8651, affecting Adobe Flash Histrion versions up to 20.0.0.228 and xx.0.0.235.

Compromised Website

The website in question belongs to a transport company that is very popular in Europe, whose name we have redacted due to us assisting with on-going investigations. The website uses Joomla, which is no stranger to vulnerabilities and attacks in the wild, but nosotros exercise non know whether the website was compromised due to an attack on their Joomla installation or not.

fig i. Injected code on compromised website

The code injected into the website in this instance was a very large piece of obfuscated code, a snippet of which can be seen infig ane. The intention of the code was to redirect users to an exploit kit known as Angler EK, and nosotros run into this blazon of code injected into hundreds of websites on a daily basis. The actors behind the code sometimes redirect users to Neutrino EK for a few days every bit they did at the outset of January, only they almost always lead to Angler.

fig 2. Angler EK activity in January

The infection chain was every bit follows, simplified to but prove the pregnant requests in the chain:

Compromised site:
hxxp://world wide web.**redacted**.com/de/

–> Angler EK landing page:
hxxp://fbendservent-gratulabitur.brotherhoodmc[.]org/boards/index.php?

–> Angler EK Flash Exploit (CVE-2015-8651):
hxxp://fbendservent-gratulabitur.brotherhoodmc[.]org/like.jsf?

–> Angler EK CryptoWall four.0 payload:
hxxp://fbendservent-gratulabitur.brotherhoodmc[.]org/sometime.xhtm?

–> CryptoWall 4.0 control-and-command:
hxxp://yardstickglobal[.]in/Y37Jux.php?

Flash Player Exploit – CVE-2015-8651

fig 3. Angler EK requesting a SWF exploit

The Adobe Flash Player exploit used in this assault managed to leverage a very recent vulnerability, CVE-2015-8651 which Kafeine recently wrote about on his weblog. We managed to de-compile the exploit that nosotros were given by Angler EK, and identified the routine that triggers the vulnerability:

fig 4. Angler EK’s CVE-2015-8651 exploit trigger

Antiy Labs wrote a nice blog on how CVE-2015-8651 works, which is essentially an integer overflow vulnerability.

Angler EK is currently the only commercial exploit kit that is leveraging this vulnerability, while other EKs such as Neutrino, Nuclear and RIG are using exploits for older Wink vulnerabilities. Wink Player versions upwardly to and including 20.0.0.228 and twenty.0.0.235 are affected by CVE-2015-8651. Adobe patched the vulnerability from version 20.0.0.270 onwards.

The SHA1 of the sample we encountered is918efa4d30ad6018c7b7c7a66d701a3d122dfeac and nosotros have likewise uploaded the unpacked SWF to VirusTotal for other researchers to analyze.

CryptoWall four.0

In the infection chain that we analyzed, the CryptoWall 4.0 ransomware was downloaded and executed on our automobile. We volition not become into any details about CryptoWall iv.0 in this weblog, which has been thoroughly documented in recent months.

The command-and-control proxy servers that we obtained from the CryptoWall sample (6af2aa305bc7da913ece5a5c98b214f3dae63738) are listed beneath:

hxxp://premierdisneyvilla.com/QXeHOy.php hxxp://thebeautythesis.com/UaEigq.php hxxp://wallpapersau.net/igrHKY.php hxxp://neoad.de/NXy1mb.php hxxp://jlprotect.ca/_poxuV.php hxxp://dunwoodypress.com/DJHMXS.php hxxp://zolty.european union/bnFKET.php hxxp://behejbrno.com/MixtUZ.php hxxp://campaignforyoungamerica.org/LT3YRB.php hxxp://pc.all-to-all.com/Ryfq7Y.php hxxp://apexminerals.com.au/k8HqvL.php hxxp://macphoto.nl/7NBUqj.php hxxp://acie.edu.np/DFQvsZ.php hxxp://international.woptimo.com/YglxHK.php hxxp://t-firma-en.itech-websolutions.com/U2Ac7i.php hxxp://artistblip.com/QJ9HzW.php hxxp://villisplace.info/fJQ_3v.php hxxp://jogos.testeqi.com.br/4t1E7X.php hxxp://telecom-sa.com/azRXqt.php hxxp://dolphinworld.org/MaB54K.php hxxp://yardstickglobal.in/Y37Jux.php hxxp://noahwilbanks.com/PtXsO_.php hxxp://kskillsmobility.eu/ludO0_.php hxxp://liberal.com.mx/0My2EZ.php hxxp://itt-pushkino.org/D2BE6m.php hxxp://avazuinc.com/D04m5N.php hxxp://empiredigitalmarketing.com/09LihY.php hxxp://apptitudes.fr/eC2F1f.php hxxp://ifawindow.co.u.k./0w5MVI.php hxxp://calsalumni.iastate.edu.staging.sites.flyinghippo.com/ScXajM.php hxxp://grafitti-photo.com/IGHOYq.php hxxp://bem-bakery.com/HPINRS.php hxxp://dentiste-paris-twenty.fr/IhfweE.php hxxp://daddysground.cz/zTVoGb.php hxxp://hatha.it/6tnLEG.php hxxp://bulksmsdealer.com/vR3BEX.php hxxp://mangohills.net/RxIoCE.php hxxp://aspectdesigns.com.au/0rTVlG.php hxxp://acmm.org.au/idjFbx.php hxxp://emotionwerbung.de/389Tak.php hxxp://indonesiandomains.com/e9vsxj.php hxxp://myteaminspired.com/mzTOIv.php hxxp://monicasalvador.com.ar/btWiaQ.php hxxp://turbosol.asia/l7xydO.php hxxp://hand-fabricated.past/rQWftY.php hxxp://conseils-finance.com/kJsnUb.php hxxp://stevesyachtrepair.com/S8bJFl.php hxxp://morainecare.com/eQRvWp.php hxxp://taftee.in/JnGQ1s.php hxxp://larosa.com.au/8beYcC.php hxxp://itvsoft.asia/rRwKxj.php hxxp://jameswbos.com/v10aAJ.php hxxp://giaohang.org/lCs_PE.php hxxp://thebesttshirtsonline.com/CF9iM8.php hxxp://vancouverdispensarycoalition.ca/euqUb5.php hxxp://muel.altervista.org/z1ho2W.php hxxp://edlenimaging.com/be5AmR.php hxxp://goldenangels.com.tr/l4Fw8D.php hxxp://uzmankirala.com/KhVRbv.php hxxp://igotocd.com/rklVaO.php hxxp://dining-bar.com/BQ_Ln4.php hxxp://jadwalpialadunia.in/rG4Rdi.php hxxp://en.theolympiaschools.edu.vn/FCfXeB.php hxxp://ihadthat.com/1NEnbi.php hxxp://directoryassistanceamerica.com/XeBUDN.php hxxp://australianmotorinns.com/9ctKlH.php hxxp://event-travel.co.uk/3K6Psd.php hxxp://london-escorts-agency.org.united kingdom of great britain and northern ireland/fdnmyD.php hxxp://vinastudio.at/8TkXUJ.php hxxp://jjcampbell.com/1wK5Iy.php

Customer Protection

Forecepoint™ customers are protected against this threat via TRITON® ACE at the post-obit stages of attack:

  • Stage 2 (Lure) – The malicious Javascript on the compromised website is detected and blocked.
  • Phase iv (Exploit Kit) – The Angler EK pages are identified and prevented from exploiting the user’southward browser.
  • Stage six (Backchannel Traffic) – Attempts by the CryptoWall four.0 malware to contact its command-and-command server are detected and blocked in existent-time.

Observations – An Attack on One is an Assault on All

What is interesting to note is that the compromised site in question is the ‘forepart door’ to one of the services provided by a major European company.  Within the visitor portfolio are services in the areas of airlines, car hire, mass transit, Internet and fifty-fifty hotel and lettings.  As with similar organizations, these services are integrated at the marketing and customer communications level.  Receiving an email from the group on say mass transit will include references and links to their other services.  In this particular case, one of our researchers later identified the compromised site linked from a booking confirmation email for a different group member service.  This illustrates ii considerations:

  1. That it only takes one weak link to let those with malicious intent to potentially ‘reach out’ to the whole of the corporate customer base and

  2. When edifice client messaging material, extra rigor should exist considered when including links to other services both to external services just especially those ‘in-firm’. Don’t only be careful what you click on, be careful what you link to.

Summary

Angler EK continues to be one of the biggest threats to individuals and organizations effectually the globe. The adoption of one of the newest vulnerabilities in Adobe Flash Player, in conjunction with compromising high profile websites, guarantees that the criminals backside Angler EK accept a large surface area of potential victims. Information technology is important to go on upwards to appointment with software updates, especially for Adobe Flash Player which is often the weapon of choice for malware actors when it comes to finding vulnerabilities.

Source: https://www.forcepoint.com/blog/x-labs/popular-site-leads-angler-ek-cve-2015-8651-flash-player-exploit

Check Also

Will Dogecoin Go Up In Value

Will Dogecoin Go Up In Value

On Dec. 6, 2013, Billy Markus and Jackson Palmer decided to combine their dearest of …