Popular Indonesian Tech News Site Serves Up a Side of Malware

11.04.15, 09:54 AM
Zachariah Boren

11.03.15 10:39 PM

Raytheon | Websense® Security Labs™ researchers have identified a recent malvertising campaign affecting a popular Indonesian technology news site, Tabloid Pulsa. Users browsing to this site are being redirected to an exploit kit and served up malware, due to a compromised advertising script that is being used by the site.

Raytheon | Websense customers are protected against this threat via real-time analytics with ACE, the Websense Advanced Classification Engine.

Compromised Website

The compromised website in question is tabloidpulsa[.]co[.]id, a popular Indonesian site that has close to 1 million hits per month according to SimilarWeb. The website is using a Revive Adserver script which has been compromised, and this is not the first time we've seen these scripts compromised. The script has been modified to insert an iFrame that leads to another malicious site, which then redirects to Nuclear Exploit Kit.

The compromised advertising script is hosted on a third-party website, ox[.]indomediagroup[.]com and is used by at least 2 other popular Indonesian sites, meaning that users browsing to those sites may also be affected.

Here is the full infection chain:

--> ox[.]indomediagroup[.]com/www/delivery/afr.php?zoneid=83&cb=INSERT_RANDOM_NUMBER_HERE&ct0=INSERT_CLICKURL_HERE - Compromised Revive Ad Server script
--> rectangle[.]radionasarijecchicago[.]com/fxxnem4.html - Malicious redirect
--> hofawubv[.]mine[.]nu/forum/index.php?showtopic=420 - Nuclear Exploit Kit

Malware Payload

When we analyzed the infection chain for this attack on November 3, Nuclear Exploit Kit decided to exploit our outdated version of Adobe Flash Player with vulnerability CVE-2015-5122 (VirusTotal), and then dropped what seems to be a new variant of the Ursnif malware:


This Ursnif variant uses the following command and control (C&C) over HTTP:


And the following C&C over UDP port 9772:


Ursnif is capable of intercepting, modifying, and exfiltrating traffic from browsers such as Internet Explorer, Chrome, and Firefox, as well as providing a general purpose backdoor into the user's system.


Malvertising remains as popular as ever when it comes to a cybercriminal's weapon of choice for web-based exploits, and compromising advertising scripts can open up a large surface area of potential victims. It is important for a business to consider which third-party scripts they decide to use, in order to minimize their security risk. Raytheon | Websense will continue to monitor this malvertising campaign and associated malware.

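The infection chain in the post (ad-server delivery script, then an unrelated redirect host, then the exploit kit landing page) can be hunted for in web proxy logs by following Referer links outward from each ad-delivery request. The sketch below is an added example, not code from the original post or from Websense. The log layout, the allowlist, the `.example` hostnames and the function names are all assumptions, and it presumes the proxy records full Referer URLs.

```python
from urllib.parse import urlsplit

# Hosts the publisher expects its ad zones to load from (assumed allowlist).
APPROVED_AD_HOSTS = {"ads.publisher.example", "cdn.creative.example"}
DELIVERY_MARKER = "/www/delivery/"  # path segment seen in the ad-server URL in the post

# Constructed proxy records: (client, url, referer). Not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "http://news.publisher.example/", ""),
    ("10.0.0.5", "http://ads.publisher.example/www/delivery/afr.php?zoneid=83", "http://news.publisher.example/"),
    ("10.0.0.5", "http://redirect.unknown.example/a.html", "http://ads.publisher.example/www/delivery/afr.php?zoneid=83"),
    ("10.0.0.5", "http://landing.dyn.example/forum/index.php?showtopic=1", "http://redirect.unknown.example/a.html"),
    ("10.0.0.7", "http://ads.publisher.example/www/delivery/afr.php?zoneid=12", "http://news.publisher.example/"),
    ("10.0.0.7", "http://cdn.creative.example/banner.png", "http://ads.publisher.example/www/delivery/afr.php?zoneid=12"),
]

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def referer_chains(records):
    """Follow Referer links per client, starting at each ad-delivery request."""
    children = {}
    for client, url, referer in records:
        children.setdefault((client, referer), []).append(url)
    chains = []
    for client, url, _ in records:
        if DELIVERY_MARKER not in urlsplit(url).path:
            continue
        stack = [[url]]
        while stack:
            chain = stack.pop()
            # Skip URLs already in the chain so referer loops terminate.
            nxt = [u for u in children.get((client, chain[-1]), []) if u not in chain]
            if not nxt:
                chains.append((client, chain))
            stack.extend(chain + [u] for u in nxt)
    return chains

def suspicious_chains(records, approved=APPROVED_AD_HOSTS):
    """Return chains in which an ad zone led to a host outside the allowlist."""
    hits = []
    for client, chain in referer_chains(records):
        off_list = [host(u) for u in chain[1:] if host(u) not in approved]
        if off_list:
            hits.append({"client": client, "zone_url": chain[0], "unapproved_hosts": off_list})
    return hits
```

Calling `suspicious_chains(SAMPLE_LOG)` reports only the 10.0.0.5 chain; the zone that loaded a banner from an approved host is not flagged.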
