Compromised websites lead to drive-by-download attacks serving ransomware
In these attacks, the malicious payload is delivered to vulnerable systems using a popular technique known as drive-by-download. Essentially, compromised websites host the Magnitude exploit kit, a community name choosen for an Exploit Kit previously referred to as “Popads, which drops malware into the system using vulnerabilities found in the browser.
The following websites were found to redirect to malicious content:
- hymedoraw[dot]com/search[dot]php
- awerdeall[dot]com/search[dot]php
- index-html[dot]com/
- joomla-green[dot]com/
- bestcool-search[dot]com/
- joyo-search[dot]com/
- megas-search[dot]com/
- speeds-search[dot]com/
- sample-data[dot]com/
- lazy-summer[dot]com/
- tundra-search[dot]com/
- death-tostock[dot]com/
- adoncorst[dot]com/search[dot]php
- demo-content[dot]com/
- enable-bootstrap[dot]com/
- rospecoey[dot]com/search[dot]php
- aranfleds[dot]com
- adoncorst[dot]com/search[dot]php
- malpithia[dot]com/search[dot]php
- noutademn[dot]com/search[dot]php
The malvertising networks lead to redirector domains using “302 cushioning” i.e. displaying a 302 HTTP redirection warning, in order to avoid detection.
The “magnitude” of damage
Magnitude delivers a Flash and (highly obfuscated) JavaScript payload, exploiting the MS13-009 integer overflow vulnerability. After compromising the system, a shellcode is dumped which fetches a list of urls within it, which lead to ransomware. In this case, the first link led to CryptoWall 3.0, an updated version of a notorious ransomware family that has made headlines several times.
As stated by Zscalar:
“This is a highly profitable ransomware payload that leverages Bitcoin transactions executed over the Tor Anonymizer to monetize the attack, Threat Actors utilize this method of collection because it can’t be reliably traced back to the them. Victims are especially vulnerable to this type of extortion since very few people seem to backup their critical files such as documents and pictures.”
As with any ransomware attack, backups are a lifesaver here. We strongly recommend making regular backups of your data and running up to date malware protection to keep malvertising strikes at bay.
Emsisoft Enterprise Security + EDR
Robust and proven endpoint security solution for organizations of all sizes. Start free trialHave a nice (malware-free) day!