RIG Exploit Kit in action - infected Polish websites take part in drive-by download attacks

A discovery by the Polish company Exatel, which provides telecommunications and ICT security services, fits neatly with our latest test of protection against drive-by download attacks. According to the authors of the published analysis, over 1,000 Polish websites infected the computers of visiting users with malware, including one of the user forums of a well-known antivirus program! According to the Security Operations Center (SOC) that analysed all the incidents, this is one of the largest attacks on Internet users in Poland.

Waterhole tactics - features in common with the attack on the Polish Financial Supervision Authority

It all started with the detection of a foreign, polymorphic code fragment located on a Polish website that a customer had visited from an internal network monitored by Exatel's probes. As it turned out, the compromised page was a large portal devoted to Polish contemporary history, and the code fragment redirected visitors to an infected site hosting the web application for automated attacks: the RIG Exploit Kit.

RIG Exploit Kit is one of many specialised cybercriminal tools. Last year, after the collapse of a similarly popular platform, Angler Exploit Kit, it was RIG that became number one in the cybercriminal world. Currently RIG EK has two variants: RIG-V and RIG-E. More information on exploit kits is given in our test of protection against drive-by download attacks.

The so-called landing page, the site from which the attack itself was launched, was in the domain free.witchcraftbrand.com. The following code fragment shows the polymorphic JavaScript code attached to the infected site:

The code (PHP / ASP.NET / JSP) placed by the attackers on the compromised server injects the JS script into the original page content for each new visitor of the victim website (a visitor whose IP address the waterhole operator has not yet recorded).

After several weeks of investigation, specialists from Exatel's security centre found that the attack's control server is located, as they put it, "outside central and western Europe", and analysis of hundreds of thousands of incidents from probes in customer networks identified exactly 1041 pages serving malware. Among them were:

  • a job-offers portal,
  • a publishing site,
  • the website of a conference organiser,
  • a page in the GOV domain,
  • commune and county pages,
  • domains and subdomains of 7 universities,
  • websites of sports events: marathons, triathlons and an international tennis tournament,
  • the website of a Member of the Sejm of the Republic of Poland,
  • law firm websites,
  • companies designing elements of industrial automation (SCADA) systems,
  • primary schools, kindergartens, high schools, vocational schools,
  • ZHP (Polish Scouting Association) troops,
  • pages of religious congregations,
  • foundations and charities,
  • hotels, hostels and resorts,
  • medical clinics,
  • companies designing websites and providing IT services for businesses,
  • an SMS gateway,
  • social forums (including a forum for users of a well-known antivirus program; do they know about it?).

This malicious campaign using the RIG Exploit Kit has much in common with the attack on the website of the Polish Financial Supervision Authority:

- The attack procedure is almost identical to that used in the campaign targeting clients of the Polish Financial Supervision Authority.

- After the malicious redirection, the downloaded content is another JavaScript file (the second phase of the attack) and an SWF (Flash) file, whose purpose is to fingerprint the target (browser version, Flash plugin).

- It was observed that the cybercriminals used one of the two variants of the exploit kit, RIG-V.

- As a result of exploiting CVE-2016-0189 and CVE-2014-6332 (vulnerabilities in Internet Explorer 9, 10 and 11) and CVE-2015-8651 and CVE-2015-5122 (vulnerabilities in older versions of Flash), computers are infected with Mole ransomware (CERT Polska has developed a decryptor), and later also with Cerber ransomware (from free.7gentlebreeze.com).

- Depending on the victim's location, the final malware could belong to a different campaign: Polish users were always attacked with ransomware, but when testing through a VPN (placing the computer in the US), the campaign involved extorting money (ZeuS malware) through a telephone scam designed to make the user believe that his computer has been infected with the Zeus virus and has become part of a botnet. As we read in the report:

Posing as the Microsoft Security Department and imitating a computer lock, the attacker tries to force the user to call the alleged Microsoft service office to remove the block; in fact, the victim can pay dearly for making this call.

Drive-by download attacks

We used the attack described above to test the protection of 44 antivirus solutions. Using Metasploit, an exploit for Firefox, a PowerShell interpreter and a few undetectable malware samples, we found that most popular security software cannot handle such situations. Setting the technical details aside (see our test for more), the user must realise that in a drive-by download attack he will not be prompted to run a downloaded file, as usually happens with malicious e-mail attachments. The automatic download and launch of the virus carrying the payload happens when a web page containing a set of exploits is opened. It is enough to visit the malicious website (previously hacked and containing a redirection) to become a victim of the attack. Whether the user's computer ends up infected with file-encrypting ransomware, a banking Trojan, spyware or a cryptocurrency miner depends only on the current demand of the cybercriminals.

Schema of drive-by download attacks.

Windows Defender alone is not enough for effective defence against this type of unauthorised intrusion. For some reason this antivirus, which we do not recommend, is praised by people who have little to do with practical security. Why? We do not know. We know one thing: Windows Defender provides only basic protection, and that is not enough to protect users effectively from drive-by downloads.

In the context of these attacks, the most effective good practices include:

- Keeping browsers and plugins up to date. Whether an attack succeeds depends on the exploits built into the particular exploit kit. Sometimes these tools contain exploits for old software such as IE 11, 10, 9 or Adobe Flash Player. Unfortunately, exploit kits may also contain 0-day exploits, meaning that the vulnerabilities may still be unknown to the browser vendors at the time of the attack; without proper protection inside the network, the user is then at the mercy of the attackers.

- The antivirus must offer comprehensive protection: from an active web page scanner (many attacks can be avoided this way), through a reputable anti-virus scanner with a built-in anti-exploit module, to a firewall with IDS/IPS functions. All of these features are offered by Bitdefender, Symantec and Quick Heal, and in part by Arcabit, Kaspersky Lab and Eset. In short, we recommend solutions that obtained the BEST+++ certificate in our test. For companies, we recommend the business versions of the "home counterparts" that won BEST+++, or dedicated solutions for defending against APT attacks.

- An additional protective barrier is software that allows only trusted applications to run or blocks programs from specific locations. Such control is offered by SecureAPlus and SpyShelter. Thanks to this, viruses saved in temporary locations, e.g. %TEMP%, cannot be run. It is also highly recommended to disable PowerShell entirely, along with the wscript.exe application, which runs VBScript scripts (used by 99% of JavaScript-based downloaders).

As the authors of the report write:

We found what might seem an ideal method for identifying waterhole networks on the Polish Internet. All that was needed was to introduce a mechanism for detecting differences in the response times of web servers depending on two different values of the User-Agent field: one containing the word "MSIE" and one empty.

It is also a valuable hint for security software providers.
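As an added example (not code from the Exatel report or from AVLab), the following Python scorer implements the heuristic quoted above: the same page is requested once with a User-Agent containing "MSIE" and once with an empty User-Agent, and a host is flagged when the "IE" response is markedly slower or carries script content the other response does not. The host names, page bodies, timings and the 2x latency threshold are all constructed assumptions for the demonstration; `fetch` is a live helper for probing your own sites and is not exercised by the sample data.

```python
import hashlib
import re
import statistics
import time
import urllib.parse
import urllib.request
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Two probe identities. Only the first contains the literal "MSIE".
UA_MSIE = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
UA_EMPTY = ""

# Assumed threshold (not from the report): flag a host when its median MSIE
# response is at least twice as slow as its median empty-UA response.
LATENCY_RATIO_THRESHOLD = 2.0

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


@dataclass
class Probe:
    host: str
    user_agent: str
    latency_ms: float
    body: str


def ua_class(ua: str) -> str:
    """Bucket a User-Agent into the two classes the heuristic compares."""
    if "MSIE" in ua:
        return "msie"
    return "empty" if ua == "" else "other"


def script_fingerprint(body: str) -> str:
    """Hash only the <script> tags (whitespace-normalised), so that ordinary
    dynamic content such as dates or ad text does not cause false alarms."""
    scripts = "".join(re.sub(r"\s+", " ", s) for s in SCRIPT_RE.findall(body))
    return hashlib.sha256(scripts.encode("utf-8")).hexdigest()


def score_host(probes: List[Probe]) -> Dict[str, object]:
    """Compare MSIE-class probes with empty-UA probes for a single host."""
    by_class = defaultdict(list)
    for p in probes:
        by_class[ua_class(p.user_agent)].append(p)
    msie, empty = by_class["msie"], by_class["empty"]
    if not msie or not empty:
        raise ValueError("need at least one MSIE and one empty-UA probe per host")

    lat_msie = statistics.median(p.latency_ms for p in msie)
    lat_empty = statistics.median(p.latency_ms for p in empty)
    ratio = lat_msie / lat_empty if lat_empty > 0 else float("inf")

    # Script content served only to the "IE" visitor is the strongest signal.
    extra_scripts = {script_fingerprint(p.body) for p in msie} - {
        script_fingerprint(p.body) for p in empty
    }
    return {
        "host": probes[0].host,
        "latency_ratio": round(ratio, 2),
        "script_diff": bool(extra_scripts),
        "suspicious": ratio >= LATENCY_RATIO_THRESHOLD or bool(extra_scripts),
    }


def scan(probes: List[Probe]) -> List[Dict[str, object]]:
    """Group probes by host and score each host."""
    by_host = defaultdict(list)
    for p in probes:
        by_host[p.host].append(p)
    return [score_host(ps) for ps in by_host.values()]


def fetch(url: str, ua: str, timeout: float = 10.0) -> Probe:
    """Live probe helper for your own sites; not used by the sample data."""
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    latency_ms = (time.monotonic() - start) * 1000.0
    return Probe(urllib.parse.urlsplit(url).hostname or url, ua, latency_ms, body)


# Constructed sample data: one clean host, one that behaves like a waterhole.
CLEAN_BODY = (
    "<html><head><script src='/js/app.js'></script></head>"
    "<body><h1>Aktualności</h1></body></html>"
)
INJECTED_BODY = CLEAN_BODY.replace(
    "</body>",
    "<script>/* constructed stand-in for the injected redirect */var x=1;</script></body>",
)
SAMPLE_PROBES = [
    Probe("clean.example", UA_MSIE, 118.0, CLEAN_BODY),
    Probe("clean.example", UA_EMPTY, 112.0, CLEAN_BODY),
    Probe("waterhole.example", UA_MSIE, 640.0, INJECTED_BODY),
    Probe("waterhole.example", UA_EMPTY, 105.0, CLEAN_BODY),
]

if __name__ == "__main__":
    for report in scan(SAMPLE_PROBES):
        print(report)
```

One caveat when using this against real sites follows from the report itself: the server-side code injects the redirect only once per visiting IP address, so the two probes of a host must come from different source addresses (or the "IE" probe must go first), otherwise the second request sees the clean page regardless of its User-Agent. Timing alone is a weak signal on busy servers; the script fingerprint comparison is the one to trust, and a flagged host should be confirmed by inspecting the extra script content in a sandboxed environment.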


We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.