The popular airline travel site yatra[.]com is currently (01 Feb 2016) redirecting users to Angler Exploit Kit (EK) via a compromised advertising script. The millions of users per month browsing to the yatra[.]com homepage are currently exposed to being redirected to code that silently drops and executes malware in the background by exploiting one of the latest Flash Player vulnerabilities.

Compromised Site

The website yatra[.]com is a highly popular Indian travel search engine that is ranked 2,262 globally according to Alexa (4,219 according to SimilarWeb) and receives an estimated 7.5 million visitors per month.

fig 1. SimilarWeb stats for yatra[.]com

The site is using what appears to be a Revive advertizing server script from one of Yatra's other domains, yatrainc[.]com. Since at least January 29, and as of today (February 1) we are seeing this script injected with code that silently redirects users to the highly prevalent Angler EK.

fig 2. Compromised advertizing script hosted on banners.yatrainc[.]com

The full infection chain we analyzed on January 29 was as follows:

hxxp://yatra[.]com/

--> hxxp://banners.yatrainc[.]com/www/content/afr.php?zoneid=737&target=_blank&cb=1708201502 - (Compromised Revive ad server script)

--> hxxp://fersi[.]tk/shop.php?sid={redacted} - (Flash-based redirect)

--> hxxp://fersi.tk/hot.php?id={redacted} - (Second redirect to Angler EK)

--> hxxp://aimhy.rao1hu038z2[.]space/civis/search.php?keywords={redacted} - (Angler EK)

And the full infection chain we analyzed on February 1 was as follows:

hxxp://yatra[.]com/

--> hxxp://banners.yatrainc[.]com/www/content/afr.php?zoneid=737&target=_blank&cb=1708201502 - (Compromised Revive ad server script)

--> hxxp://demo.choxedanang[.]com/forex.php?sid={redacted} - (Flash-based redirect)

--> hxxp://demo.choxedanang[.]com/home.php?id={redacted} - (Second redirect to Angler EK)

--> hxxp://sup.emmiemiller[.]org/forums/viewforum.php?f={redacted} - (Angler EK)

Angler Exploit Kit & Bedep Payload

The infection chain we saw resulted in us being redirected to Angler EK, which proceeded to exploit our Flash Player version 20.0.0.228 by leveraging CVE-2015-8651. We blogged about this new exploit on January 27. The Flash Player exploit we analyzed in this particular attack on January 29 is available on VirusTotal.

The payload that this variant of Angler EK distributed was a malware known as Bedep, which was loaded in memory rather than being written to disk. Bedep generates its domains with a domain generation algorithm (DGA) - below are some of the most recent domains it has been using:

crtmzljcejozgp[.]com kfkyfbjsxnsicve50[.]com izganktshlyxryjn87[.]com ltntvidynijnjnvv9e[.]com bjatnppvspr9q[.]com debeypjqcbdoy[.]com terhunucaqhnmdzbie[.]com

Bedep's usual motive is click-fraud by generating illegitimate traffic to arbitrary web sites in order to generate financial revenue for the criminal operator behind it. However, it is also capable of downloading and executing additional malware. In this case we saw Bedep downloading a variant of the Vawtrak banking trojan. The Vawtrak sample we analyzed is available on VirusTotal.

Indicators Of Compromise

The following indicators of compromise are by no means an exhaustive list.

Malicious Redirects

fersi[.]tk demo.choxedanang[.]com

Angler Exploit Kit

aimhy.rao1hu038z2[.]space sup.emmiemiller[.]org

Bedep Command-and-Control

crtmzljcejozgp[.]com kfkyfbjsxnsicve50[.]com izganktshlyxryjn87[.]com ltntvidynijnjnvv9e[.]com bjatnppvspr9q[.]com debeypjqcbdoy[.]com terhunucaqhnmdzbie[.]com

Vawtrak Command-and-Control

atlasbeta[.]com dadry[.]com 93.170.104[.]20 91.200.14[.]110 46.161.1[.]105 5.187.2[.]19

Protection Statement

Forcepoint Special Investigations notified:

YATRA via email of the incident shortly after confirming the compromise.

Popular search engines of the compromise once YATRA had acknowledged receipt of the notification and

Badware clearing houses such as https://www.stopbadware.org/

Forecepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 2 (Lure) - The injected Flash object on the compromised website is detected and blocked.

Stage 3 (Redirect) - The malicious redirect to Angler EK is blocked in real-time.

Stage 4 (Exploit Kit) - The Angler EK pages are identified and prevented from exploiting the user's browser.

Stage 6 (Backchannel Traffic) - Attempts by both Bedep and Vawtrak to contact their command-and-control servers are detected and blocked.

Observations

This is yet another example of a site that is serving up malware because an associated site has been compromised. For those hosting and running large sites such as this, it is imperative that the integrity of the whole service is managed consistently and not just focused on the 'front door' site. Equally, it is absolutely crucial to keep up with the basics: ensuring that default credentials are removed and that software is kept updated and patched at all times. More broadly, having a process to handle these incidents when they happen, and they will, is critical to running large web sites such as this. Exercising these response processes before a real incident. Just like the fire-drills we are all now used to, this is a great way to identify systemic flaws before they are identified during the heat of a real incident.

Most important of all is that time is of the essence: high profile sites such as this one that have millions of visitors are magnets for the criminals. In this particular case, the criminals know they have the opportunity to compromise over quarter of a million visitors every day that the malware is still being served up by the site.

Summary

Criminals are continuing their efforts to maximize the potential number of victims. They are compromising scripts on hosts that are used by highly popular sites, without having to compromise the target site itself. These criminals are able to turn this traffic into financial revenue by installing click-fraud malware onto a victims' machines in order to generate traffic to URLs of their choosing. Alternatively, they may drop crypto ransomware or other dangerous malware onto the target machine as we have also seen recently.