On 29/FEB/16 Forcepoint researchers saw that the popular entertainment news site missmalini[.]com was compromised and redirecting to a malicious web site. The timing coincides with awards ceremonies such as The Oscars, so users are likely to be searching for celebrity news. The infection chain we analysed resulted in our system being silently exploited by Angler Exploit Kit (EK). The Teslacrypt crypto-ransomware was then dropped and executed on our test machine. Forcepoint Security Labs notified the operators of the site once the compromise was confirmed and a draft of this report was provided. As of 09:49GMT 29/FEB/16, the compromise was still present.

Compromised Website

Missmalini[.]com is a self described "Bollywood news, celebrity gossip, fashion trends, beauty tips and lifestyle updates!" website. It receives an estimated 7.2 million visitors per month according to SimilarWeb.

fig 1. SimilarWeb statistics for missmalini[.]com

The website has been injected with javascript that automatically and silently browses to a malicious web site in the background.

fig 2. Injected code on missmalini[.]com

The website we saw loaded in the background was the following URL:

hxxp://img.zolotcevasunya[.]info/hellomylittlepiggy/?jQggZWnTPJtMp=gAixEdSiFMHYhElxLcU&hFpNGfviJOZs=bykiLOqaYQlSmHRwhejyj&DOFHXpX=cIfohhrRpuYfb&XgqKFGCuXARWUVVxr=MZTGPvWCwmnqZEyQ&tZprAiulNaaCjek=VBXgafKYOYFDocwOfplos&SIIsYhpimaCf=DQGxuqwrGJ&KfqJfnObwOpo=YMgmmXsd&keyword=225f169e667efdc8475dc2b36c9f62b1

These URLs are known as "admedia" gates and previously used URL paths like "/admedia/" and "/megaadvertize/". The latest incarnation seems to be using "/hellomylittlepiggy/". These sites act as a traffic direction system (TDS), deciding whether or not to send the user on to further malicious sites or not. The decision is typically based on the user's IP address and browser user-agent. For example, Internet Explorer and previously unseen IP addresses are of interest, whereas Google Chrome and IPs seen before are not.

Angler Exploit Kit & Teslacrypt Ransomware

The admedia TDS we saw during our analysis redirected us to Angler EK. This is a very prevalent EK which we have blogged about on multiple occasions. During our analysis, Adobe Flash Player vulnerability CVE-2015-8651 was exploited by Angler. As a result, a malware known as Teslacrypt was dropped and executed on our system. The sample we were sent can be found on VirusTotal:

https://www.virustotal.com/en/file/920773395b02916f5a02d68d3b3d9b6873d025fba57c7e351c211a6314aba869/analysis/

Teslacrypt is a crypto-ransomware that is similar to Locky and CryptoWall. It will encrypt documents found on the system and request a payment in order to get the files back. It will also continuously terminate any processes matching the following partial strings:

askmgr rocex egedi sconfi cmd

This means that the user cannot run Task Manager, Process Explorer, Regedit, System Configuration Utility (msconfig) or Command Prompt. This makes it very difficult for a standard user to terminate the malware and prevent it from encrypting the file system.

Summary

Angler EK shows no signs of relenting and is still very prevalent. Actors are aware of world events and continue to compromise websites of currently significant popularity. The use of crypto-ransomware also continues to persist, providing criminals with quick and easy financial gain.

Protection Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 2 (Lure) - The injected javascript on missmalini[.]com is identified and access to this site is blocked in real-time.

Stage 3 (Redirect) - The malicious redirect site (TDS) is detected and blocked.

The malicious redirect site (TDS) is detected and blocked. Stage 4 (Exploit Kit) - The Angler EK pages are identified and prevented from exploiting the user's browser.

The Angler EK pages are identified and prevented from exploiting the user's browser. Stage 6 (Backchannel Traffic) - Attempts by Teslacrypt to contact its command-and-control servers are detected and blocked.

Indiciators of Compromise (IoCs)

Compromised Website

missmalini[.]com

Malicious TDS

js.zolotcekatya[.]info

Angler Exploit Kit

les.foodallergy[.]life

Blog contributors: Nick Griffin, Andy Settle