Researchers with Cyphort Labs observed a number of forum websites
redirecting visitors to the Fiesta Exploit Kit, which in turn infected their
computers with malware as part of what appears to be a click fraud operation.
Among the compromised forum websites were diychatroom.com, excelforum.com,
dogforums.com, ps3news.com, wrestlingforum.com, e-cigarette-forum.com, and
horseforum.com.
Although the post notes that redirects to the Fiesta Exploit Kit were
observed on Monday and that the campaign was still ongoing as of Wednesday, the
attack now appears to be slowing down.
Fengmin Gong, co-founder and CSO of Cyphort, told SCMagazine.com in an
email correspondence that diychatroom.com was no longer distributing malware as
of Thursday morning, but that excelforum.com and others are still infected.
Gong – who indicated that Cyphort is working to notify the affected
websites – said that many of the forums are powered by either vBulletin or IP
Board.
“vBulletin has one component called vBSEO which has been reported to have a
serious vulnerability that allows remote injection of PHP code to the website,”
Gong said. “We suspect that such a vulnerability exploit was a likely vector for
some of these forums. Although vBSEO has been discontinued, many sites
unfortunately are not well updated and patched.”
Visiting any of the infected forums on a machine running Windows could
result in the user being redirected to the Fiesta Exploit Kit, which was
observed exploiting a vulnerability in Internet Explorer (CVE-2013-2551) and an
Adobe Flash Player vulnerability (CVE-2015-0313).
“No user interaction needed – this is a fully automated, drive-by
infection,” Gong said, going on to add, “There is a ‘script src’ tag planted on
the infected forum site main page, redirecting to [the] malicious site” and
that “the chain from the main site to the first redirect site was using a
hidden iframe.”
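The two markers Gong describes, an injected off-site `script src` tag and a hidden iframe that carries the first hop of the redirect chain, are things a forum admin can look for in their own page source. The scanner below is an added example written for this page, not Cyphort's tooling or anything from the vBulletin project; it assumes the site's own hostname is `forum.example`, and the HTML it scans (including the `203.0.113.10` documentation-range address standing in for a redirect host) is constructed for the example.

```python
"""Flag drive-by redirect markers in a page's HTML.

Added example, not Cyphort's or vBulletin's code. Flags two things described
in the article: <script src> tags that load from an off-site host, and
<iframe>s that are hidden (zero/one-pixel or styled out of view). Off-site
scripts are triage hints, not proof: a legitimate CDN will be flagged too, so
an allowlist of known hosts is expected in real use.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep an injected iframe out of view.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:top|left)\s*:\s*-\d{3,}px",
    re.I,
)


class RedirectMarkerScanner(HTMLParser):
    """Collect (kind, url) findings while parsing one HTML document."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _is_offsite(self, url):
        # Relative paths have no netloc and are by definition same-site.
        # Protocol-relative (//host/...) and absolute URLs carry a host.
        host = urlparse(url).netloc.lower()
        if not host:
            return False
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "script" and a.get("src") and self._is_offsite(a["src"]):
            self.findings.append(("offsite-script", a["src"]))
        elif tag == "iframe":
            tiny = all(
                a.get(k, "").strip().lower() in ("0", "1", "0px", "1px")
                for k in ("width", "height")
            )
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))


def scan_html(html, site_host):
    """Return the list of (kind, url) markers found in `html`."""
    scanner = RedirectMarkerScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a forum front page with one planted script tag and one
# hidden iframe alongside legitimate same-site and visible embeds.
SAMPLE_PAGE = """
<html><head>
<script src="/clientscript/vbulletin_global.js"></script>
<script src="//cdn.example.net/jquery.min.js"></script>
<script src="http://203.0.113.10/stats.js"></script>
</head><body>
<iframe src="http://203.0.113.10/landing.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE_PAGE, "forum.example"):
        print(f"{kind:15} {url}")
```

Run it against a saved copy of the forum's front page (`curl -s https://forum.example/ > index.html`) rather than a logged-in admin view, since the injected tag Gong describes sat on the public main page; compare the flagged hosts against the scripts and embeds the site is known to use.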
The payload involves three pieces of malware.
The first, Gamarue, can update itself and download other malware, and it
also disables certain security measures on the infected machine and avoids
virtualization environments such as VirtualBox, QEMU and VMware, Gong
explained.
FleerCivet is the primary malware used for click fraud, and it also checks
for and avoids virtualization environments, Gong said. Finally, Ruperk is a
backdoor that can be used to download additional malware, and attackers could
be using it to mine for digital currencies.
“We believe at this time, one of the main missions of this campaign is
click fraud, by the fact that it has a clear payload component (FleerCivet)
that injects itself into IE, Chrome, and Firefox processes, doing
multi-threaded browser sessions to visit search URLs and hit stats URLs,”
Gong said. “Also it avoids any virtualization environments, meaning it only wants
to run from individual home (forum) users, which is likely a tactic to avoid
click fraud detection.”