BESCOM users being redirected to RIG EK

BESCOM (Bangalore Electricity Supply Company Limited) is responsible for power distribution in eight districts of the Indian state of Karnataka. Its service area covers roughly 15,900 square miles and a population of roughly 20 million people.

Zscaler ThreatLabZ researchers recently discovered that malicious actors strategically placed malicious redirects on the bill payment page of the BESCOM portal. These redirects were active on 11 September 2017 and made the website unusable.

We also observed redirects to the RIG exploit kit (EK) coming from bescom[.]org/en/paybill/, which was sending users to the RIG landing page URL shown below:


Figure 1: RIG EK redirect hits from bescom[.]org/en/paybill/

Subsequent attempts to load bescom[.]org/en/paybill resulted in redirects to cryptocurrency scam sites and YouTube videos for cryptocurrency scams.

The redirect occurs because of a meta refresh tag on the BESCOM page, which, in this instance, redirects users to http://btc100x[.]rocks.

Figure 2: btc100x[.]rocks redirect
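A site owner can check served pages for this kind of injected tag. The Python below is an added example, not part of the original analysis or of Zscaler's tooling; it flags meta refresh tags whose target host is neither the page's own nor allow-listed. The function names, page URL and sample HTML are constructed for illustration and use reserved .example host names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# content="<seconds>; url=<target>"; the "url=" prefix and quotes are optional.
REFRESH_RE = re.compile(r"^\s*[\d.]+\s*[;,]\s*(?:url\s*=\s*)?['\"]?\s*([^'\"]+)", re.I)

class MetaRefreshFinder(HTMLParser):
    """Collects the target of every <meta http-equiv="refresh"> that carries a URL."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        match = REFRESH_RE.match(attr.get("content", ""))
        if match:  # a bare "30" only reloads the page and has no target
            self.targets.append(match.group(1).strip())

def offsite_refreshes(html, page_url, allowed_hosts=()):
    """Return absolute meta-refresh targets whose host is not the page's own or allow-listed."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    trusted = {urlsplit(page_url).hostname, *allowed_hosts}
    hits = []
    for raw in finder.targets:
        absolute = urljoin(page_url, raw)  # resolves relative targets such as "/en/login/"
        if urlsplit(absolute).hostname not in trusted:
            hits.append(absolute)
    return hits

# Constructed samples (reserved .example names, not taken from the incident).
PAGE_URL = "https://portal.example/en/paybill/"
SAMPLE_INJECTED = """<html><head><title>Pay bill</title>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://scam.example/">
</head><body>...</body></html>"""
SAMPLE_CLEAN = """<html><head>
<meta http-equiv="refresh" content="30">
<meta http-equiv="refresh" content="5; url='/en/login/'" />
</head><body>...</body></html>"""

if __name__ == "__main__":
    for name, html in (("injected", SAMPLE_INJECTED), ("clean", SAMPLE_CLEAN)):
        print(name, offsite_refreshes(html, PAGE_URL))
```

Run against periodically fetched copies of high-value pages such as a payment page, a non-empty result is a signal to review the page source for unauthorized changes.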

The second redirect we observed was to a YouTube video scam encouraging users to transfer their Bitcoins in order to multiply them. The redirect and the screenshot of the video can be seen below.

Figure 3: Scam YouTube video redirect

Figure 4: Scam YouTube video

Overview of the RIG EK cycle at 188.225.82[.]40

When we tested the RIG redirect, we found that it was still active.

Figure 5: Capture of RIG cycle from the redirected IP

The obfuscated JavaScript can be seen below.

Figure 6: Obfuscated JavaScript on the RIG EK landing page

This redirect leads to the download of a Flash file that fingerprints the system to determine whether it is vulnerable. A snippet of the decompiled Flash is shown in the following image.

Figure 7: Decompiled Flash file

The payload that was downloaded is shown below.

Figure 8: Malware payload download attempt

The payload fails during execution and throws an error message.

Figure 9: Failed malware execution

Indicators of compromise (IoCs):

IP Address: 188.225.82[.]40



Zscaler ThreatLabZ notified BESCOM of the compromise on September 11, 2017, and, while we did not receive any response, it appears that the company was quick to remediate the issue. Zscaler ThreatLabZ is actively monitoring this campaign to ensure protection for Zscaler customers.

