Abuse of hidden “well-known” directory in HTTPS sites

WordPress and Joomla are among the most popular content management systems (CMSs). They have also become popular with malicious actors, who compromise sites on these platforms and inject malicious content. During the past few weeks, ThreatLabZ researchers have detected several WordPress and Joomla sites serving Shade (also known as Troldesh) ransomware, backdoors, redirectors, and a variety of phishing pages. The most common threats to CMS sites stem from vulnerabilities introduced by plugins, themes, and extensions.

In this blog, we focus on the Shade/Troldesh ransomware and the phishing pages we detected last month. Shade has been quite active in the wild, and we have seen many compromised WordPress and Joomla sites being used to spread it. The compromised WordPress sites we observed run versions 4.8.9 to 5.1.1 and use SSL/TLS certificates obtained through automated, HTTP-based domain validation: the ACME protocol (used by Let's Encrypt and supported by CAs such as GlobalSign and DigiCert) or the file-based validation behind hosting-panel features such as cPanel's AutoSSL, among others. These sites most likely ran outdated CMS cores, plugins, themes, or server-side software.

Fig 1: Hits of Shade and phishing in detected CMS sites

During the past month, our cloud blocked transactions to compromised WordPress and Joomla sites; Shade ransomware accounted for 13.6 percent of those blocks and phishing for 27.6 percent, with the remaining blocks due to coinminers, adware, and malicious redirectors.

We have been monitoring the compromised HTTPS sites for a few weeks and have noticed that attackers favor a well-known hidden directory present on HTTPS websites for storing and distributing Shade ransomware and phishing pages. The /.well-known/ directory is the URI prefix for "well-known locations" defined by the IETF (RFC 5785, since superseded by RFC 8615) and is commonly used to demonstrate control of a domain. It is hidden only in the Unix sense: the leading dot keeps it out of default directory listings and most file managers, so administrators rarely look inside it.
Administrators of HTTPS websites that use ACME to manage their certificates place a unique token under /.well-known/acme-challenge/ (ACME's HTTP-01 challenge); CAs that use their own file-based validation use /.well-known/pki-validation/. In both cases the CA gives the requester a specific token or file content, the site must serve it at that exact path over plain HTTP, and the CA then fetches the URL to confirm that the requester controls the domain. Legitimate validation files are tiny: an ACME token file has no extension at all, and the file-based validation variant is a short text file. Neither directory should ever contain images, archives, HTML pages, or executables.

The attackers use these locations to hide malware and phishing pages from administrators. The tactic is effective because the directory is already present on most HTTPS sites, is dot-prefixed and therefore rarely inspected, and is usually left alone by administrators and tooling so that certificate renewals keep working, all of which increases the lifetime of the malicious content on the compromised site. The different types of threats we found under the hidden directory in the past month are shown in the images below.

Fig 2: Threats in hidden directory
Fig 3: Shade ransomware vs. phishing pages in the hidden directory

Case I: Shade/Troldesh ransomware under the hidden directory

The graph below shows the Shade/Troldesh ransomware hits under the hidden directory that we detected last month.

Fig 4: Shade/Troldesh ransomware hits over one month

In the case of Shade/Troldesh, every compromised site hosts three types of files: HTML, ZIP, and EXE (renamed to .jpg), as shown below.

Fig 5: Shade in hidden SSL validation directory

inst.htm and thn.htm are HTML pages that redirect to the ZIP downloads.
reso.zip, rolf.zip, and stroi-invest.zip are ZIP archives that contain the JavaScript downloader.
msg.jpg and msges.jpg are Windows executables, the Shade ransomware payload, given a .jpg extension.

Fig 6: Shade infection chain

Troldesh is typically spread by malspam carrying either a ZIP attachment or a link to an HTML redirector page that downloads the ZIP. The malspam pretends to be an order update from a Russian organization. An example of an email containing a link to the HTML redirector is shown below.

Fig 7: Malspam mail
Fig 8: Redirector to download ZIP

The ZIP file contains only a JavaScript file with a Russian name.
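The check a site owner would want after reading the above, as an added example that is not part of the original post and not Zscaler's tooling: a Python script that audits a web root's /.well-known/ tree and flags anything that is not a CA validation file, using the leading bytes of each file rather than its extension, so an EXE renamed msg.jpg is still caught. It assumes a document root laid out like a typical Apache/nginx site (WEBROOT/.well-known/acme-challenge/ and WEBROOT/.well-known/pki-validation/). The sample tree it builds is constructed: it reuses the article's file names with stub contents, the ACME token is the example token from RFC 8555, and the file-based validation text is made up.

```python
"""Audit a web root's /.well-known/ tree for files that are not CA validation tokens.

Added example for this article, not Zscaler's tooling. Assumes a document root
laid out like a typical Apache/nginx site, with WEBROOT/.well-known/acme-challenge/
and WEBROOT/.well-known/pki-validation/ as described above.
"""
import os
import re
import tempfile

# ACME HTTP-01 tokens are base64url strings with no extension (RFC 8555, 8.3).
ACME_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")
# The file-based validation used by some commercial CAs and hosting panels
# serves a small .txt file. Nothing else belongs in these directories.
ALLOWED_EXT = {"", ".txt"}

# Leading bytes of the file types the article found hidden under /.well-known/.
MAGIC = (
    (b"MZ", "PE executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"%PDF", "PDF document"),
    (b"\x7fELF", "ELF executable"),
)
HTML_HINTS = (b"<html", b"<script", b"http-equiv", b"<meta", b"<form")


def classify(path):
    """Return a reason string if PATH looks out of place, else None."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(512)
    for magic, kind in MAGIC:  # content wins over extension: msg.jpg is really an EXE
        if head.startswith(magic):
            return f"{kind} (extension {ext or 'none'})"
    if any(hint in head.lower() for hint in HTML_HINTS):
        return "HTML content"  # redirector or phishing page
    if ext not in ALLOWED_EXT:
        return f"unexpected extension {ext}"
    if ext == "" and not ACME_TOKEN_RE.match(name):
        return "extensionless file that is not an ACME token"
    return None


def scan_well_known(webroot):
    """Walk WEBROOT/.well-known and return sorted [(relative_path, reason), ...]."""
    findings = []
    base = os.path.join(webroot, ".well-known")
    if not os.path.isdir(base):
        return findings
    for dirpath, _dirs, files in os.walk(base):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, webroot), reason))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree reusing the article's file names; contents are stubs,
    not real samples. The token is the example token from RFC 8555."""
    root = tempfile.mkdtemp(prefix="webroot-")
    acme = os.path.join(root, ".well-known", "acme-challenge")
    pki = os.path.join(root, ".well-known", "pki-validation")
    os.makedirs(acme)
    os.makedirs(pki)
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    samples = {
        # legitimate ACME key authorization (thumbprint part is made up)
        (acme, token): (token + ".nP1qzb8L7VGh6cQ").encode(),
        # legitimate file-based validation text (made up)
        (pki, "9F1C3B2A7E.txt"): b"c1d2e3f4\ncomodoca.com\n",
        (acme, "msg.jpg"): b"MZ\x90\x00" + b"\x00" * 60,   # EXE with a .jpg name
        (acme, "reso.zip"): b"PK\x03\x04" + b"\x00" * 26,  # ZIP carrying the JS downloader
        (acme, "inst.htm"): b'<meta http-equiv="refresh" content="0;url=reso.zip">',
        (pki, "mxr.pdf"): b"%PDF-1.4\n%stub",
    }
    for (directory, name), content in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, why in scan_well_known(build_sample_webroot()):
        print(f"{rel}: {why}")
```

On a real host, call scan_well_known() on the actual document root (for example /var/www/html) from a cron job and treat any finding as an incident trigger rather than a cleanup task: the files under /.well-known/ are the payload, and the backdoor that wrote them is usually somewhere else in the web root.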
The JavaScript is heavily obfuscated; its strings are stored encrypted and are decrypted at runtime by the function below.

Fig 9: Decryption function

After decryption, the JavaScript has the functionality shown below: it tries to connect to one of two URLs, downloads the payload into %TEMP%, and executes it.

Fig 10: Simplified JavaScript code

The downloaded payload is a new variant of Shade/Troldesh, a ransomware family that has been around since 2014. It is packed in two layers, a custom packer and UPX. After unpacking, it stores its configuration under HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration.

Fig 11: Shade configuration

xcnt = count of encrypted files
xi = ID of the infected machine
xpk = RSA public key for encryption
xVersion = version of the current Shade ransomware

The command-and-control (C&C) server is a4ad4ip2xzclh6fd[.]onion; the malware drops a Tor client into %TEMP% to reach it. For each file, the content and the file name are encrypted with AES-256 in CBC mode, using two different keys. After encryption, the file is renamed to BASE64(AES(file_name)).ID_of_infected_machine.crypted000007.

Fig 12: Encrypted files

It drops a copy of itself at %ProgramData%\Windows\csrss.exe and creates a Run entry named "BurnAware" for that copy. It drops README1.txt through README10.txt on the desktop and changes the wallpaper as shown below.

Fig 13: Shade wallpaper

The README files contain the ransom note in both Russian and English.

Fig 14: Shade ransom note
Fig 15: Zscaler sandbox report for Shade/Troldesh ransomware

Case II: Phishing pages under the hidden directory

The graph below shows the different types of phishing pages under the hidden directory that we detected last month.

Fig 16: Phishing hits over one month

The phishing pages we have seen so far hosted under the SSL-validation directories target Office 365, Microsoft, DHL, Dropbox, Bank of America, Yahoo, Gmail, and others.
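For the responder side of the Shade case above, an added example that is not Zscaler's code: a triage routine for a file listing from an affected host. It recognises the BASE64(AES(file_name)).ID.crypted000007 naming scheme and the README1.txt to README10.txt ransom notes described above, and it rejects lookalike names whose base64 part does not decode to whole AES blocks, which genuine CBC output always does. The victim-ID character set, the stand-in ciphertext bytes, and the sample listing are assumptions and constructed data; only the extension, the name layout, and the README names come from the article.

```python
"""Triage a file listing for Shade/Troldesh encryption artefacts.

Added example for this article, not Zscaler's code. Uses only the naming scheme
the article describes, BASE64(AES(file_name)).<machine ID>.crypted000007, plus the
README1.txt..README10.txt ransom notes. Machine-ID alphabet and sample names below
are assumptions / constructed data.
"""
import base64
import binascii
import re
from collections import Counter

AES_BLOCK = 16            # AES-CBC ciphertext length is always a multiple of 16 bytes
SHADE_EXT = "crypted000007"
SHADE_NAME_RE = re.compile(
    r"^(?P<b64>[A-Za-z0-9+/_-]+={0,2})\.(?P<vid>[A-Za-z0-9]+)\." + SHADE_EXT + r"$"
)
README_RE = re.compile(r"^README(10|[1-9])\.txt$", re.IGNORECASE)


def parse_shade_name(name):
    """Return {'cipher_len': n, 'victim_id': id} when NAME follows the Shade scheme
    and its base64 part decodes to whole AES blocks; otherwise None."""
    m = SHADE_NAME_RE.match(name)
    if not m:
        return None
    # Tolerate a URL-safe alphabet as well as the standard one (assumption).
    b64 = m.group("b64").replace("-", "+").replace("_", "/")
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) == 0 or len(raw) % AES_BLOCK:
        return None  # CBC output cannot contain a partial block
    return {"cipher_len": len(raw), "victim_id": m.group("vid")}


def triage(listing):
    """Summarise a flat listing of file names: encrypted files per victim ID,
    ransom notes present, and names that only look like Shade output."""
    per_victim = Counter()
    notes, rejected = [], []
    for name in listing:
        parsed = parse_shade_name(name)
        if parsed:
            per_victim[parsed["victim_id"]] += 1
        elif name.endswith("." + SHADE_EXT):
            rejected.append(name)
        elif README_RE.match(name):
            notes.append(name)
    notes.sort(key=lambda n: int(re.sub(r"\D", "", n)))  # README1, README2, ..., README10
    return {"encrypted": dict(per_victim), "notes": notes, "rejected": rejected}


def _shade_name(cipher_len, vid):
    """Constructed lookalike: CIPHER_LEN stand-in bytes, not real AES output."""
    return base64.b64encode(bytes(range(cipher_len))).decode() + f".{vid}.{SHADE_EXT}"


# Constructed sample listing (victim IDs are made up).
SAMPLE_LISTING = [
    "budget.xlsx",                           # untouched file
    _shade_name(16, "5A3F9C1D"),             # one-block ciphertext name
    _shade_name(32, "5A3F9C1D"),
    _shade_name(48, "5A3F9C1D"),
    _shade_name(16, "7C2E9A41"),             # second victim ID, e.g. on a shared drive
    "cXVhcnRlcg==.5A3F9C1D.crypted000007",   # decodes to 7 bytes: not CBC output
    "README10.txt", "README1.txt", "README2.txt",
    "readme.txt",                            # ordinary file, ignored
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

The per-victim-ID count is the useful output: the ID in every file name is the same xi value the malware stores under its Configuration registry key, so a second ID in one listing means a second infected host has written into that location.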
Fig 17: OneDrive phishing page
Fig 18: Yahoo phishing page
Fig 19: DHL phishing page

IOCs:

aioshipping[.]com/.well-known/acme-challenge/msg.jpg
yourcurrencyrates[.]com/.well-known/pki-validation/mxr.pdf
rangtrangxinh[.]vn/.well-known/acme-challenge/msg.jpg
judge[.]education/.well-known/pki-validation/ssj.jpg
hoadaklak[.]com/.well-known/acme-challenge/ssj.jpg
nguyenlinh[.]vn/.well-known/acme-challenge/msg.jpg
rdsis[.]in/.well-known/pki-validation/msg.jpg
khanlanhdaklak[.]com/.well-known/acme-challenge/ssj.jpg
presse[.]schmutzki.de:80/.well-known/acme-challenge/messg.jpg
aioshipping[.]com:80/.well-known/acme-challenge/msg.jpg
yourcurrencyrates[.]com:80/.well-known/pki-validation/mxr.pdf
vinhomeshalongxanh[.]xyz:80/.well-known/pki-validation/ssj.jpg
titusrealestate[.]com.fj:80/.well-known/pki-validation/msg.jpg
dichvucong[.]vn:80/.well-known/acme-challenge/msg.jpg
myphamnarguerite[.]com:80/.well-known/acme-challenge/mxr.pdf
minifyurl[.]net:80/.well-known/pki-validation/mxr.pdf
judge[.]education:80/.well-known/pki-validation/ssj.jpg
minifyurl[.]net/.well-known/pki-validation/mxr.pdf
neccotweethearts[.]com:80/.well-known/pki-validation/mxr.pdf
backuptest[.]tomward.org.uk:80/.well-known/pki-validation/ssj.jpg
mobshop[.]schmutzki.de:80/.well-known/acme-challenge/messg.jpg
neccotweethearts[.]com/.well-known/pki-validation/mxr.pdf
myphamnarguerite[.]com/.well-known/acme-challenge/mxr.pdf
khanlanhdaklak[.]com:80/.well-known/acme-challenge/ssj.jpg
presse[.]schmutzki.de/.well-known/acme-challenge/messg.jpg
mobshop[.]schmutzki.de/.well-known/acme-challenge/messg.jpg
globalkabar[.]com/.well-known/pki-validation/sserv.jpg
ereservices[.]com:80/.well-known/pki-validation/ssj.jpg
dulichvietlao[.]vn:80/.well-known/acme-challenge/ssj.jpg
backuptest[.]tomward.org.uk/.well-known/pki-validation/ssj.jpg
mamycloth[.]store:80/.well-known/acme-challenge/msg.jpg
business[.]driverclub.co:80/.well-known/pki-validation/msg.jpg
vinhomeshalongxanh[.]xyz/.well-known/pki-validation/ssj.jpg
dichvucong[.]vn/.well-known/acme-challenge/msg.jpg
thuducland[.]net/.well-known/acme-challenge/sserv.jpg
sahabathasyim[.]com/.well-known/acme-challenge/sserv.jpg
rangtrangxinh[.]vn:80/.well-known/acme-challenge/msg.jpg
lovecookingshop[.]com:80/.well-known/pki-validation/ssj.jpg
ereservices[.]com/.well-known/pki-validation/ssj.jpg
hoadaklak[.]com:80/.well-known/acme-challenge/ssj.jpg
ceroshop[.]net/.well-known/acme-challenge/nba1.jpg
thuducland[.]net:80/.well-known/acme-challenge/sserv.jpg
lovecookingshop[.]com/.well-known/pki-validation/ssj.jpg
entrenadorpersonalterrassa[.]com.es:80/.well-known/acme-challenge/mxr.pdf
epifaniacr[.]net:80/.well-known/pki-validation/ssj.jpg
titusrealestate[.]com.fj/.well-known/pki-validation/msg.jpg
globalkabar[.]com:80/.well-known/pki-validation/sserv.jpg
sahabathasyim[.]com:80/.well-known/acme-challenge/sserv.jpg
dulichvietlao[.]vn/.well-known/acme-challenge/ssj.jpg
argfoodfest[.]e-zero.com.ar:80/.well-known/pki-validation/ssj.jpg
aa[-]publisher.com:80/.well-known/mxr.pdf
duandojiland[-]sapphire.com:80/.well-known/pki-validation/ssj.jpg
master[-]of-bitcoin.net/.well-known/pki-validation/messg.jpg
ea[-]no7.net/.well-known/pki-validation/messg.jpg
tropictowersfiji[.]com/.well-known/pki-validation/msg.jpg
test[.]digimarkting.com/.well-known/pki-validation/msges.jpg
tebarameatsfiji[.]com/.well-known/pki-validation/msg.jpg
sbs[.]ipeary.com/.well-known/pki-validation/msges.jpg
sbs[.]ipeary.com/.well-known/pki-validation/msg.jpg
samyaksolution[.]co.in/.well-known/pki-validation/msges.jpg
samyaksolution[.]co.in/.well-known/pki-validation/msg.jpg
rosyheartsfiji[.]com/.well-known/pki-validation/pik.zip
needcareers[.]com/.well-known/pki-validation/msges.jpg
natristhub[.]club/.well-known/pki-validation/msges.jpg
natristhub[.]club/.well-known/pki-validation/msg.jpg
mytripland[.]com:80/.well-known/pki-validation/sserv.jpg
learning[.]ipeary.com/.well-known/pki-validation/msg.jpg
ipeari[.]com/.well-known/pki-validation/msg.jpg
diennangmattroi[.]com/.well-known/pki-validation/msges.jpg
diennangmattroi[.]com/.well-known/pki-validation/msg.jpg
alonhadat24h[.]vn/.well-known/acme-challenge/update_2018_02.browser-components.zip
24bizhub[.]com/.well-known/pki-validation/msges.jpg
24bizhub[.]com/.well-known/pki-validation/msg.jpg
thinkmonochrome[.]co.uk/.well-known/acme-challenge/messg.jpg
test[.]digimarkting.com/.well-known/pki-validation/msg.jpg
needcareers[.]com/.well-known/pki-validation/msg.jpg
hanggiadungduc[.]vn/.well-known/acme-challenge/reso.zip
designitpro[.]net/.well-known/acme-challenge/msg.jpg
zanatika[.]com:80/.well-known/acme-challenge/ssj.jpg
vina[.]fun:80/.well-known/acme-challenge/ssj.jpg
nexusdental[.]com.mx/.well-known/acme-challenge/ssj.jpg
neccotweethearts[.]com:80/.well-known/pki-validation/ssj.jpg
jayc[-]productions.com:80/.well-known/acme-challenge/ssj.jpg
indochine[-]mekong.com:80/.well-known/acme-challenge/ssj.jpg
hexamersolution[.]com/.well-known/acme-challenge/msg.jpg
hexacode[.]lk:80/.well-known/acme-challenge/ssj.jpg
dongha[.]city:80/.well-known/acme-challenge/ssj.jpg
domika[.]vn/.well-known/acme-challenge/msg.jpg
coupanadda[.]in:80/.well-known/pki-validation/ssj.jpg
choviahe[.]cf:80/.well-known/acme-challenge/ssj.jpg
brace[-]dd.com/.well-known/pki-validation/msg.jpg
angkaprediksi[.]fun/.well-known/acme-challenge/msg.jpg
advancitinc[.]com/.well-known/pki-validation/msg.jpg
vodai[.]bid/.well-known/pki-validation/ssj.jpg
thucphammena[.]com/.well-known/acme-challenge/ssj.jpg
thefoodgram[.]com/.well-known/acme-challenge/tehnikol.zip
thefoodgram[.]com/.well-known/acme-challenge/stroi-industr.zip
shopkimhuyen[.]com/.well-known/acme-challenge/msg.jpg
shine[.]bmt.city/.well-known/acme-challenge/ssj.jpg
sbs[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip
needcareers[.]com/.well-known/pki-validation/tehnikol.zip
needcareers[.]com/.well-known/pki-validation/stroi-industr.zip
maithanhduong[.]com/.well-known/pki-validation/pik.zip
luongynhiem[.]com/.well-known/pki-validation/gkpik.zip
lichxuansaigon[.]com:80/.well-known/acme-challenge/ssj.jpg
kinder[-]express.de/.well-known/acme-challenge/reso.zip
khannen[.]com.vn/.well-known/acme-challenge/ssj.jpg
jayc[-]productions.com/.well-known/acme-challenge/ssj.jpg
jambanswers[.]org/.well-known/pki-validation/ssj.jpg
intercontinentalglobalservice[.]com:80/.well-known/pki-validation/ssj.jpg
gurusexpo[.]com.ng/.well-known/pki-validation/ssj.jpg
gotrungtuan[.]online/.well-known/acme-challenge/ssj.jpg
goindelivery[.]com/.well-known/pki-validation/major.zip
fernandoherrera[.]me:80/.well-known/acme-challenge/ssj.jpg
diennangmattroi[.]com/.well-known/pki-validation/stroi-industr.zip
canhooceangate[.]com/.well-known/acme-challenge/sserv.jpg
bramptonpharmacy[.]ca/.well-known/acme-challenge/msg.jpg
bolt[-]fast.com/.well-known/pki-validation/gkpik.zip
bmt[.]today/.well-known/acme-challenge/ssj.jpg
blog[.]ponta-fukui.com/.well-known/pki-validation/pik.zip
bhartivaish[.]com:80/.well-known/acme-challenge/ssj.jpg
attireup[.]com/.well-known/acme-challenge/tehnikol.zip
attireup[.]com/.well-known/acme-challenge/stroi-industr.zip
acreationevents[.]com/.well-known/acme-challenge/msg.jpg
yeu82[.]com/.well-known/acme-challenge/ssj.jpg
yeu81[.]com/.well-known/acme-challenge/ssj.jpg
yeu49[.]com/.well-known/acme-challenge/ssj.jpg
yeu48[.]com/.well-known/acme-challenge/ssj.jpg
vuacacao[.]com/.well-known/acme-challenge/ssj.jpg
vision[-]ex.de/.well-known/acme-challenge/reso.zip
vinaykhatri[.]in/.well-known/acme-challenge/ssj.jpg
vinaykhatri[.]in/.well-known/acme-challenge/mxr.pdf
variantmag[.]com/.well-known/acme-challenge/sserv.jpg
valentinesblues[.]com/.well-known/pki-validation/sserv.jpg
uyencometics[.]bmt.city/.well-known/acme-challenge/ssj.jpg
tysonfury[.]rocks/.well-known/acme-challenge/msg.jpg
tulipremodeling[.]com/.well-known/acme-challenge/sserv.jpg
tropictowersfiji[.]com/.well-known/pki-validation/pik.zip
thesaturnring[.]com/.well-known/acme-challenge/mxr.pdf
theotokis[.]gr/.well-known/pki-validation/mxr.pdf
thefashionelan[.]com/.well-known/pki-validation/msg.jpg
tanione[.]com:80/.well-known/acme-challenge/ssj.jpg
tanione[.]com/.well-known/acme-challenge/ssj.jpg
steeveriano[.]com/.well-known/pki-validation/msg.jpg
singleparentaustralia[.]com.au/.well-known/pki-validation/reso.zip
shafercharacter[.]org/.well-known/acme-challenge/messg.jpg
service[.]baynuri.net/.well-known/acme-challenge/messg.jpg
samyaksolution[.]co.in/.well-known/pki-validation/rolf.zip
realman[.]work/.well-known/acme-challenge/reso.zip
rarejewelry[.]net/.well-known/acme-challenge/mxr.pdf
rarejewelry[.]net/.well-known/acme-challenge/messg.jpg
qsongchihotel[.]com/.well-known/acme-challenge/ssj.jpg
panama[.]driverclub.co/.well-known/pki-validation/pic.zip
ngheve[.]com/.well-known/acme-challenge/ssj.jpg
nfc[.]com.vn/.well-known/acme-challenge/msg.jpg
next[-]vision.ro/.well-known/pki-validation/ssj.jpg
newsnaija[.]ng/.well-known/pki-validation/ssj.jpg
newsnaija[.]ng/.well-known/pki-validation/mxr.pdf
neelshivamlaw[.]com/.well-known/pki-validation/pic.inform.zip
neccotweethearts[.]com/.well-known/pki-validation/ssj.jpg
navegacaolacet[.]com.br/.well-known/acme-challenge/msg.jpg
mytripland[.]com/.well-known/pki-validation/ssj.jpg
myschoolmarket[.]com.ng/.well-known/acme-challenge/ssj.jpg
mskhangroup[.]com/.well-known/pki-validation/pic.zip
mskhangroup[.]com/.well-known/pki-validation/msg.jpg
morganbits[.]com/.well-known/acme-challenge/mxr.pdf
mo7o[.]fun:80/.well-known/acme-challenge/mxr.pdf
mitsubishidn[.]com.vn/.well-known/acme-challenge/sserv.jpg
meliscar[.]com:80/.well-known/pki-validation/ssj.jpg
meliscar[.]com/.well-known/pki-validation/ssj.jpg
manhattan[.]dangcaphoanggia.com/.well-known/acme-challenge/mxr.pdf
maithanhduong[.]com/.well-known/pki-validation/msg.jpg
lichxuansaigon[.]com/.well-known/acme-challenge/ssj.jpg
lemon[-]remodeling.com/.well-known/acme-challenge/sserv.jpg
lastra[.]top/.well-known/pki-validation/msg.jpg
laflamme[-]heli.com/.well-known/acme-challenge/ssj.jpg
laflamme[-]heli.com/.well-known/acme-challenge/sserv.jpg
kousen[.]fire-navi.jp/.well-known/pki-validation/msg.jpg
jambanswers[.]org/.well-known/pki-validation/vseros.bank.zakaz.docx.zip
integramultimedia[.]com.mx/.well-known/acme-challenge/ssj.jpg
incgoin[.]com/.well-known/pki-validation/reso.zip
hexacode[.]lk/.well-known/acme-challenge/ssj.jpg
happysungroup[.]de/.well-known/pki-validation/ssj.jpg
goindelivery[.]com/.well-known/pki-validation/reso.zip
goindelivery[.]com/.well-known/pki-validation/msg.jpg
goindelivery[.]com/.well-known/pki-validation/kia.zip
gnb[.]uz/.well-known/pki-validation/ssj.jpg
geecee[.]co.za/.well-known/pki-validation/msg.jpg
geecee[.]co.za/.well-known/pki-validation/kia.zip
gdn[.]segera.live/.well-known/pki-validation/sserv.jpg
fijidirectoryonline[.]com/.well-known/pki-validation/msg.jpg
fastimmo[.]fr/.well-known/acme-challenge/sserv.jpg
ereservices[.]com/.well-known/pki-validation/sserv.jpg
ede[.]coffee/.well-known/acme-challenge/ssj.jpg
dongydaisinhduong[.]com/.well-known/acme-challenge/messg.jpg
diota[-]ar.com:80/.well-known/acme-challenge/mxr.pdf
diota[-]ar.com/.well-known/acme-challenge/mxr.pdf
diamondking[.]co/.well-known/pki-validation/sserv.jpg
dev01[.]europeanexperts.com/.well-known/pki-validation/messg.jpg
designitpro[.]net/.well-known/acme-challenge/reso.zip
damuoigiasi[.]com/.well-known/acme-challenge/ssj.jpg
dailynow[.]vn/.well-known/acme-challenge/msg.jpg
choviahe[.]cf/.well-known/acme-challenge/ssj.jpg
cellulosic[.]logicalatdemo.co.in/.well-known/pki-validation/ssj.jpg
business[.]driverclub.co/.well-known/pki-validation/msg.jpg
bhartivaish[.]com/.well-known/acme-challenge/sserv.jpg
bcspremier[.]ru/promo/well-known/images/background_sm.jpg
bcspremier[.]ru/promo/well-known/images/background_lg.jpg
atiqah[.]my/.well-known/pki-validation/sserv.jpg
aanarehabcenter[.]com:80/.well-known/pki-validation/ssj.jpg
aanarehabcenter[.]com/.well-known/pki-validation/ssj.jpg
24bizhub[.]com/.well-known/pki-validation/tehnikol.zip
24bizhub[.]com/.well-known/pki-validation/stroi-industr.zip
ipeari[.]com/.well-known/pki-validation/msg.jpg
ipeari[.]com/.well-known/pki-validation/reso.zip
ipeari[.]com/.well-known/pki-validation/stroi-industr.zip
ipeari[.]com/.well-known/pki-validation/stroi-invest.zip
ipeari[.]com/.well-known/pki-validation/tehnikol.zip
learning[.]ipeary.com/.well-known/pki-validation/msg.jpg
learning[.]ipeary.com/.well-known/pki-validation/reso.zip
learning[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip
learning[.]ipeary.com/.well-known/pki-validation/stroi-invest.zip
learning[.]ipeary.com/.well-known/pki-validation/tehnikol.zip
test[.]digimarkting.com/.well-known/pki-validation/msg.jpg
test[.]digimarkting.com/.well-known/pki-validation/reso.zip
test[.]digimarkting.com/.well-known/pki-validation/stroi-industr.zip
test[.]digimarkting.com/.well-known/pki-validation/stroi-invest.zip
test[.]digimarkting.com/.well-known/pki-validation/tehnikol.zip
SBS[.]ipeary.com/.well-known/pki-validation/msg.jpg
SBS[.]ipeary.com/.well-known/pki-validation/reso.zip
SBS[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip
SBS[.]ipeary.com/.well-known/pki-validation/stroi-invest.zip
SBS[.]ipeary.com/.well-known/pki-validation/tehnikol.zip
singleparentaustralia[.]com.au/.well-known/pki-validation/msg.jpg
singleparentaustralia[.]com.au/.well-known/pki-validation/reso.zip
natristhub[.]club/.well-known/pki-validation/msg.jpg
natristhub[.]club/.well-known/pki-validation/reso.zip
natristhub[.]club/.well-known/pki-validation/stroi-industr.zip
natristhub[.]club/.well-known/pki-validation/stroi-invest.zip
natristhub[.]club/.well-known/pki-validation/tehnikol.zip
natristhub[.]club/.well-known/pki-validation/tehnikol1.zip
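To turn the list above into a detection on the web-server side, an added example that is not part of the original post: a Python hunt over Apache/nginx combined-format access logs. It refangs entries in the article's IOC notation (host[.]tld, optional :port, [-] for a hyphen) into (host, path) pairs scoped to one virtual host, reports exact IOC hits, and also reports the generic pattern behind every IOC above, a request under /.well-known/acme-challenge/ or /.well-known/pki-validation/ for a file with an extension other than .txt, which genuine validation tokens never have. The four IOC entries are copied verbatim from the list above; the log lines, client addresses, sizes, and user agents are constructed.

```python
"""Hunt combined-format web access logs for /.well-known/ abuse.

Added example for this article, not Zscaler's tooling. IOC entries below are
copied from the article's list; the log lines are constructed, not real traffic.
"""
import re
from urllib.parse import urlsplit

IOCS = [
    "aioshipping[.]com:80/.well-known/acme-challenge/msg.jpg",
    "yourcurrencyrates[.]com/.well-known/pki-validation/mxr.pdf",
    "ipeari[.]com/.well-known/pki-validation/reso.zip",
    "master[-]of-bitcoin.net/.well-known/pki-validation/messg.jpg",
]

# Apache/nginx "combined" log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
VALIDATION_PATH_RE = re.compile(r"^/\.well-known/(acme-challenge|pki-validation)/([^/?]+)")


def refang(ioc):
    """'host[.]tld:80/path' -> ('host.tld', '/path'); port dropped, [-] restored."""
    clean = ioc.replace("[.]", ".").replace("[-]", "-")
    parts = urlsplit("http://" + clean)
    return parts.hostname, parts.path


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["status"] = int(rec["status"])
    return rec


def hunt(log_lines, vhost, iocs=IOCS):
    """Return [(reason, client_ip, path, bytes_sent)] for LOG_LINES of VHOST."""
    ioc_paths = {path for host, path in map(refang, iocs) if host == vhost}
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = urlsplit(rec["path"]).path  # drop any query string before matching
        if path in ioc_paths:
            hits.append(("ioc-match", rec["ip"], path, rec["size"]))
            continue
        m = VALIDATION_PATH_RE.match(path)
        if not m:
            continue
        leaf = m.group(2)
        ext = leaf.rsplit(".", 1)[1].lower() if "." in leaf else ""
        if ext not in ("", "txt"):  # tokens have no extension; file validation is .txt
            hits.append(("unexpected-extension", rec["ip"], path, rec["size"]))
    return hits


# Constructed log excerpt for the vhost aioshipping.com (addresses from RFC 5737
# documentation ranges; the first line imitates a CA validation fetch).
SAMPLE_LOG = """
198.51.100.7 - - [02/Mar/2019:10:14:03 +0000] "GET /.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.45 - - [02/Mar/2019:11:02:51 +0000] "GET /.well-known/acme-challenge/msg.jpg HTTP/1.1" 200 1212416 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
203.0.113.46 - - [02/Mar/2019:11:03:12 +0000] "GET /.well-known/acme-challenge/inst.htm HTTP/1.1" 200 412 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.10 - - [02/Mar/2019:11:05:00 +0000] "GET /.well-known/pki-validation/9F1C3B2A7E.txt HTTP/1.1" 200 44 "-" "curl/7.64.0"
198.51.100.99 - - [02/Mar/2019:11:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2391 "-" "Mozilla/5.0"
203.0.113.47 - - [02/Mar/2019:11:09:27 +0000] "GET /.well-known/pki-validation/mxr.pdf?x=1 HTTP/1.1" 404 - "-" "Mozilla/5.0"
""".strip().splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, "aioshipping.com"):
        print(hit)
```

The 404 for mxr.pdf is worth keeping in the output: deleting the file does not stop the malspam that links to it, and the clients still requesting it are the victims of that campaign. Bytes-sent is the other useful column, since a validation fetch returns a few dozen bytes while a ransomware payload is hundreds of kilobytes.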



*** This is a Security Bloggers Network syndicated blog from Research Blog authored by MSadique@zscaler.com. Read the original post at: https://www.zscaler.com/blogs/research/abuse-hidden-well-known-directory-https-sites