Terror Exploit Kit via Malvertising campaign

Terror Exploit Kit (EK) is one of the newer EKs that came onto the scene in early 2017 and was mentioned in our Winter 2017 quarterly EK roundup, where it was mainly installing ccminer Bitcoin mining applications. Terror EK activity has been low throughout the year, but we are starting to see an uptick in activity delivered via malvertising campaigns in the past two months. The graph below shows Terror EK activity for the past two months.

Figure 1: Terror EK activity between September 1 and October 23, 2017.

The image below shows recent Terror EK cycles from this month.

Figure 2: Terror Exploit Kit cycles.

In this blog, we will look at the Terror EK flow and a few changes in the exploit kit that we observed in the recent campaign. Terror EK redirects are seen in the form of fake advertisement pop-ups; one such advertisement is shown below.

Figure 3: Terror EK malvertisement website.

The malvertising campaigns have themes like '20 minute fat loss', 'quit smoking' and 'science'. A few of the redirects were from the Propeller Ads media network, through their onclkdsnet domain.

The initial JavaScript that gets served via a malicious advertisement page is obfuscated, as seen below.

Figure 4: Obfuscated JavaScript loaded by the malvertisement website.

The deobfuscated version of this JavaScript is shown below.

Figure 5:...

BESCOM users being redirected to RIG EK

BESCOM (Bangalore Electricity Supply Company Limited) is responsible for power distribution in eight districts of the Indian state of Karnataka. It covers an area of roughly 15,900 square miles and serves a population of roughly 20 million people. Zscaler ThreatLabZ researchers recently discovered that malicious actors strategically placed malicious redirects on the bill payment page of the BESCOM portal. These redirects were active on 11 September 2017 and made the website unusable.

We also observed redirects to the RIG exploit kit (EK) coming from bescomorg/en/paybill/, which was sending users to the RIG landing page URL below:

188.225.8240/?NTU4NzYx&party=UDVXgiUfTfABgyYxZBggX8v37h0XQzkOYhp7X-.....

Figure 1: RIG EK redirect hits from bescomorg/en/paybill/

Subsequent attempts to load bescomorg/en/paybill resulted in redirects to cryptocurrency scam sites and to YouTube videos promoting cryptocurrency scams. The redirect occurs because of a meta refresh tag on the BESCOM page, which, in this instance, redirects users to http://btc100xrocks.

Figure 2: btc100xrocks redirect

The second redirect we observed was to a YouTube video scam encouraging users to transfer their Bitcoins in order to multiply them. The redirect and a screenshot of the video can be seen below.

Figure 3: Scam YouTube video redirect

Figure 4: Scam YouTube video

Overview of the RIG EK cycle at 188.225.8240

When we tested the RIG redirect, we found that it was still...