Below are three examples of compromised sites that I’ve found in the last couple of days:
As you can see from the code above, a Flash application is embedded within the page, but with parameters that make it invisible to the user (setting the opacity property to 0 means the Flash object still takes up space but is not displayed). It can also be tricky to spot in the source code because the injection employs an IP address logging technique: the injected code is not served a second time to an IP address that has already visited the site (I’ve been using a proxy to avoid this). This makes it especially challenging for unsuspecting site owners to detect and remediate their site, since their own IPs have likely been flagged already.
Another interesting aspect of this injected script is that the source URL for the Flash redirector is dynamic and changes frequently. I’ve seen the source URL change multiple times in one day. What is consistent, however, is that the Flash files typically come from “exotic” ccTLDs like .tk, .ml, .ga, .ve, .mx, .ar, .br, and .ru, but, as you can see in the pictures above, they can even come from gTLDs like .com. The DNS records from this week show what I’m talking about:
A little more background before we continue… The reason this campaign was originally named EITest is because the variable “id” shown in the injected script once contained the name EITest. As you can see from the three compromised sites I found this week, that is no longer the case. For instance, we have id = “mpjyzf” in the 1st picture, “vxzjip” in the 2nd, and “yuyco” in the 3rd.
While the id names might have changed, the operators are still using the exact same attack pattern as before. It starts with a hacked website, and at the moment the majority of these seem to be outdated WordPress sites. Once access is obtained, the threat actors conditionally embed the script at the bottom of the site’s page source. Lastly you have the Flash redirector (gate), the Flash exploit (Angler EK), and then the final payload (Ransomware, Bedep, etc).
Here we can see the structure of the .swf redirector:
De-compiling the file we can begin to see ActionScript code that has been obfuscated:
The FlashVars variables a and b (from the code embedded in the compromised site) are passed to the ActionScript code.
The ActionScript code is used to force unwanted redirections; in other words, it contains an iframe. Further analysis shows that the Flash file is also acting as a filter, redirecting traffic only when certain criteria are met.
Once a user visits the compromised site and is served the .swf redirector, the gate feeds it some script (window.self.location.replace) that loads the EK landing page:
Here is the HTTP request to the Angler EK landing page, followed by the response:
Finally the EK would serve up an exploit and then drop a payload.
If the infection chain above wasn’t clear here is a great summary of the steps used by the EITest campaign from Brad over at malware-traffic-analysis.net:
Step 1 – Compromised website with injected EITest script.
Step 2 – EITest script causes host to retrieve Flash file from EITest gate.
Step 3 – Flash file from EITest gate is used to generate HTTP GET request to Angler EK landing page.
Step 4 – Angler EK landing page has script that determines if the computer has any vulnerable applications.
Step 5 – Angler EK sends an exploit tailored to the vulnerable applications (For example, out-of-date versions of IE, Flash player, Silverlight).
Step 6 – The exploit, if successful, will cause Angler EK to send the payload and execute it as a background process.
Step 7 – The host is infected by the malware payload sent by Angler EK.
IOCs:
Regex to find embedded redirection URLs: .php?(s|)id=[A-Z0-9]{50}
MD5 for Flash redirector: 596c8a11b03c2ef9d890f85c631ba5e8
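To show how a site owner or responder could put the description above and the IOCs to use, here is an added example (my own code, not from the original post) that scans a page’s HTML for Flash objects that are either hidden from the user (opacity 0, display:none, or zero size) or whose source URL matches the redirector regex, and that compares a file’s MD5 against the listed redirector hash. The sample HTML, the gate hostname and the id value are constructed for the example; the regex is the post’s, with the dot and question mark escaped so they match literally, which is my assumption about how it was meant to be read.

```python
import hashlib
import re

# Regex from the post's IOC list, with "." and "?" escaped so they match
# literally (escaping is an assumption; the post prints it unescaped).
GATE_URL_RE = re.compile(r"\.php\?(s|)id=[A-Z0-9]{50}")

# MD5 of the Flash redirector as listed in the post's IOCs.
KNOWN_REDIRECTOR_MD5 = {"596c8a11b03c2ef9d890f85c631ba5e8"}

TAG_RE = re.compile(r"<(object|embed)\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w[\w-]*)\s*=\s*"([^"]*)"')
HIDDEN_STYLE_RE = re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.IGNORECASE)

# Constructed page fragment mimicking the described injection: one invisible
# Flash object pointing at a gate URL, plus a legitimate, visible player.
SAMPLE_HTML = """<html><body>
<p>Legitimate content.</p>
<object type="application/x-shockwave-flash"
        data="http://gate.example.tk/s.php?sid=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789ABCDEFGHIJKLMN"
        style="opacity:0; position:absolute;" width="10" height="10">
  <param name="FlashVars" value="a=exampleid&amp;b=1">
</object>
<embed src="http://cdn.example.com/player.swf" width="640" height="360">
</body></html>
"""


def _attrs(tag_text):
    """Parse double-quoted attributes of a single tag into a dict."""
    return {k.lower(): v for k, v in ATTR_RE.findall(tag_text)}


def is_hidden(attrs):
    """True if the element is styled so the user cannot see it."""
    style = attrs.get("style", "")
    if HIDDEN_STYLE_RE.search(style):
        return True
    if "display:none" in style.replace(" ", "").lower():
        return True
    return attrs.get("width") == "0" and attrs.get("height") == "0"


def find_suspicious_flash_embeds(html):
    """Return one finding per <object>/<embed> that loads Flash and is either
    hidden from the user or points at a URL matching the gate regex."""
    findings = []
    for m in TAG_RE.finditer(html):
        attrs = _attrs(m.group(0))
        src = attrs.get("data") or attrs.get("src") or ""
        is_flash = (src.lower().endswith(".swf")
                    or "shockwave-flash" in attrs.get("type", "").lower())
        if not is_flash:
            continue
        hidden = is_hidden(attrs)
        gate = bool(GATE_URL_RE.search(src))
        if hidden or gate:
            findings.append({"tag": m.group(1).lower(), "src": src,
                             "hidden": hidden, "gate_url": gate})
    return findings


def md5_hex(data):
    """Hex MD5 digest of a byte string (e.g. a downloaded .swf)."""
    return hashlib.md5(data).hexdigest()


def is_known_redirector(data):
    """True if the file's MD5 is in the IOC list."""
    return md5_hex(data) in KNOWN_REDIRECTOR_MD5


if __name__ == "__main__":
    for f in find_suspicious_flash_embeds(SAMPLE_HTML):
        print("suspicious <%s>: hidden=%s gate_url=%s src=%s"
              % (f["tag"], f["hidden"], f["gate_url"], f["src"]))
    print("known redirector:", is_known_redirector(b"not the real swf"))
```

Run it against saved page source from a machine whose IP has not already been flagged (or through a proxy, as the post notes), since the injected code is only served once per IP; the visible player.swf in the sample is deliberately not reported.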