Exploit kits are a recurring threat we have discussed on this blog as a way of driving users to malicious content. Users typically reach exploit kit landing pages through compromised websites and malvertising. However, we have found a new email-based twist on the usual procedure for getting users into the exploit kit infection chain.
Usually when we see compromised websites serving exploit kit gates, malicious iframes have been dropped on single pages or throughout the entire site. These iframes point either directly to an exploit kit landing page or to a gate. Using a gate lets the adversary change the location of the landing page without touching the compromised WordPress site. In the spam campaign we detected and blocked, adversaries instead linked users to "hidden" web pages (pages planted within the site's directory structure) on these sites rather than to existing pages containing an iframe.
[Figure: Sample Spam Message]
Process

We are always looking at exploit kit behavior to find the techniques the adversaries are using and to determine whether there are ways we can detect and block it. While doing this research yesterday we noticed something a little odd. We were looking at Angler infection runs and stumbled across what looked like a new gate.
It isn't uncommon to see redirection to Angler from compromised WordPress sites, but it usually doesn't use a dedicated sub-page. The normal behavior is for iframes to be dropped into random existing pages on the website; embedding the iframe in pages that already get traffic ensures that users actually browse to it. A standalone page that nothing on the site links to pointed to users being driven to that specific URL by other means.
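The two host-side symptoms described above (a hidden or off-site iframe dropped into existing pages, versus a standalone HTML page planted in the directory tree) are both things a site owner can check for directly. The following triage script is an added example written for this post, not Talos tooling or anything recovered from the compromised sites; it builds a small constructed WordPress-style docroot in a temporary directory (all hostnames are placeholders under the reserved .invalid TLD) and flags both kinds of injection. The assumption that a stock install serves every page through PHP templates, so that any static .html file below the docroot is worth a look, is this example's own.

```python
import os
import re
import tempfile

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Hidden if sized to zero or styled invisible (the usual way a dropped gate is concealed).
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0(?![0-9])|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)""", re.IGNORECASE)
SCAN_EXT = (".php", ".html", ".htm")


def iframe_findings(path, rel, site_hosts):
    """Flag iframes that are hidden or point off-site (the classic dropped gate)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    out = []
    for tag in IFRAME_RE.findall(text):
        m = SRC_RE.search(tag)
        src = m.group(1) if m else ""
        hidden = bool(HIDDEN_RE.search(tag))
        offsite = src.startswith(("http://", "https://", "//")) and not any(
            h in src for h in site_hosts
        )
        if hidden or offsite:
            out.append({"kind": "iframe", "path": rel, "src": src, "hidden": hidden})
    return out


def triage(root, site_hosts):
    """Walk a docroot and return injected-iframe and stray-HTML findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext not in SCAN_EXT:
                continue
            findings.extend(iframe_findings(full, rel, site_hosts))
            # Assumption for this example: pages are served through PHP templates, so a
            # static .html file below the docroot (readme.html at the root is expected)
            # is a page the adversary could have planted and be linking to directly.
            if ext in (".html", ".htm") and "/" in rel:
                findings.append({"kind": "stray_html", "path": rel, "src": "", "hidden": False})
    return sorted(findings, key=lambda f: (f["kind"], f["path"]))


def build_sample_site(root):
    """Constructed sample docroot for this example, not a real compromised site."""
    files = {
        "index.php": "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';",
        "readme.html": "<html><body>Welcome to WordPress.</body></html>",
        # Dropped gate: zero-sized, hidden, pointing at a placeholder off-site host.
        "wp-content/themes/twentyfifteen/footer.php": (
            "<footer><?php wp_footer(); ?></footer>\n"
            '<iframe src="http://gate.invalid/in.php" width="0" height="0" style="display:none"></iframe>\n'
        ),
        # Legitimate same-site embed: should not be flagged.
        "wp-content/themes/twentyfifteen/header.php": (
            '<iframe src="https://blog.invalid/embed/video" width="560" height="315"></iframe>'
        ),
        # Planted standalone page of the kind the spam links to.
        "wp-content/uploads/order/order_details.html": (
            '<html><body><img src="loading.gif" alt="Please wait..."></body></html>'
        ),
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo():
    """Build the constructed site in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return triage(root, site_hosts=("blog.invalid",))


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

On a real site you would point `triage()` at the docroot and pass the site's own hostnames; the hidden-iframe check is intentionally loose (any zero-sized or invisible iframe), so review the hits rather than deleting them blindly, and treat a stray .html hit as a prompt to check the file's modification time and the web server logs for who requested it.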
We began digging around in various data sources and found something surprising: spam redirection. While searching we stumbled on a link to the URL being presented in an email message, a sample of which is shown above.
The basic structure of the message begins with a "Thank you for your order" and asks the recipient to visit a site for the details. The campaign itself lasted only a couple of hours and used a wide variety of company names, including well-known brands such as Amazon, AT&T, Comcast, and General Electric, as well as a mix of lesser-known or non-existent companies. We found a total of ~900 different company names used in the campaign, all of which are listed in the IOC section.
The links pointed to a series of compromised WordPress sites, using different folder structures but all ending in /order/order_details.html. A total of 22 different WordPress sites were leveraged to host the activity; a full list is found below:
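The two indicators that survive across all 22 sites and ~900 company names are the fixed subject line and the fixed path suffix, which is what a mail-side detection should key on rather than the sender name. The script below is an added example written for this post, not Talos tooling or an ESA rule; it parses two constructed sample messages (placeholder hosts under the reserved .invalid TLD, not the campaign's real senders or sites), extracts the URLs, and returns a verdict. The three-tier verdict scheme (block on the landing-page path, review on subject alone, pass otherwise) is this example's own choice.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Indicators taken from the campaign described above.
LURE_SUBJECT = "Your Online Order was Successfully Submitted. Thank You!"
LURE_PATH_SUFFIX = "/order/order_details.html"
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample messages for this example (not captures from the campaign);
# every hostname is a placeholder under the reserved .invalid TLD.
LURE_EMAIL = b"""From: orders@example-shop.invalid
To: victim@example.invalid
Subject: Your Online Order was Successfully Submitted. Thank You!
Content-Type: text/plain; charset=utf-8

Thank you for your order with Example Shop.
View your order details here:
http://compromised-blog.invalid/wp-content/uploads/order/order_details.html.
"""

BENIGN_EMAIL = b"""From: billing@example-shop.invalid
To: victim@example.invalid
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Sign in at https://example-shop.invalid/account/statements to view it.
"""


def extract_urls(msg):
    """Pull every http(s) URL out of the text parts of a parsed message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                urls.append(url.rstrip(".,;:)"))  # drop trailing sentence punctuation
    return urls


def score_message(raw):
    """Return the indicators matched plus a verdict: block / review / pass."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    urls = extract_urls(msg)
    # Compare on the URL path only, so the 22 different hosts and folder layouts all match.
    lure_urls = [u for u in urls if urlparse(u).path.lower().endswith(LURE_PATH_SUFFIX)]
    subject_match = subject == LURE_SUBJECT
    if lure_urls:
        verdict = "block"   # the landing-page path is the strongest indicator
    elif subject_match:
        verdict = "review"  # subject alone could be a legitimate retailer's template
    else:
        verdict = "pass"
    return {"subject_match": subject_match, "lure_urls": lure_urls, "verdict": verdict}


if __name__ == "__main__":
    print(score_message(LURE_EMAIL))
    print(score_message(BENIGN_EMAIL))
```

The path check is case-insensitive and ignores the host on purpose: the adversary can rotate compromised sites faster than a host blocklist can be updated, but the planted page name was constant for the whole campaign. If the campaign shifts to a new page name, the subject-line tier still surfaces the lure for review.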
Infection

If the user does click the URL and goes to the page, they are greeted with a GIF showing a "Please wait…" spinner animation.
Here is how the infection actually occurs. When the user clicks the link from the email above they are presented with the following code:
Angler Proxy Server:
Subject: Your Online Order was Successfully Submitted. Thank You!
Conclusion

Exploit kits are compromising users in alarming numbers and their reach continues to grow. First it was compromised websites and malicious ads. Now it's a combination of spam emails and compromised WordPress sites being used as the gate into the malicious activity. Exploit kit users and authors are going to continue to push the envelope and evolve to compromise as many users as possible. With ransomware being a major way of generating revenue, the competition to compromise vulnerable users is only going to increase. That's why we pay attention to these threats, release IOCs, and develop protections not only for our user base but for the community in general.
As long as adversaries are compromising users via exploit kits, we will remain diligent in finding the activity and stopping it in as many different ways as possible.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.
ESA can block malicious emails sent by threat actors as part of their campaign.