Researchers report Angler Exploit Kit attacks have become more brazen and are now targeting top websites with new tricks that can evade browser-based antimalware protection.
Karl Sigler, a SpiderLabs researcher at Trustwave, told Threatpost his lab found the Angler Exploit Kit on a popular website for the second time in a week, exposing just under a million monthly visitors to possible TeslaCrypt ransomware infections. Sigler said Trustwave researchers spotted the exploit on Extendoffice[.]com, a site that sells software for customizing Microsoft Office applications.
A number of things stuck out as unique about this iteration of Angler Exploit Kit, according to Trustwave. One was the fact that attackers were targeting a destination site as opposed to a random webpage that had traffic driven to it via phishing attacks, Sigler said. According to site analysis tool Compete.com, Extendoffice attracted 963,000 unique visitors in January.
“That may not seem like a lot of traffic for a website, but for a watering-hole attack, they hit the jackpot,” Sigler said.
The site Extendoffice appears to be owned by China-based Addin Technology and did not reply to Threatpost’s requests for comment. Sigler said Trustwave also notified the site’s owner and its hosting company, alerting both to the vulnerability last week. He said the site was still attempting to distribute the Angler Exploit Kit as of Thursday. He said Trustwave received an email Friday from the site’s domain hosting firm claiming the vulnerability had been patched. Trustwave said it hasn’t verified that claim yet.
An outdated version of the content management system Joomla (version 3.4.3) was likely to blame for the vulnerability. Sigler said that in December Joomla released version 3.4.6 of its software, which plugged a known object injection remote command execution vulnerability in version 3.4.3.
Threatpost reported last week the SANS Institute’s Internet Storm Center has noticed that exploit kits are now targeting Joomla sites.
“It’s an unfortunate case where a fairly popular website was redirecting its visitors to the Angler Exploit Kit,” Sigler said. If successful, attackers dropped the TeslaCrypt ransomware on the victim machine, he said.
Another interesting aspect of this version of Angler was the way the kit was being distributed and its ability to avoid detection by browsers such as Firefox that use the JavaScript engine SpiderMonkey. SpiderMonkey has the capability to detect and report instances of malware.
Sigler explains that because Angler exclusively targets Microsoft’s Internet Explorer browser, the attackers didn’t want to risk being discovered, or losing any “valuable” Internet Explorer traffic, because of visitors using Firefox or Google’s Chrome.
“We found some interesting tricks in the (JavaScript) deobfuscated code which were likely used in order to deceive and bypass security scanning engines,” wrote Rami Kogan in a Trustwave blog post outlining the discovery.
According to Trustwave research, the attackers were able to inject JavaScript code onto the Extendoffice site that would be executed differently based on what browser a visitor was using.
“Running this line of code on IE returns the number 0 (zero) which is later used as a counter in a deobfuscation loop. Running the same line of code on Firefox, however, returns NaN (Not a Number), which basically breaks the flow of the code,” Kogan wrote. Using this method attackers managed to execute a string of code and bypass the JavaScript evaluation (eval) step, according to Kogan.
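The mechanism Kogan describes can be seen from the defender’s side with a small simulation. The block below is an added illustration, not Trustwave’s code and not the script injected into Extendoffice; the engine-specific expression that yields 0 on Internet Explorer and NaN on Firefox is not reproduced on the page, so the counter is passed in explicitly to compare the two outcomes. The encoded payload is a constructed, harmless sample.

```javascript
// Added example: models a deobfuscation loop whose starting counter differs
// by JavaScript engine (0 on the targeted browser, NaN elsewhere), as in the
// article. The real engine-dependent expression is not given on the page;
// `counter` here stands in for its value.

// Constructed sample payload: a harmless statement encoded as shifted char codes.
const SAMPLE_CODES = "console.log('decoded')".split("").map(c => c.charCodeAt(0) + 3);

// Generic decoding loop keyed on the counter's starting value.
function deobfuscate(codes, counter) {
  let out = "";
  // With counter === 0 the loop walks the whole array and rebuilds the string.
  // With counter === NaN, `NaN < codes.length` is false on the very first
  // check, so the body never runs and the result is "" -- nothing for a
  // scanner (or a later eval step) to inspect.
  for (let i = counter; i < codes.length; i++) {
    out += String.fromCharCode(codes[i] - 3);
  }
  return out;
}

// What an analysis engine ends up looking at for a given engine semantics.
function scannerView(codes, counter) {
  const decoded = deobfuscate(codes, counter);
  return { decodedLength: decoded.length, decoded };
}

// Defender takeaway: when a decoded script comes out empty, re-run the loop
// under the targeted browser's value instead of trusting the host engine's
// result. Both outcomes named in the article are tried here.
function recoverForAnalysis(codes) {
  const candidates = [0, NaN];
  return candidates
    .map(c => ({ counter: c, result: deobfuscate(codes, c) }))
    .filter(r => r.result.length > 0);
}
```

A scanner that evaluates the injected code with Firefox-like semantics sees an empty string and moves on; an analyst who replays the loop with the Internet Explorer value recovers the script. The practical lesson is that static or emulated JavaScript analysis needs to be run under the semantics of the browser the kit actually targets, not only the engine that happens to be convenient.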
This method of obfuscation is so effective, Sigler said, that it is able to sneak past most of the 67 private scanning engines behind Google’s VirusTotal, a free service that analyzes URLs and red-flags malicious content detected by antivirus engines and website scanners.
February has been a busy month for the Angler Exploit Kit. Along with targeting small sites such as Extendoffice this month, the kit also targeted Skype users via malicious ads and is now targeting vulnerabilities in Microsoft’s Silverlight.