Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Angler Exploit Kit – Gunning For the Top Spot

They say that with great power comes great responsibility. In the world of websites the more popular your website is the greater your responsibility, and being responsible means, amongst other things, keeping your systems up-to-date.

We've recently come across an unfortunate case where a fairly popular website was redirecting its visitors to the Angler Exploit Kit which, upon successful exploitation, dropped the TeslaCrypt ransomware on the victim machine.

This blog post should serve as a reminder for all of the web admins to keep their web applications up-to-date, as well as a cautionary tale of what might otherwise happen, told through the story of www.extendoffice[.]com.

"extendoffice" sells add-ins to Microsoft office and it also provides "Tips and Tricks" for Microsoft Office users. It is ranked in Alexa's top 10,000 globally, and approximately rank 5,500 in the US. These numbers may not sound impressive, but considering the millions of websites out there in the world, any site with those kind of rankings is likely getting over a million visitors per month; in the world of exploit kits that is a lot of traffic.

Our tale begins a few days ago, as we were going about our daily work looking into telemetry data from our products. We noticed the redirection of visitors from the "extendoffice" site to the Angler Exploit Kit. With Malicious advertising being popular as it is in the world of exploit kits, such a sight isn't entirely unheard of, but upon further investigation we saw that this behavior goes back as far as February 6th and decided to investigate further.

Browsing to the homepage of "extendoffice" shows an error message at the top of the page, which always raises suspicion to a security researcher:

11406_b71ec8c6-667a-4a0f-b704-09f90fc70cc1

Figure 1: Home page of extendoffice

According to the error message it's easy to see that it is a Joomla-based site, further checking reveals that it is using Joomla version 3.4.3:

11398_b6db57e2-d205-4568-946a-67a59bdc8174

Figure 2: Joomla version 3.4.3

Unfortunately, this version is vulnerable to CVE-2015-8562 "Object Injection Remote Command Execution" - a vulnerability that was exploited in the wild as a 0day before it was patched on Dec 2015 with the release of version 3.4.6 of Joomla. We believe that the cyber criminals behind the attack used this vulnerability to upload a malicious script to extendoffice's web server, which then injected obfuscated JavaScript code to every web page displayed to visitors:

BSL_11386_b6519200-070e-4ea8-8aa3-fb2ad2ac4b21

Figure 3: Injected script

De-obfuscating the script reveals another layer of obfuscated JavaScript code with two interesting parts:

10715_95f800f9-efcc-45aa-9ec5-852cef388667

Figure 4: First level of Deobfuscation

It's no secret that cyber criminals and the security community are playing an endless game of cat and mouse, this time we found some interesting tricks in the deobfuscated code which were likely used in order to deceive and bypass security scanning engines:

  1. stkvphvshha = (+[window.sidebar]);

    Running this line of code on IE returns the number 0 (zero) which is later used as a counter in a deobfuscation loop. Running the same line of code on Firerfox, however, returns NaN (Not a Number)- which basically breaks the flow of the code. We believe that by choosing this "sophisticated" method to assign the number 0 to a variable, the authors of this code aimed to bypass security scanners which use Firefox's JavaScript engine SpiderMonkey (open source) to scan web pages. Because Angler targets mainly Internet Explorer users, they wouldn't be losing any "valuable" traffic with this technique.

  2. Obfuscated JavaScript code is usually designed such that during runtime an obfuscated string is de-obfuscated into a string that represents JavaScript code. This code is then executed using the "eval" method. The use of "eval" often raises flags for security scanners and so cyber crooks are constantly trying to come up with new ways to avoid explicit usage of this method by searching for creative replacements. In this instance they use a very interesting technique to execute a string avoiding eval:

    []["constructor"]["constructor"](<string representing JavaScript code>)()

    In JavaScript the "constructor" property returns the prototype of an object. In this case the prototype of [] is the Array class. Accessing the "constructor" property of the Array class returns the Function object. The constructor of Function object then returns a function and the body of that function is the last parameter, which is passed to the constructor. This results in the creation of a function that uses the provided string as the function's body (i.e. code), which is then instantly executed. Using this creative way they've managed to execute a string without using eval.

    To read more follow this link: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function

De-obfuscating the second layer of JavaScript code finally reveals the injected iframe that leads to Angler EK landing page:

Deobf_stage2

Figure 5: 2nd Layer deobfuscated

10435_892cba7c-6449-492e-acb7-fa855a88919c

Figure 6: Infection Chain

Down the road of a "successful" exploitation scenario lurks the notorious TeslaCrypt ransomware, demanding that a ransom be paid in order to decrypt the now-encrypted files on the victim machine:

7733_0644c02e-dd82-4a17-99c0-d1d0dcd66c78

Figure 7: TeslaCrypt's ransom message

The scariest thing about this incident is that a quick URL scan on VirusTotal shows that this incident has gone largely unnoticed:

BSL_12538_eddb86a2-fcb8-4b5d-b566-77048750754e

Figure 8: VirusTotal scan result

Unfortunately, as end users we have no control over the safety measures taken by websites to secure our visit to them, but by keeping our software up-to-date we can make sure that our attack surface remains minimal.

For enterprises, it is important to have security products in place that are able to deal with these threats and protect corporate users.

We have been actively working to protect users against this attack; we've notified "extendoffice" as well as their hosting company regarding this incident. At the time of publishing of this blog post we have received no response from either one. However, as of a few hours ago, it appears that the website has been cleaned and is no longer redirecting users to the Angler exploit kit. We will continue to monitor the situation, as we have no official confirmation regarding who or what resolved it.

Trustwave Secure Web Gateway protects its customers against this attack and the Angler Exploit Kit in general.

Update (25-Feb-2016): As of today extendoffice[.]com is once again redirecting visitors to the Angler exploit kit with a detection rate of 1/67 on VirusTotal (link: https://www.virustotal.com/en/url/b5ddc38f2ccfe575d16bb800a11f08c0bb36a51f0bcce593ac9d1483ddb033b7/analysis/1456411616/). We have again attempted to contact ExtendOffice and its hosting company, in the meantime be sure to avoid accessing this domain and configure your corporate security products accordingly. Trustwave Secure Web Gateway customers remain protected against this attack.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo