They say that with great power comes great responsibility. In the world of websites the more popular your website is the greater your responsibility, and being responsible means, amongst other things, keeping your systems up-to-date.
We've recently come across an unfortunate case where a fairly popular website was redirecting its visitors to the Angler Exploit Kit which, upon successful exploitation, dropped the TeslaCrypt ransomware on the victim machine.
This blog post should serve as a reminder for all of the web admins to keep their web applications up-to-date, as well as a cautionary tale of what might otherwise happen, told through the story of www.extendoffice[.]com.
"extendoffice" sells add-ins to Microsoft office and it also provides "Tips and Tricks" for Microsoft Office users. It is ranked in Alexa's top 10,000 globally, and approximately rank 5,500 in the US. These numbers may not sound impressive, but considering the millions of websites out there in the world, any site with those kind of rankings is likely getting over a million visitors per month; in the world of exploit kits that is a lot of traffic.
Our tale begins a few days ago, as we were going about our daily work looking into telemetry data from our products. We noticed the redirection of visitors from the "extendoffice" site to the Angler Exploit Kit. With Malicious advertising being popular as it is in the world of exploit kits, such a sight isn't entirely unheard of, but upon further investigation we saw that this behavior goes back as far as February 6th and decided to investigate further.
Browsing to the homepage of "extendoffice" shows an error message at the top of the page, which always raises suspicion to a security researcher:
Figure 1: Home page of extendoffice
According to the error message it's easy to see that it is a Joomla-based site, further checking reveals that it is using Joomla version 3.4.3:
Figure 2: Joomla version 3.4.3
Unfortunately, this version is vulnerable to CVE-2015-8562 "Object Injection Remote Command Execution" - a vulnerability that was exploited in the wild as a 0day before it was patched on Dec 2015 with the release of version 3.4.6 of Joomla. We believe that the cyber criminals behind the attack used this vulnerability to upload a malicious script to extendoffice's web server, which then injected obfuscated JavaScript code to every web page displayed to visitors:
Figure 3: Injected script
De-obfuscating the script reveals another layer of obfuscated JavaScript code with two interesting parts:
Figure 4: First level of Deobfuscation
It's no secret that cyber criminals and the security community are playing an endless game of cat and mouse, this time we found some interesting tricks in the deobfuscated code which were likely used in order to deceive and bypass security scanning engines:
De-obfuscating the second layer of JavaScript code finally reveals the injected iframe that leads to Angler EK landing page:
Figure 5: 2nd Layer deobfuscated
Figure 6: Infection Chain
Down the road of a "successful" exploitation scenario lurks the notorious TeslaCrypt ransomware, demanding that a ransom be paid in order to decrypt the now-encrypted files on the victim machine:
Figure 7: TeslaCrypt's ransom message
The scariest thing about this incident is that a quick URL scan on VirusTotal shows that this incident has gone largely unnoticed:
Figure 8: VirusTotal scan result
Unfortunately, as end users we have no control over the safety measures taken by websites to secure our visit to them, but by keeping our software up-to-date we can make sure that our attack surface remains minimal.
For enterprises, it is important to have security products in place that are able to deal with these threats and protect corporate users.
We have been actively working to protect users against this attack; we've notified "extendoffice" as well as their hosting company regarding this incident. At the time of publishing of this blog post we have received no response from either one. However, as of a few hours ago, it appears that the website has been cleaned and is no longer redirecting users to the Angler exploit kit. We will continue to monitor the situation, as we have no official confirmation regarding who or what resolved it.
Trustwave Secure Web Gateway protects its customers against this attack and the Angler Exploit Kit in general.
Update (25-Feb-2016): As of today extendoffice[.]com is once again redirecting visitors to the Angler exploit kit with a detection rate of 1/67 on VirusTotal (link: https://www.virustotal.com/en/url/b5ddc38f2ccfe575d16bb800a11f08c0bb36a51f0bcce593ac9d1483ddb033b7/analysis/1456411616/). We have again attempted to contact ExtendOffice and its hosting company, in the meantime be sure to avoid accessing this domain and configure your corporate security products accordingly. Trustwave Secure Web Gateway customers remain protected against this attack.