Gamarue Malware Taking Aim at Hundreds of Home Improvement Forums on the Web

A home improvement-related chatroom and more than a hundred forums have been injected with Gamarue malware.

Gamarue, a loader worm that often serves to make an initial infection and then fetch other malware, is making its way around the net by way of insecure forums. Paul Kimayong, malware researcher at Cyphort Labs, said in a blog post that the campaign targets websites that serve homeowners.

“[The attack] is part of a click fraud campaign,” he said. “For a click fraud to look legitimate, it better come from home users…we believe that this malware pack is designed for click fraud campaign and for distribution using watering-hole attacks.”

The researcher noted that the impacted forums are powered by outdated software containing vulnerabilities that leave them sitting ducks. Those vulnerabilities are used to compromise the sites and inject malicious redirection code. The injected code in turn redirects visitors to the Fiesta exploit kit, which then downloads the encrypted Gamarue malware.

Specifically, the forum sites are powered by vBulletin or by IP Board. Earlier this year, Sucuri reported a serious vulnerability affecting vBSEO, a component of vBulletin, which allows an attacker to remotely execute malicious PHP code on a website. vBSEO was already discontinued due to several vulnerabilities—but some websites still use it.

Cyphort originally noticed the infection spreading by way of www.diychatroom.com. But, “through our chain heuristics and browser cooker engine, we discovered that several other forum sites are also infected with this same malicious attack,” Kimayong said.

The infections are tough to track. Kimayong said that the bug is sandbox-aware; in other words, it does not execute in virtual environments.

“The server evaluates the information received from the infected computers and replies back with any one of several commands,” he explained. “When the trojan is executed in a virtual environment (or sandbox) it chooses to stay low and replies with command #none.”
