A fresh Angler exploit kit campaign is targeting Sexting Forum and 18 other sites.
According to Cyphort Labs, the initiative uses the bootstrapcdn.org redirector and sends users to malicious payloads hosted on .co.uk websites.
“This is not malvertising, instead the websites are compromised directly (likely via FTP password theft) and redirect using an embedded SCRIPT tag,” explained Cyphort’s Nick Bilogorskiy, in a blog.
The drive-by exploits are affecting a wide variety of sites, including a Smith & Wesson discussion forum, an “Army Recognition” site, and a leading credit union in Houston (JSC FCU has been around for 50 years and has grown to serve 123,000+ members and 2,000+ Community Business Partners (CBPs) throughout the greater Houston area). There’s also a site that offers bloggers visitor stats and the like, and UltraVNC.com, the online presence of one of the most popular remote desktop programs for remote administration. It is similar to TeamViewer, pcAnywhere or LogMeIn.
The sites unfortunately have a wide reach. In the case of the UltraVNC website, many technical users go to this website to download VNC client to troubleshoot their friends’, family or clients’ PCs.
“In computing, virtual network computing (VNC) is a graphical desktop sharing system that transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network,” said Bilogorskiy. “With over a billion copies, VNC is a de facto standard for remote control. VNC has been used widely in hundreds of different products and applications, from helpdesks to virtualization.”
“As the website seems to be controlled by the attackers, it is possible that VNC software has been replaced by a trojan as well,” Bilogorsky warned.
The campaign started on May 9, about a week ago, and is ongoing. It’s also just the latest in a series of drive-bys.
“It is of interest to note that the use of .co.uk domains by malicious actors increased by ~150% year-over-year in 2016,” he said. “We believe that rather than registering new .co.uk domains, attackers likely compromised the co.uk registrars customers' accounts to add additional subdomain DNS pointers. Example: specialist-foods.co.uk is a legitimate commercial website, zunickender.specialist-foods.co.uk is a hacker subdomain pointing to Angler EK.”
Photo © LeoWolfort