The Israeli think tank website JCPA – an independent research institute focusing on Israeli security, regional diplomacy and international law – was serving the Sweet Orange exploit kit via drive-by downloads to push malware onto the computers of the website's visitors by exploiting software vulnerabilities, researchers from security firm Cyphort reported on Friday.
The Sweet Orange is one of the most recently released web malware exploitation kits, available for sale at selected invite-only cyber crime friendly communities and has been around for quite some time. However, Sweet Orange has also disappeared but in October 2013, shortly after the arrest of Paunch, the author of BlackHole, experts observed a major increase in the use of Sweet Orange.
The analysis carried out by Cyphort security firm indicates that the attack on JCPA website is part of a wide malware campaign. It has been discovering several infected website on daily bases and found an initial redirection server as a common thread between the attacks.
Following the initial redirection server, Cyphort notes that the innocent users from music industry and law firms are being redirected to a link in the infection chain. Ultimately, users are led to an exploit server located in Russia.
"This is a sinkhole that is connected to many such varying domain names," explains McEnroe Navaraj of Cyphort. "All of these names have some string of 'cdn' in them. Once the bad actors get access to an account/server they can just create a corresponding 'cdn' domain entry under that domain and use it to point to the target exploit server."
This method allows an attacker to bypass a lot of the URL categorization and URL blacklisting technologies.
The JCPA website's homepage is infected with a malicious Jquery JavaScript file. The Jquery JavaScript file receives an exploit kit server URL from another domain,
"cdn[dot]jameswoodwardmusic[dot]com."
Ultimately, the exploits are served from
"cdn3[dot]thecritico[dot]com:16122/clickheat/stargalaxy.php?nebua=3."
Finally, the user is attacked via a series of Java and Internet Explorer exploits that were used to deliver an information-stealing Trojan dubbed Qbot.
"The final dropper is downloaded in encrypted form and decrypted in-memory (key: investor) and written to disk," Navaraj explains. "This exploit kit served two (Qbot) binaries with same hash (MD5: 4ff506fe8b390478524477503a76f91a). Encrypted binary transfer is done to hide it from signature-based network security devices such as IPS or AV gateways."
The malware has self modifying capability as well as anti-virtual machine and anti-antivirus detection modules built in, in order to evade detection. Once infected a machine, the malware has capability to steal machine operating system install dates, names, and product IDs.
But most weirdly, the malware contains a link to an flv file for a "Wheat Thins" advertisement, which indicates that probably the attackers are using the malwares as a click-fraud to make some extra dollars.
Meanwhile, the malware also attempts to block users from accessing various anti-virus companies websites, as well as steals login credentials from a long list of prominent banks, including PNC, Zions Bank, Sovereign Bank, SunTrust, Bank of America, J.P. Morgan, Wells Fargo, Citi Bank, Wachovia, TD Bank and many more.
The security firm says it has notified the think tank via the contact form on its website, but received no response.
