A cybercriminal could be risking a serious beating by compromising the popular Russian boxing site allboxing[.]ru with a redirect to a third-party site containing a Russian banking trojan.
Forcepoint Security Labs said the site, which receives about 3 million visits per month, has been injected with a malicious iFrame that employs several evasion tactics to avoid being spotted by researchers. The iFrame itself contains a VBScript exploit that leverages CVE-2016-0189 and attempts to run a Powershell script on the machine.
The creators use an older technique to obfuscate their actions.
“The script ensures that sufficient user interaction has occurred from either clicking, scrolling or moving the mouse. The attacker has given different weighting scores to the different types of user interaction and will only insert the iFrame once the threshold score is above 30. This is a stealth tactic used to prevent automated analysis systems from being redirected to the exploit, “ Forcepoint researcher Nicholas Griffin wrote.