A Lenovo-related website apparently redirected visitors on March 13 to the Angler exploit kit, “a source of no small amount of crypto-ransomware,” according to an F-Secure blog post penned by researcher Sean Sullivan.
The post noted that although the compromise of the “startpage.lenovo.com” portal site may not have lasted too long, “the consequences could be significant,” depending in part on the volume of traffic at the site on that Sunday evening.
The researcher at F-Secure said the findings come from upstream detection reports from its customers. “Exploit:JS/AnglerEK.D is the detection which triggered these particular upstream reports,” the post noted. “Angler's recent payload is TeslaCrypt. And that we detect as Trojan:W32/Rimecud.A!DeepGuard and Trojan:W32/TeslaCrypt.X!DeepGuard.”
Sullivan noted that he doesn't use a portal as his “start page.”