A drive-by download campaign is targeting Chinese websites to experiment with different exploits to drop malware.
Malwarebytes researchers spotted a campaign in which Chinese websites were compromised to load external content via scripts and iframe overlays that display one site but contain several injected layers that expose visitors to unwanted code and malware, according to a Feb. 22 Malwarebytes blog post.
“Indeed, the domain serving the exploits appears to be static and the URIs are always the same, Malwarebytes researcher Jerome Segura said in the post. ”Regardless, it does not prevent threat actors from arranging drive-by attacks by copying and pasting various pieces of code they can find here and there.”
One of the malicious scripts included a knock-off Coinhive miner which took a 10 percent commission as opposed to Coinhive's 30 percent commission. Researchers also noticed three exploits targeting older vulnerabilities in an ActiveX component, the Flash Player and Internet Explorer.
The exploits included CVE-2008-2551, an old vulnerability with the C6 Messenger ActiveX control, CVE-2015-5119, a Flash Player vulnerability affecting Flash up to version 126.96.36.199, and CVE-2016-0189, the well-known Internet Explorer God Mode.
Researchers noted the CVE-2015-5119 Flash vulnerability was lifted from a proof of concept and that its implementation in witnessed attack was somewhat unstable and may have caused a browser to crash.
The Explorer God Mode vulnerability was commented out for unknown reasons and the final payload dropped in this campaign is a DDoS bot.
Sean Newman, Director at Corero Network Security told SC Media the campaign is just another example of how much cyber criminals are innovating and are still able to leverage techniques which have been tried and tested for many years.
"Botnets used for DDoS attacks, now compromised mainly of poorly secured IoT devices, have risen in popularity over the past couple of years," Newman said. "And, with the new promise of collecting significant ransom payments on the back of them, it's no surprise that hackers might also be dusting off some of their old weapons.""