Spin website redirects to Rig Exploit Kit, infects users with malware, Symantec observes

On Oct. 27, researchers with Symantec observed that Spin, a popular music news and review website, was redirecting visitors to the Rig Exploit Kit and, subsequently, infecting them with a variety of malware.

Ankit Singh, associate threat analyst with Symantec, posted about the issue on Tuesday, explaining that it appears to have been resolved, and adding that users in the U.S. were most affected by the compromise, according to Symantec telemetry.

Singh said in a Tuesday email that Symantec is unsure how the Spin website was compromised, but he explained in the post that attackers injected an iframe into the site, which then redirected visitors to the Rig Exploit Kit's highly obfuscated landing page.

“On the landing page, Rig [Exploit Kit] checked the user's computer for driver files associated with particular security software products to avoid detection, then looked for particular installed plugins and attempted to exploit them accordingly,” Singh said.
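The injected iframe described above is the kind of artifact a site owner can look for in their own pages. The following is an added example, not code from Symantec or the Spin website: it parses HTML and flags iframes that are hidden (near-zero size or hidden by style) or that point to a host other than the site's own. The HTML samples and hostnames are constructed for illustration.

```python
"""Flag injected iframes in fetched HTML: hidden (0/1 px, display:none) or
pointing off-site. Added example; the HTML samples below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that hide an element from the visitor.
HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute set of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _tiny(value):
    """True for dimensions such as '0', '1' or '1px' that make an iframe invisible."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 1


def find_suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for every iframe that is hidden or off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        host = urlparse(src).hostname          # None for relative URLs
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("near-zero size")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample pages (hostnames are placeholders, not real sites).
CLEAN_PAGE = (
    '<html><body><p>Album review</p>'
    '<iframe src="https://www.example-music.test/player" width="400" height="300"></iframe>'
    '</body></html>'
)
INJECTED_PAGE = (
    '<html><body><p>Album review</p>'
    '<iframe src="http://landing.example-bad.test/x.php" width="1" height="1" '
    'style="display:none"></iframe>'
    '</body></html>'
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_suspicious_iframes(page, "www.example-music.test"))
```

Run it against HTML fetched from each page of the site on a schedule; a new finding is a reason to compare the served page with what is in the content management system. Relative `src` values are treated as on-site, so the check only catches off-site redirects when the attacker uses an absolute URL, which is why the size and style checks are applied as well.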

In the compromise, Rig Exploit Kit took advantage of two Microsoft Internet Explorer use-after-free remote code execution (RCE) vulnerabilities, CVE-2013-2551 and CVE-2014-0322, as well as Adobe Flash Player RCE vulnerability CVE-2014-0497, Microsoft Silverlight double dereference RCE vulnerability CVE-2013-0074, Oracle Java SE memory corruption vulnerability CVE-2013-2465, Oracle Java SE remote Java Runtime Environment code execution vulnerability CVE-2012-0507, and Microsoft Internet Explorer information disclosure vulnerability CVE-2013-7331, according to the post.

Successful exploitation of any of these vulnerabilities resulted in an XOR-encrypted payload being downloaded to the user's computer, the post indicates, adding that the Rig Exploit Kit drops a variety of malware, including Infostealer.Dyranges and Trojan.Zbot, also known as Zeus.
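Analysts who capture such a payload from network traffic usually need to strip the XOR layer before it can be hashed or scanned. The article does not state the key length Rig used, so the following added example (not from Symantec or the article) assumes the simplest case, a single-byte key, and recovers it by trying all 256 keys and looking for the Windows PE header that a dropped executable would carry. The encrypted blob is constructed here from a minimal PE stub.

```python
"""Recover a single-byte XOR key from a captured blob by looking for a Windows
PE header in the decoded output. Added analyst example; the key length is an
assumption and the blob below is constructed, not a real Rig payload."""

# Minimal DOS-header stub: 'MZ' magic, e_lfanew at offset 0x3C, then the DOS
# stub message that real PE files carry. Enough to recognise, not a real binary.
PE_STUB = (
    b"MZ\x90\x00" + b"\x00" * 56
    + b"\x80\x00\x00\x00"
    + b"This program cannot be run in DOS mode."
)
DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def xor_bytes(data, key):
    """XOR every byte of data with a single-byte key (encrypt and decrypt are the same)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """True if data starts with the 'MZ' magic and carries the DOS stub message."""
    return data.startswith(b"MZ") and DOS_STUB_MSG in data


def recover_key(blob):
    """Try all 256 single-byte keys; return (key, plaintext) or (None, None).

    Key 0 is tried first, so an unencrypted PE is reported with key 0.
    """
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None, None


# Constructed sample: the stub encrypted with an arbitrary key.
SAMPLE_KEY = 0x5A
ENCRYPTED_SAMPLE = xor_bytes(PE_STUB, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover_key(ENCRYPTED_SAMPLE)
    print("recovered key:", None if key is None else hex(key))
    print("PE header found:", plain is not None and looks_like_pe(plain))
```

If no key produces a PE header, the payload is either not a PE file or uses a longer or rolling key; in that case the blob still deserves sandbox detonation rather than being discarded, and the decoded-or-not sample should be hashed and checked against existing detections.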

“Infostealer.Dyranges checks the URL in the web browser for online banking services and intercepts traffic between the user and these sites; it may then steal user names and passwords inputted into these sites' login forms and send them to remote locations,” Singh said. “Trojan.Zbot will gather a variety of information about the compromised computer, as well as user names and passwords, which it sends back to the [command-and-control] server. It also opens a backdoor through which attackers can perform various actions.”

Singh said the average user will not notice what is going on in the back-end.
