Offers Young Men Advice, Ransomware

Druckfreundlich, PDF & E-Mail

Yesterday (Sunday, July 6), as well as in June, May and April, AskMen's website served visitors malware via drive-by download attacks that targeted vulnerabilities in various browser-related software components including IE, Flash, and the Java web plugin. During the June incident, ransomware (a type of malware that denies the user access to their files or computer until a ransom is paid) was installed on visitors' computers. Given the need to coerce payment from its victims, ransomware is visually noisy, as indicated by the following screenshot taken at the end of a June 19 visit to AskMen[.]com.

AskMen DDLAskMen for advice, get ransomware.

The chain of redirects that began at AskMen's front page and ended with the installation of ransomware on visitors’ computers is as follows.

hxxp://www[.]askmen[.]com/</redacted> (xMultiple)
-> hxxp://ec6155aa[.]pw/<redacted>
–>hxxp://asjdaydyaf[.]info/<redacted> (xMultiple)
—> hxxp://bannertrackingstat[.]com/<redacted> (xMultiple)

In the above chain, the ec6155aa[.]pw domain is generated dynamically based off of the current date. Subsequent reverse engineering of the name generation algorithm and examination of domains for nearby dates revealed that the the drive-by download campaign lasted from June 18 to June 23. Additional details can be found on the following page.

Requests to asjdaydyaf[.]info corresponded to a site backed by the RIG Exploit Kit, which currently targets IE, Flash, Silverlight, and Java. In this instance, RIG yielded a malicious JAR file with relatively few AV detections. Successful exploitation resulted in the installation of CryptoWall, a type of ransomware that uses strong cryptography to hold the user's files hostage.

Visualizations of each AskMen[.]com drive-by download instance and the corresponding packet capture (PCAP) files for April, May, June and July are available via Threatglass.

UPDATE (July 9): Barracuda Labs has been corresponding with the AskMen website operators, who have indicated that they have discovered and resolved the security issue behind the incidents.
UPDATE (July 19): The AskMen website is again serving drive-by downloads, which suggests a vulnerability within its infrastructure or intrusion within its operators' organization.

Nach oben scrollen