This evening, Barracuda Labs' URL analysis system detected drive-by downloads originating from five Alexa top-ranked websites: hindustantimes[.]com, bollywoodhungama[.]com, one[.]co[.]il, codingforums[.]com, and mawdoo3[.]com. Threatglass entries for these sites are available here, here, here, here, and here.
In every case, malicious content arrived via the site's use of the Zedo ad network. Specifically, the following subchain is common to every site's sequence of events.
<site index>
-> hxxp://[c2|c5][.]zedo[.]com/jsc/[c2|c5]/fo.js
–> hxxp://ss1[.]zedo[.]com/jsc/fst.js
—> hxxp://static[.]rcs7[.]org/seo1.php?ds=true&dr=<…>
—-> hxxp://xenon[.]asapparts[.]com/akamai/adsone.php?acc=<…>
In the above subchain, ss1[.]zedo[.]com served obfuscated JavaScript that began a series of redirects to malicious content. The last site, xenon[.]asapparts[.]com, redirected to one of several different exploit kit-backed sites.
Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim's system. The particular instance delivered via tonight's campaign has a valid digital signature and appears to have been signed just hours before its distribution.
Per the screenshot below, initial VirusTotal results indicated 0/55 detections.
Those results have since improved, with additional tools now identifying the program as malicious. With any luck, the certificate used to sign the executable will be revoked soon.
Christine Barry ist Senior Chief Blogger und Social Media Manager bei Barracuda. Bevor sie zu Barracuda kam, war Christine über 15 Jahre als Außendiensttechnikerin und Projektmanagerin für K12 und SMB-Kunden tätig. Sie hat mehrere Zugangsdaten für Technologie und Projektmanagement, einen Bachelor of Arts und einen Master of Business Administration. Sie ist Absolventin der University of Michigan.
Vernetzen Sie sich hier auf LinkedIn mit Christine.
