“The Independent” news site’s blog compromised 

Hi guys,

The blog page of The Independent, one of the leading media sites in the United Kingdom, was discovered to have been compromised on 8 December. It was putting millions of readers at risk of ransomware infection. The affected blog runs on WordPress, a popular blogging platform. The rest of The Independent site appears unaffected.

A spokesperson for The Independent has stated that “an advert appearing on that blogsite may have included malware.” They have also added that the affected site was a “legacy” system that was rarely visited.

It has been found that since at least 21 November, the compromised blog page had been redirecting visitors to pages hosting the Angler Exploit Kit. If the visitor does not have an up-to-date Adobe Flash Player, the vulnerable system downloads the Cryptesla 2.2.0 ransomware (detected by Trend Micro as RANSOM_CRYPTESLA.YYSIX), which encrypts the user's files and gives them the extension “.vvv”.
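The infection chain described above ends with encrypted files carrying the “.vvv” extension. As an added example, not code from the original post or from any of the vendors named in it, here is a small Python triage script that walks a directory tree, finds files with that marker and summarises the damage by directory and by original file type. It assumes (this is an assumption, not something the post states) that the marker is appended to the full original filename, so `report.docx.vvv` was `report.docx`; the sample directory tree is constructed inline so the script runs offline.

```python
"""Triage helper: locate files renamed with the ".vvv" marker and summarise impact.

Added example; assumes the ransomware appends ".vvv" to the original filename.
"""
import os
import tempfile
from collections import Counter

VVV_SUFFIX = ".vvv"


def find_vvv_files(root):
    """Walk `root` and return the sorted paths of files ending in .vvv (case-insensitive)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(VVV_SUFFIX):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def original_name(path):
    """Recover the pre-encryption filename by stripping the appended .vvv marker.

    Assumption: the marker is appended, so 'budget.xlsx.vvv' came from 'budget.xlsx'.
    """
    base = os.path.basename(path)
    if base.lower().endswith(VVV_SUFFIX):
        return base[: -len(VVV_SUFFIX)]
    return base


def summarize(hits):
    """Count affected files per directory and per original extension."""
    per_dir = Counter(os.path.dirname(p) for p in hits)
    per_ext = Counter(
        os.path.splitext(original_name(p))[1].lower() or "<none>" for p in hits
    )
    return {"total": len(hits), "per_dir": dict(per_dir), "per_ext": dict(per_ext)}


def build_sample_tree():
    """Create a throwaway tree simulating a partially encrypted profile (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="vvv_triage_")
    layout = {
        "Documents/report.docx.vvv": b"encrypted",
        "Documents/budget.xlsx.vvv": b"encrypted",
        "Documents/notes.txt": b"untouched",
        "Pictures/holiday.jpg.vvv": b"encrypted",
        "Pictures/README.VVV": b"encrypted",  # upper-case variant, no original extension
        "Downloads/setup.exe": b"untouched",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = summarize(find_vvv_files(sample_root))
    print("affected files:", report["total"])
    for directory, count in sorted(report["per_dir"].items()):
        print(f"  {directory}: {count}")
    print("by original extension:", report["per_ext"])
```

Point the functions at a real mounted profile or backup instead of the constructed tree to get a quick picture of which folders and file types were hit, which is the first question a responder has to answer before deciding whether restoring from backup is viable.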

The vulnerability exploited was CVE-2015-7645, an Adobe Flash Player flaw and the latest to be added to Angler’s repertoire.

Angler Exploit Kit is the most active exploit kit to date, and it integrated the Adobe Flash zero-day vulnerabilities related to the Hacking Team leak. A spike in the number of Angler-hosting links was observed from May to September 2015.

The traffic direction system (TDS) that sits between the compromised sites and the Angler EK has seen as many as 4,000 hits a day, and possibly more.

The exploit kit first downloads BEDEP malware and then the TeslaCrypt ransomware to the affected system.

BEDEP was first seen in 2014 and became more prominent early this year. It is used in exploit kit attacks and was noted as the final payload of an Angler Exploit Kit attack at the start of the year. The BEDEP Security Brief reads: “BEDEP and its strains are known to skirt detection because of its heavy encryption. It also comes with manipulated Microsoft file properties to make it appear legitimate upon inspection.” In this particular infection chain, the BEDEP variant arrives via fileless infection in an effort to avoid detection.

BEDEP is capable of downloading other malware, and this variant downloads ransomware onto the affected system. But instead of TeslaCrypt, it downloads another notorious ransomware, CryptoLocker. This malware demands that the user pay a fee of US$499 for decryption; the fee increases after a certain time has elapsed.

It is hard to determine the exact reason for adding BEDEP to the infection chain, but it is highly possible that the cybercriminals wanted to take advantage of the malware’s other features, which include information theft and backdoor capabilities.


Stay tuned for updates on this story

Source: Akati
