{"id":84017,"date":"2017-03-23T18:52:25","date_gmt":"2017-03-23T13:22:25","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84017"},"modified":"2017-04-21T16:01:21","modified_gmt":"2017-04-21T10:31:21","slug":"cosmos-bank-website-compromised-rig-exploit-kit-drops-cerber-ransomware","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/cosmos-bank-website-compromised-rig-exploit-kit-drops-cerber-ransomware\/","title":{"rendered":"Cosmos Bank website compromised with RIG Exploit Kit which drops Cerber Ransomware"},"content":{"rendered":"<p><strong>Update:\u00a0The incident has been taken care of by Cosmos Bank and its website (URL) is now clean and safe to use.<\/strong><\/p>\n<p>Compromising popular websites has become a common way for attackers to spread infections at scale. Attackers exploit unpatched vulnerabilities in web servers and the applications they host, or brute-force the login credentials of web admin consoles and FTP (File Transfer Protocol) accounts, to gain unauthorised access. Once a site is under their control, they inject code that silently redirects its visitors to malicious websites.<\/p>\n<p>This blog post discusses how the website of a popular bank in India, the Cosmos Bank, was compromised to serve the infamous RIG Exploit Kit. The bank\u2019s website \u2018https:\/\/www.cosmosbank[.]com\u2019 was injected with a redirect to the RIG Exploit Kit, which was delivering the <a href=\"https:\/\/blogs.quickheal.com\/alert-ransomware-is-being-spread-through-the-ammyy-admin-website\/\">Cerber Ransomware<\/a>.\u00a0 At Quick Heal Threat Research Labs, we were able to reproduce the series of events that led to this attack on 20<sup>th<\/sup> March 2017. Tracing back through our recorded logs showed that the injection had been present on the website since 17<sup>th<\/sup> March 2017 and was still live at the time of writing. 
The bank was notified about the infection on 20<sup>th<\/sup> March 2017.<\/p>\n<p><strong>Here\u2019s how it all happened<\/strong><\/p>\n<p>The diagram below shows the infection chain, from the compromised bank page to the ransomware\u2019s post-infection traffic.<\/p>\n<figure id=\"attachment_84018\" aria-describedby=\"caption-attachment-84018\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-84018 size-large\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/03\/1-Exploit-Kit-Cycle-650x225.png\" alt=\"Fig 1. Infection Cycle\" width=\"650\" height=\"225\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/1-Exploit-Kit-Cycle-650x225.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/1-Exploit-Kit-Cycle-300x104.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/1-Exploit-Kit-Cycle-768x266.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/1-Exploit-Kit-Cycle-789x274.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/1-Exploit-Kit-Cycle.png 926w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-84018\" class=\"wp-caption-text\">Fig 1. Infection Cycle<\/figcaption><\/figure>\n<ul>\n<li><strong>Compromised domain: <\/strong>www.cosmosbank[.]com (port 443)<\/li>\n<li><strong>RIG EK Landing Page domain: <\/strong>rew.bdwtesting[.]net (185.158.153.111)<\/li>\n<li><strong>Cerber Post Infection domain: <\/strong>p27dokhpz2n7nvgr.1js3tl[.]top (104.232.37.30)<\/li>\n<\/ul>\n<p>The injection was found on the index page of the Cosmos Bank website. An iframe injected at the top of the page silently loaded a RIG Exploit Kit landing page in every visitor\u2019s browser. The RIG Exploit Kit domain was \u201crew.bdwtesting[.]net\u201d. 
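The injected-iframe check below is an added example and is not code from the original post or from Quick Heal. It scans a page's HTML for iframes that point off-site or are hidden, the two properties of the injection described above, so a site owner can run it against their own index page. The sample HTML is constructed for the example (the attacker host is the landing-page domain named in this post); the function `find_suspicious_iframes` and its size and style heuristics are this example's own.

```python
"""Flag iframes that point off-site or are hidden, the two traits of the
injection described in the post. Added example; sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page resembling the compromised index page: a 1x1, off-screen
# iframe to the RIG landing-page host sits at the top, followed by legitimate
# content that includes a same-site iframe.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>Cosmos Bank</title></head>
<body>
<iframe src="http://rew.bdwtesting.net/" width="1" height="1"
        style="position:absolute; left:-9999px; top:0"></iframe>
<div id="content">
  <iframe src="https://www.cosmosbank.com/rates.html" width="600" height="400"></iframe>
  <p>Welcome to Cosmos Bank.</p>
</div>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _site(host):
    """Crude registrable-domain approximation (last two labels): enough to tell
    www.cosmosbank.com from rew.bdwtesting.net, not correct for co.uk-style TLDs."""
    return ".".join(host.lower().split(".")[-2:])


def _is_hidden(attrs):
    """True for display:none / visibility:hidden, off-screen absolute
    positioning, or a frame no larger than 2x2 pixels."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "position:absolute" in style and ("left:-" in style or "top:-" in style):
        return True
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
    except ValueError:            # percentages or other non-numeric sizes
        return False
    return width <= 2 or height <= 2


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for every iframe that is off-site or hidden.

    A relative src is treated as same-site. A frame that is both off-site and
    hidden, as in the incident, gets both reasons.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host
        reasons = []
        if _site(host) != _site(page_host):
            reasons.append("off-site source: " + host)
        if _is_hidden(attrs):
            reasons.append("hidden or near-zero-size frame")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.cosmosbank.com"):
        print(src, "->", "; ".join(reasons))
```

Run it against the HTML your web server actually returns (fetched from outside, since pseudo-Darkleech-style injections are often served conditionally), not against the files on disk alone: the same check on a page that only frames its own content with normal dimensions reports nothing.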
The injection is part of the <strong>pseudo-Darkleech campaign<\/strong>, a long-running campaign that uses exploit kits (EKs) to deliver malware.<\/p>\n<figure id=\"attachment_84019\" aria-describedby=\"caption-attachment-84019\" style=\"width: 682px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-84019 size-full\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/03\/2-cosmos-index-page.png\" alt=\"Fig 2. Cosmos Bank\u2019s compromised web page\" width=\"682\" height=\"576\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/2-cosmos-index-page.png 682w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/2-cosmos-index-page-300x253.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/2-cosmos-index-page-462x390.png 462w\" sizes=\"(max-width: 682px) 100vw, 682px\" \/><figcaption id=\"caption-attachment-84019\" class=\"wp-caption-text\">Fig 2. Cosmos Bank\u2019s compromised web page<\/figcaption><\/figure>\n<p>The landing page contained heavily obfuscated JavaScript. RIG launches exploits for the vulnerabilities it targets in the browser and its installed components; in this case an Adobe Flash vulnerability was exploited.<\/p>\n<figure id=\"attachment_84020\" aria-describedby=\"caption-attachment-84020\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-84020 size-large\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/03\/3-Landing-Page-650x257.png\" alt=\"Fig 3. 
RIG Exploit Kit landing page\" width=\"650\" height=\"257\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/3-Landing-Page-650x257.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/3-Landing-Page-300x119.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/3-Landing-Page-768x304.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/3-Landing-Page-789x312.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/3-Landing-Page.png 1529w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-84020\" class=\"wp-caption-text\">Fig 3. RIG Exploit Kit landing page<\/figcaption><\/figure>\n<p>Once the landing page is de-obfuscated, the code that loads the Adobe Flash exploit is plainly visible.<\/p>\n<figure id=\"attachment_84021\" aria-describedby=\"caption-attachment-84021\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-84021 size-large\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/03\/4-Deobfuscated-650x273.png\" alt=\"Fig 4. De-obfuscated RIG Exploit Kit landing page\" width=\"650\" height=\"273\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/4-Deobfuscated-650x273.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/4-Deobfuscated-300x126.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/4-Deobfuscated-768x322.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/4-Deobfuscated-789x331.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/4-Deobfuscated.png 1539w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-84021\" class=\"wp-caption-text\">Fig 4. 
De-obfuscated RIG Exploit Kit landing page<\/figcaption><\/figure>\n<p>The Flash exploit (SWF) payload looks like this.<\/p>\n<figure id=\"attachment_84022\" aria-describedby=\"caption-attachment-84022\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-84022 size-large\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/03\/5-flash_exploit-650x376.png\" alt=\"Fig 5. Flash exploit payload\" width=\"650\" height=\"376\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/5-flash_exploit-650x376.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/5-flash_exploit-300x173.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/5-flash_exploit-768x444.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/5-flash_exploit-789x456.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/5-flash_exploit.png 1079w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-84022\" class=\"wp-caption-text\">Fig 5. Flash exploit payload<\/figcaption><\/figure>\n<p>Upon successful exploitation of Flash, the exploit code drops the Cerber Ransomware on the victim\u2019s machine; it encrypts the victim\u2019s files and then displays the ransom note shown below.<\/p>\n<figure id=\"attachment_84023\" aria-describedby=\"caption-attachment-84023\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-84023 size-large\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/03\/6-cerber-650x365.png\" alt=\"Fig 6. 
Cerber Ransomware\u2019s ransom note\" width=\"650\" height=\"365\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/6-cerber-650x365.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/6-cerber-300x168.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/6-cerber-768x431.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/6-cerber-789x443.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/6-cerber.png 1149w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-84023\" class=\"wp-caption-text\">Fig 6. Cerber Ransomware\u2019s ransom note<\/figcaption><\/figure>\n<p>The ransomware\u2019s post-infection network activity, its check-in to the Cerber CnC domain listed above, is shown below.<\/p>\n<figure id=\"attachment_84024\" aria-describedby=\"caption-attachment-84024\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-84024 size-large\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/03\/7-Post-CnC-650x58.png\" alt=\"Fig 7. Cerber ransomware post-infection activity\" width=\"650\" height=\"58\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/7-Post-CnC-650x58.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/7-Post-CnC-300x27.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/7-Post-CnC-768x69.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/7-Post-CnC-789x71.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/03\/7-Post-CnC.png 1181w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-84024\" class=\"wp-caption-text\">Fig 7. 
Cerber ransomware post-infection activity<\/figcaption><\/figure>\n<p>The <strong>Anti-Ransomware<\/strong> and <strong>Behavior Based Detection<\/strong> features of Quick Heal and Seqrite products successfully detected the Cerber Ransomware discussed in this blog post.<\/p>\n<p><strong>Indicators of Compromise (IOCs)<\/strong><\/p>\n<ul>\n<li>rew.bdwtesting[.]net (RIG Exploit Kit landing page)<\/li>\n<li>p27dokhpz2n7nvgr.1js3tl[.]top (Cerber CnC)<\/li>\n<li>8B778E29C7651404A39117B61C4EC8B6 (MD5; SWF, Adobe Flash exploit)<\/li>\n<li>08B921E9749B2C0EF720F84BBB0E5CF5 (MD5; EXE, Cerber Ransomware)<\/li>\n<\/ul>\n<p><strong>Conclusion<\/strong><\/p>\n<p>Unpatched web servers (servers that have not had the latest software updates applied) are being compromised by cybercriminals and turned into redirectors for exploit kits, as this incident shows. The RIG Exploit Kit, fed by such compromised websites, then exploits unpatched browser components on the visitor\u2019s machine and is being heavily used to deliver ransomware. 
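The IOC matcher below is an added example, not code from the original post or from Quick Heal. It takes the indicators listed above (turning the defanged "[.]" notation back into real hostnames), finds them in any text log by hostname or IP address, including subdomains of the listed hosts, and checks an md5sum listing or a file's bytes against the two hashes. The proxy log lines and the md5sum output are constructed for the example; `match_log_lines`, `match_md5sum_output` and `md5_lookup` are this example's own names.

```python
"""Match the IOCs from the post against log lines and MD5 listings.
Added example; the sample log and md5sum output below are constructed."""
import hashlib
import re

# Indicators as listed in the post (domains defanged with "[.]").
IOC_DOMAINS = {
    "rew.bdwtesting[.]net": "RIG Exploit Kit landing page",
    "p27dokhpz2n7nvgr.1js3tl[.]top": "Cerber CnC",
}
IOC_IPS = {
    "185.158.153.111": "RIG Exploit Kit landing page",
    "104.232.37.30": "Cerber CnC",
}
IOC_MD5 = {
    "8b778e29c7651404a39117b61c4ec8b6": "SWF, Adobe Flash exploit",
    "08b921e9749b2c0ef720f84bbb0e5cf5": "EXE, Cerber ransomware",
}


def refang(indicator):
    """Turn the defanged "[.]" form used in reports back into a real hostname."""
    return indicator.replace("[.]", ".").lower()


# Host-like tokens (something.tld) and dotted-quad IPs anywhere in a line, so
# the matcher works on proxy, DNS or firewall logs regardless of layout.
HOST_TOKEN = re.compile(r"(?i)\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")
IP_TOKEN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_log_lines(lines):
    """Return (line_no, indicator, label) for each line touching an IOC host or IP.

    Hostnames match on the exact name or any subdomain of it, so a request to
    a sub-host of rew.bdwtesting.net still counts.
    """
    domains = {refang(d): label for d, label in IOC_DOMAINS.items()}
    hits = []
    for line_no, line in enumerate(lines, 1):
        for host in HOST_TOKEN.findall(line):
            host = host.lower()
            for ioc, label in domains.items():
                if host == ioc or host.endswith("." + ioc):
                    hits.append((line_no, ioc, label))
        for ip in IP_TOKEN.findall(line):
            if ip in IOC_IPS:
                hits.append((line_no, ip, IOC_IPS[ip]))
    return hits


MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")


def match_md5sum_output(text):
    """Parse `md5sum` style output; return (path, md5, label) for IOC hashes."""
    hits = []
    for line in text.splitlines():
        m = MD5SUM_LINE.match(line.strip())
        if m and m.group(1).lower() in IOC_MD5:
            digest = m.group(1).lower()
            hits.append((m.group(2), digest, IOC_MD5[digest]))
    return hits


def md5_lookup(data):
    """Hash a file's bytes; return the IOC label if it is a known sample, else None."""
    return IOC_MD5.get(hashlib.md5(data).hexdigest())


# Constructed sample proxy log (not from the incident): "timestamp client method url".
SAMPLE_PROXY_LOG = [
    "2017-03-20T10:15:01 10.0.0.5 GET https://www.cosmosbank.com/",
    "2017-03-20T10:15:02 10.0.0.5 GET http://rew.bdwtesting.net/",
    "2017-03-20T10:15:09 10.0.0.5 POST http://p27dokhpz2n7nvgr.1js3tl.top/",
    "2017-03-20T10:15:10 10.0.0.5 CONNECT 104.232.37.30:443",
    "2017-03-20T10:16:00 10.0.0.7 GET http://www.example.com/",
]

# Constructed md5sum output: the two IOC hashes (one upper-case, as md5sum
# output from other tools sometimes is) plus an unrelated hash.
SAMPLE_MD5SUM = """\
8b778e29c7651404a39117b61c4ec8b6  quarantine/exploit.swf
d41d8cd98f00b204e9800998ecf8427e  quarantine/empty.bin
08B921E9749B2C0EF720F84BBB0E5CF5  quarantine/dropped.exe
"""

if __name__ == "__main__":
    for hit in match_log_lines(SAMPLE_PROXY_LOG):
        print("log line %d: %s (%s)" % hit)
    for path, digest, label in match_md5sum_output(SAMPLE_MD5SUM):
        print("%s: %s (%s)" % (path, digest, label))
```

Domain and IP indicators from an exploit-kit campaign rotate quickly, so a match in historical logs around 17 to 20 March 2017 is the useful signal; an absence of matches later says little. The hashes identify only the exact samples seen in this incident.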
We strongly recommend that users keep their Windows operating system, browser and browser plug-ins such as Adobe Flash Player updated with the latest security patches, and use security solutions such as <a href=\"https:\/\/www.quickheal.com\/\">Quick Heal<\/a> or <a href=\"https:\/\/www.seqrite.com\/\">Seqrite<\/a>, which have multiple layers of security to fend off such threats. Website administrators should likewise keep their web server software patched and protect admin console and FTP accounts with strong, unique passwords.<\/p>\n<p><strong>ACKNOWLEDGMENT<\/strong><\/p>\n<p><u>Subject Matter Experts<\/u><\/p>\n<ul>\n<li>Vishal Singh<\/li>\n<li>Vishal Dodke<\/li>\n<li>Pradeep Kulkarni<br \/>\n\u2013 Threat Research and Response Team<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Update:\u00a0The incident has been taken care of by Cosmos Bank and its website (URL) is now clean and safe to use. Compromising popular websites has become a common strategy for attackers to spread infection in a widespread fashion. Attackers exploit unpatched vulnerabilities present on web servers in order to compromise websites. In addition to this, [&hellip;]<\/p>\n","protected":false},"author":31,"featured_media":84029,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[133,24,1],"tags":[875,1416,998,1414,50,1415,38],"class_list":["post-84017","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacker","category-malware","category-uncategorized","tag-adobe-flash","tag-cerber","tag-compromised-websites","tag-exploit-kits","tag-ransomware","tag-rig-exploit-kit","tag-vulnerability"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84017"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-j
son\/wp\/v2\/comments?post=84017"}],"version-history":[{"count":13,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84017\/revisions"}],"predecessor-version":[{"id":84178,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84017\/revisions\/84178"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/84029"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=84017"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=84017"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=84017"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}