URL: https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html
Submission: On August 19 via manual from IN — Scanned from DE

THWARTING LOADERS: FROM SOCGHOLISH TO BLISTER’S LOCKBIT PAYLOAD

Both BLISTER and SocGholish are loaders known for their evasion tactics. Our
report details what these loaders are capable of and our investigation into a
campaign that uses both to deliver the LockBit ransomware.

By: Earle Maui Earnshaw, Mohamed Fahmy, Ian Kenefick, Ryan Maglaque, Abdelrhman
Sharshar, Lucas Silva April 05, 2022 Read time: 7 min (1847 words)

--------------------------------------------------------------------------------

The Trend Micro™ Managed XDR team has made a series of discoveries involving
the BLISTER loader and SocGholish. We observed discreet SocGholish activity that
had drawn few detections, as well as a BLISTER loader sample used by threat
actors to drop a LockBit payload. Close monitoring of and prompt response to
both cases prevented their respective payloads from being delivered.

Both BLISTER and SocGholish are known for the stealth and evasion tactics they
use to deliver damaging payloads. Notably, the two have been used together in
campaigns, with SocGholish dropping BLISTER as a second-stage loader. Combined,
these two loaders aim to evade detection and suspicion in order to drop and
execute payloads, in this case LockBit. Our investigation follows what these
loaders are capable of if they are not stopped from the outset.

SocGholish infrastructure

SocGholish has been around longer than BLISTER and has already established
itself among threat actors for its advanced delivery framework. Reports show
that its attack framework has been used by threat actors since as early as
2020.

Our investigation began when the Trend Micro Managed XDR threat hunting team
flagged activity from one endpoint. Further investigation uncovered more beneath
the surface.

In this case, the user had unknowingly accessed a compromised legitimate
website, which prompted a drive-by download of a malicious file into their
system. This method of distributing malicious files is a distinct marker of
SocGholish.

The downloaded zip file (C:\Users\victim\Downloads\download.1313a9.zip)
contained the malicious JavaScript file Chrome.Update.1313a9.js, which
masquerades as a browser update. The script it contains is obfuscated.
Thankfully, user execution is still required for this threat to proceed.

Figure 1. Code snippet of the JavaScript

We investigated what would happen if the script were executed and learned that
this allows the malware to connect to its command-and-control (C&C) domain and
run several discovery commands to gather information about the system.
Afterward, it logs the information into files with .tmp extensions.

Figure 2. PRCA of the discovery commands execution as seen in Trend Micro Vision
One™

The executed commands as seen in Figure 2 are as follows:

 * "C:\Windows\System32\cmd.exe" /C net group "domain admins" /domain
   >> "C:\Users\victim\AppData\Local\Temp\rad613A2.tmp"
 * "C:\Windows\System32\cmd.exe" /C cmdkey /list >>
   "C:\Users\victim\AppData\Local\Temp\radF9A30.tmp"
 * "C:\Windows\System32\cmd.exe" /C net user victim /domain >>
   "C:\Users\victim\AppData\Local\Temp\rad6FDE0.tmp"
 * "C:\Windows\System32\cmd.exe" /C nltest /domain_trusts >>
   "C:\Users\victim\AppData\Local\Temp\rad8B102.tmp"
 * "C:\Windows\System32\cmd.exe" /C cmdkey /list >>
   "C:\Users\victim\AppData\Local\Temp\rad2A57D.tmp"
 * "C:\Windows\System32\cmd.exe" /C nltest /dclist: >>
   "C:\Users\victim\AppData\Local\Temp\rad3FBC3.tmp"
 * "C:\Windows\System32\cmd.exe" /C whoami /all >>
   "C:\Users\victim\AppData\Local\Temp\rad95E90.tmp"

The malware then drops an additional .js file that executes a few other
discovery commands. Finally, it downloads and executes the Cobalt Strike beacon,
which is used to execute remote commands. Aside from the aforementioned scripts,
a few others were also dropped but were immediately mitigated by the product.

Figure 3. Vision One showing the deployment of JavaScript and Cobalt Strike

Low detections of Cobalt Strike and the BLISTER connection

The Cobalt Strike file was particularly interesting, because at the time of this
investigation, it had a low detection rate. We wanted to see why that was and
what evasion tactics it employed.

Date          Detections
Jan 19, 2022  2
Jan 20, 2022  3
Jan 26, 2022  3
Jan 31, 2022  2
Feb 7, 2022   2
Feb 10, 2022  2

Table 1. VirusTotal detection history

Indeed, further investigation showed that the Cobalt Strike file was a tampered
version of a legitimate DLL in which an export function was modified to contain
Cobalt Strike. This is the first time we have observed this in the SocGholish
infrastructure.

Figure 4. Comparison of the original DLL to the patched DLL

The sample, wimgapi.dll, will create a thread that will essentially put itself
to sleep for 10 minutes before decrypting and executing its shell code. It also
pauses operations in order to evade detection — a well-documented defense
evasion technique.

It also performs additional steps before decrypting and executing the shell
code, as an added evasion tactic. These steps are the following:

 * It creates the folder C:\ProgramData\TermSvc.
 * It then drops the file C:\ProgramData\TermSvc\TermSvc.exe, which is a copy
   of the file that executes the sample wimgapi.dll (Rundll32.exe in this
   case), and the file %User Startup%\TermSvc.lnk, which executes the
   aforementioned dropped copy (Rundll32.exe).

It then proceeds to decrypt, load, and execute the shell code, which connects to
the URL sikescomposite[.]com. It uses VirtualAlloc, VirtualProtect, and
CreateThread to decrypt the shell code and execute it in memory.
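Added example, not code from the article or from Trend Micro: a small Python triage script that turns the behaviors described above into detection rules and runs them over constructed process-creation and file-creation events. It covers the discovery commands redirected into rad*.tmp files (Figure 2), the TermSvc.exe / TermSvc.lnk persistence artifacts, and, from the BLISTER section further down, wimgapi.dll being executed from a %Temp% path. The event field names, host names, and the burst threshold are assumptions, not a product schema.

```python
"""Triage rules for the SocGholish and BLISTER behaviours described above.
Runs over constructed process/file events; not real telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass

# SocGholish ran each discovery command through cmd.exe /C and appended the
# output to a rad<hex>.tmp file under the user's Temp folder (Figure 2).
DISCOVERY_RE = re.compile(
    r"\b(net\s+(group|user)\b|cmdkey\s+/list|nltest\s+/(domain_trusts|dclist)|whoami\s+/all)",
    re.IGNORECASE,
)
RAD_TMP_RE = re.compile(r">>\s*\"?[^\"]*\\Temp\\rad[0-9A-F]{5}\.tmp", re.IGNORECASE)

# BLISTER drops wimgapi.dll to %Temp%\wimgapi_64\; the legitimate DLL lives
# under System32, so a command line referencing it under a Temp path is odd.
TEMP_WIMGAPI_RE = re.compile(r"\\Temp\\[^\"\s]*wimgapi\.dll", re.IGNORECASE)

# Persistence artefacts: the renamed Rundll32.exe copy and the Startup shortcut.
TERMSVC_EXE_RE = re.compile(r"\\ProgramData\\TermSvc\\TermSvc\.exe$", re.IGNORECASE)
TERMSVC_LNK_RE = re.compile(r"\\Startup\\TermSvc\.lnk$", re.IGNORECASE)

DISCOVERY_BURST = 3  # assumed threshold: distinct discovery commands per host


@dataclass(frozen=True)
class Event:
    """Minimal EDR-style event (field names are assumptions, not a product schema)."""
    host: str
    kind: str          # "process" (uses cmdline) or "file" (uses path)
    cmdline: str = ""
    path: str = ""


def classify(ev: Event) -> list:
    """Return the names of the rules a single event matches (possibly none)."""
    hits = []
    if ev.kind == "process":
        if DISCOVERY_RE.search(ev.cmdline) and RAD_TMP_RE.search(ev.cmdline):
            hits.append("socgholish_discovery_to_rad_tmp")
        if TEMP_WIMGAPI_RE.search(ev.cmdline):
            hits.append("wimgapi_dll_from_temp")
    elif ev.kind == "file":
        if TERMSVC_EXE_RE.search(ev.path):
            hits.append("termsvc_rundll32_copy")
        if TERMSVC_LNK_RE.search(ev.path):
            hits.append("termsvc_startup_lnk")
    return hits


def triage(events) -> dict:
    """Correlate hits per host and escalate when several distinct discovery
    commands land in rad*.tmp files on the same host (the Figure 2 pattern)."""
    per_host = defaultdict(set)
    discovery_cmds = defaultdict(set)
    for ev in events:
        for rule in classify(ev):
            per_host[ev.host].add(rule)
            if rule == "socgholish_discovery_to_rad_tmp":
                cmd = DISCOVERY_RE.search(ev.cmdline).group(0)
                discovery_cmds[ev.host].add(" ".join(cmd.lower().split()))
    for host, cmds in discovery_cmds.items():
        if len(cmds) >= DISCOVERY_BURST:
            per_host[host].add("socgholish_discovery_burst")
    return {host: sorted(rules) for host, rules in per_host.items()}


# Constructed sample events modelled on the command lines and paths in the article.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
CMD = r'"C:\Windows\System32\cmd.exe" /C '
SAMPLE_EVENTS = [
    Event("WS01", "process", cmdline=CMD + r'net group "domain admins" /domain >> "' + TEMP + r'\rad613A2.tmp"'),
    Event("WS01", "process", cmdline=CMD + r'cmdkey /list >> "' + TEMP + r'\radF9A30.tmp"'),
    Event("WS01", "process", cmdline=CMD + r'nltest /domain_trusts >> "' + TEMP + r'\rad8B102.tmp"'),
    Event("WS01", "process", cmdline=CMD + r'cmdkey /list >> "' + TEMP + r'\rad2A57D.tmp"'),  # repeat, not a new command
    Event("WS01", "file", path=r"C:\ProgramData\TermSvc\TermSvc.exe"),
    Event("WS01", "file", path=r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TermSvc.lnk"),
    Event("WS02", "process", cmdline=r'rundll32.exe "' + TEMP + r'\wimgapi_64\wimgapi.dll",WIMDeleteImageMounts'),
    # Benign look-alikes: an admin query with no rad*.tmp redirect, and the real DLL from System32.
    Event("ADMIN01", "process", cmdline=CMD + r"net user victim /domain"),
    Event("ADMIN01", "process", cmdline=r"rundll32.exe C:\Windows\System32\wimgapi.dll,WIMDeleteImageMounts"),
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, ", ".join(rules))
```

The per-host correlation matters more than any single rule: one redirected `net user` is easy to explain away, while three distinct discovery commands written to rad*.tmp files within the same session are the SocGholish pattern shown in Figure 2.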

We also observed the harvesting of API functions, which are called only when
needed as seen in their shell code (Figure 5). This is another tactic that
obscures the shell code.

Figure 5. The code for harvesting of API functions and calling them when needed

As a malleable Cobalt Strike C&C stager, the behavior of wimgapi.dll might
depend on what is downloaded from the accessed URL. In this incident, we
observed the following after its deployment:

 * Account discovery
 * Pass-the-hash for privilege escalation
 * Spawned WerFault.exe process that generates the following activity: Network
   sniffing of port 135
 * Copying of browser login data
 * Lateral movement via dropping Cobalt Strike copies into remote machines

Figure 6. Dropping of Cobalt Strike to remote machines as seen in Vision One

Aside from the malicious behavior demonstrated by Cobalt Strike, one of the C&C
IP addresses (198[.]71[.]233[.]254) can be linked to Emotet and Dridex attacks.
This IP address, which is used by multiple JavaScript C&C domains, was found
hosting and dropping Emotet and Dridex samples from the end of 2021 to this
year.

The way Cobalt Strike was used in this scenario (masking tampered DLLs as
legitimate) is interesting, because we have yet to observe it in other
SocGholish campaigns. This indicates that the threat actors behind SocGholish
are selling access to, or are joining forces with, a third party.
Interestingly, another case investigated by the Trend Micro Managed XDR team
seems to show that the third party is the threat actors behind BLISTER.

From SocGholish to BLISTER and LockBit

We also discovered the use of the BLISTER loader, a newer type of malware first
identified in December 2021, in deploying the LockBit ransomware. The BLISTER
loader might be delivered through malicious installers, specifically via the
SocGholish framework. It can also carry an embedded Cobalt Strike or BitRat
payload in its resource section.

LockBit is a ransomware-as-a-service (RaaS) cartel that runs one of the most
active ransomware operations today. The gang is infamous for its sophisticated
malware capabilities and strong affiliate network. It typically infects systems
by gaining unauthorized access to internet-facing infrastructure.

Curiously, the MDR team found that recent detections used BLISTER, which employs
SocGholish's tactic of using fake browser updates to drop malicious files. It
also uses several techniques to avoid detection, such as the following:

 * Use of valid code signing certificates to persist in the system
 * Use of direct system calls to avoid user-land antivirus hooks
 * Delay of code execution for 10 minutes to evade sandbox detection
 * Injection of the payload into a legitimate process such as werfault.exe and
   renaming of legitimate DLLs like Rundll32.exe to stay under the radar

The file ssql.exe was likely dropped through SocGholish's drive-by download
scheme. This file serves as a dropper and was created with NullSoft, an
open-source system for creating Windows installers, as seen in Figure 7.

Figure 7. The ssql.exe dropper created through NullSoft

Once ssql.exe is executed, it drops a BLISTER loader sample to
%Temp%\wimgapi_64\wimgapi.dll. The file wimgapi.dll is then loaded in memory and
the export WIMDeleteImageMounts is executed.

Figure 8. BLISTER is dropped.
Figure 9. WIMDeleteImageMounts is executed.

The DLL decodes the shell code found in its RCData resource and executes it.
Similarly, the shell code sleeps for 10 minutes and then decrypts and
decompresses the Cobalt Strike beacon.

Vision One generated an image (Figure 10) to show the infection chain based on
our samples.

Figure 10. Image of BLISTER loader’s infection chain generated through Vision
One

After the execution of the Cobalt Strike payload, the threat actors dropped and
executed batch scripts to stop antivirus agents (KillAV) running in the
environment and critical services (SQL, Veeam, Exchange, and others). The script
also updates the Group Policy Object (GPO) on the machine, adds the computer
host name to a centralized text file, creates a scheduled task named "updater"
that executes the batch file on startup, and finally clears the Windows event
logs.

Figure 11. KillAV used by the LockBit ransomware group to try to stop antivirus
agents
Figure 12. Batch script used by the LockBit ransomware group to stop critical
services and third-party antivirus software

After successfully reaching this point, the LockBit sample would ultimately be
executed. Our detections of the domains that were created and the SocGholish
certificates that were used suggest that the campaign likely began in November
2021 and has persisted up to the present.

Conclusion

These investigations gave us the opportunity to learn more about SocGholish and
the BLISTER loader. These cases highlight the continued evolution of threats
that are built to evade detection. Notably, we observed evasive tactics such as
masking a tampered DLL as legitimate and putting shell code to sleep
temporarily. Organizations should also take note of the continuing trend of
using Cobalt Strike against victim entities and living-off-the-land binaries
(LOLBins) to blend in with the environment.

For these cases, close monitoring and prompt detection prevented all that was
described here from coming to pass. Early containment and mitigation are
essential to cut off more damaging attacks that compromise environments, steal
data, or deploy ransomware.

Organizations should remain vigilant and ensure that they have solid
cybersecurity measures in place. These additional security recommendations can
also help them protect their assets from modern ransomware threats like
LockBit: 

 * Enabling multifactor authentication (MFA) can prevent malicious actors from
   compromising user accounts as part of their infiltration process. 
 * Users should be wary of opening unverified emails. Embedded links should
   never be clicked and attached files should never be opened without the proper
   precautions and verification as these can kickstart the ransomware
   installation process. 
 * Organizations should always adhere to the 3-2-1 rule: Create three backup
   copies on two different file formats, with one of the backups in a separate
   location. 
 * Patching and updating software and other systems at the soonest possible time
   can address exploitable vulnerabilities that can lead to a ransomware
   infection. 
 * Organizations can better protect themselves from ransomware attacks by
   implementing multilayered security setups that combine elements such as the
   automated detection of files and other indicators with constant monitoring
   for the presence of weaponized legitimate tools in their IT environment.

New malware techniques are bound to emerge as threat actors attempt to breach
more systems. Organizations can defend themselves against such threats by using
multilayered detection and response solutions such as Trend Micro Vision One™, a
purpose-built threat defense platform that provides added value and new benefits
beyond extended detection and response (XDR) solutions. This technology provides
powerful XDR capabilities that collect and automatically correlate data across
multiple security layers — email, endpoints, servers, cloud workloads, and
networks — to prevent attacks via automated protection while also ensuring that
no significant incidents go unnoticed. 

A list of the indicators of compromise (IOCs) can be found here. 

Tags
Ransomware | Research | Articles, News, Reports | Cyber Threats


AUTHORS

 * Earle Maui Earnshaw
   
   Threats Analyst

 * Mohamed Fahmy
   
   Threat Intelligence Analyst

 * Ian Kenefick
   
   Threats Analyst

 * Ryan Maglaque
   
   Threats Analyst

 * Abdelrhman Sharshar
   
   Threat Intelligence Analyst

 * Lucas Silva
   
   Threat Analyst

   screen-reader is installed on the blind user’s computer, and this site is
   compatible with it.
 * Keyboard Navigation Profile (Motor-Impaired): this profile enables
   motor-impaired persons to operate the website using the keyboard Tab,
   Shift+Tab, and the Enter keys. Users can also use shortcuts such as “M”
   (menus), “H” (headings), “F” (forms), “B” (buttons), and “G” (graphics) to
   jump to specific elements.

Additional UI, design, and readability adjustments
 1. Font adjustments – users can increase and decrease its size, change its
    family (type), adjust the spacing, alignment, line height, and more.
 2. Color adjustments – users can select various color contrast profiles such as
    light, dark, inverted, and monochrome. Additionally, users can swap color
    schemes of titles, texts, and backgrounds with over seven different coloring
    options.
 3. Animations – epileptic users can stop all running animations with the click
    of a button. Animations controlled by the interface include videos, GIFs,
    and CSS flashing transitions.
 4. Content highlighting – users can choose to emphasize essential elements such
    as links and titles. They can also choose to highlight focused or hovered
    elements only.
 5. Audio muting – users with hearing devices may experience headaches or other
    issues due to automatic audio playing. This option lets users mute the
    entire website instantly.
 6. Cognitive disorders – we utilize a search engine linked to Wikipedia and
    Wiktionary, allowing people with cognitive disorders to decipher meanings of
    phrases, initials, slang, and others.
 7. Additional functions – we allow users to change cursor color and size, use a
    printing mode, enable a virtual keyboard, and many other functions.

Assistive technology and browser compatibility

We aim to support as many browsers and assistive technologies as possible, so
our users can choose the best fitting tools for them, with as few limitations as
possible. Therefore, we have worked very hard to be able to support all major
systems that comprise over 95% of the user market share, including Google
Chrome, Mozilla Firefox, Apple Safari, Opera and Microsoft Edge, JAWS, and NVDA
(screen readers), both for Windows and MAC users.

Notes, comments, and feedback

Despite our very best efforts to allow anybody to adjust the website to their
needs, there may still be pages or sections that are not fully accessible, are
in the process of becoming accessible, or are lacking an adequate technological
solution to make them accessible. Still, we are continually improving our
accessibility, adding, updating, improving its options and features, and
developing and adopting new technologies. All this is meant to reach the optimal
level of accessibility following technological advancements. If you wish to
contact the website’s owner, please use the website's form

Hide Accessibility Interface? Please note: If you choose to hide the
accessibility interface, you won't be able to see it anymore, unless you clear
your browsing history and data. Are you sure that you wish to hide the
interface?
Accept Cancel

Continue



Processing the data, please give it a few seconds...


AddThis Sharing Sidebar
Share to FacebookFacebookShare to TwitterTwitterShare to PrintPrintMore AddThis
Share optionsAddThis
5
SHARES
Hide
Show
Close
AddThis