Exploit

Zeus Panda Delivered By Sundown - Targets UK Banks

Last week we noticed that Sundown Exploit Kit (EK) was distributing a banking trojan. Upon further investigation we discovered that the banking trojan was a new version of Zeus Panda. This malware has previously been delivered by the Angler, Nuclear and Neutrino EKs.

Sundown EK Landing Page

The Sundown EK landing page obfuscation has undergone several evolutions recently, indicating that the developer is highly active. An example of the landing page from July 25, 2016 is shown below.

Uncovering A Malicious Traffic Direction System (Blackhat-TDS)

Recently an actor has been using domains like realstatistics[.]info to direct users to exploit kits. These domains are injected as script references into compromised websites, resulting in drive-by attacks on browsers. The domains act as Traffic Direction Systems (TDS), which decide whether a visitor is of interest and, if so, forward them to the malicious site.

RIG Exploit Kit Makes A Sprash In Russia

The very popular Russian site Sprashivai[.]ru has been compromised and is silently redirecting users to the RIG Exploit Kit (EK). During our analysis we saw RIG EK drop the SmokeLoader (aka Dofoil) malware.

Highly Popular Anime Site Jkanime Compromised - Redirecting Users to Neutrino EK

On June 20, 2016 the popular anime site Jkanime was injected with malicious code that was silently redirecting users to Neutrino Exploit Kit (EK). During our analysis Neutrino EK dropped and executed the CryptXXX 3.0 crypto-ransomware, and we were asked to pay 1.2 Bitcoin (approximately $888 USD) in order to get our files back.

Angler Exploit Kit's Last Heartbeat? [UPDATE: 15/JUN/2016]

Angler Exploit Kit (EK), one of the most advanced and prevalent exploit kits, appears to no longer be active. Only this month it was reported that Angler had introduced a new bypass for Microsoft's EMET so the sudden disappearance of the kit is unexpected.

MissMalini Celebrity Site Awards Admedia Gate & Angler Exploit Kit during the Oscars

On 29/FEB/16 Forcepoint researchers saw that the popular entertainment news site missmalini[.]com was compromised and redirecting to a malicious web site. The timing coincides with awards ceremonies such as The Oscars, so users are likely to be searching for celebrity news. The infection chain we analysed resulted in our system being silently exploited by Angler Exploit Kit (EK). The Teslacrypt crypto-ransomware was then dropped and executed on our test machine.

Top 20 Airline Travel Site Yatra.com Victim to Malvertizing Attack - Redirects Users to Angler EK & Bedep Malware

The popular airline travel site yatra[.]com is currently (01 Feb 2016) redirecting users to Angler Exploit Kit (EK) via a compromised advertising script. The millions of users per month browsing to the yatra[.]com homepage are currently exposed to being redirected to code that silently drops and executes malware in the background by exploiting one of the latest Flash Player vulnerabilities.


Popular Site Leads To Angler EK & CVE-2015-8651 Flash Player Exploit

Forcepoint Security Labs™ identified this week that a well known transport company's website had been compromised. We discovered that it was redirecting users to Angler Exploit Kit (EK). Forcepoint informed the company, who were quick to respond and address the issue. Users browsing to the site were exposed to malware being silently dropped onto their system and executed in the background. When we analyzed the infection we saw that users were being redirected to Angler EK, which was then exploiting CVE-2015-8651, affecting Adobe Flash Player versions up to 20.0.0.228 and 20.0.0.235.

Public Holidays Website Leads to RIG EK & Drive-by Download of Qakbot Malware

It is the beginning of 2016. Most of us will be building our calendars around the year's public holidays, and many of us will use a Google search to find the dates. But browsers beware, because one of the top results may result in your credentials and money being stolen by malware. The website in question, officeholidays[.]com, has been compromised and leads users to RIG exploit kit (EK).


An Early Christmas Present Exploits CVE-2015-8446 and Drops CryptoWall 4.0

Today, we came across a website providing free Christmas graphics along with an early but unwanted Christmas present. The website christmas-graphics-plus[.]com is injected with malicious code that leads users on a virtual sleigh ride to Angler Exploit Kit (EK) and drops the new CryptoWall 4.0 ransomware. If you were to visit this grotto, then all of your documents would be encrypted and held to ransom - including your Christmas card address book. The real Nightmare Before Christmas.
