It is well known that hackers often use exploit kits to locate vulnerabilities in systems and infect users with malware.
What an exploit kit does is open a channel through which cyber criminals can communicate with your system and feed it code containing different types of commands. These kits cost a lot of money in the underground economy, and one of the most notorious among them is the popular Angler Exploit Kit.
One of the latest victims of the Angler Exploit Kit is ‘Burrp’, a well-known local food and restaurant recommendation website based in India.
Burrp was compromised to redirect users to the Angler exploit kit in order to deliver the TeslaCrypt ransomware. Hackers infected users’ computers, encrypted their files and demanded a ransom for decrypting them.
Since the beginning of February, the website has been redirecting users to the exploit kit. After being notified of the issue, Burrp stated that it is working to resolve it. Most of the users impacted by this attack are based in the USA and India.
This is the way the attacks work:
1. Injecting malicious code
Cyber criminals compromised Burrp by injecting code into one of the site’s JavaScript files. As soon as a user’s browser loads this code, they are redirected to a malicious site with “megaadvertize” in the URL.
2. Script received from the exploit kit’s server
The script then sends a POST request to the same remote location. The response to this request includes a file that redirects the user to the Angler exploit kit landing page.
3. Angler attempts to exploit the vulnerabilities
If the exploit succeeds, the TeslaCrypt payload is dropped onto the virtual machine. If the exploit doesn’t work, the kit drops another file with a different type of exploit to download TeslaCrypt onto the computer.
4. TeslaCrypt in action
Once installed on the computer, TeslaCrypt writes an executable file to memory, which carries the Trojan’s main functionality. The Trojan then drops the ransom message into every folder containing encrypted files. The notice demands that the user pay in bitcoins in order to obtain the decryption key and restore the encrypted data.
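As an added example (not from the original article, Burrp, or Symantec), the following Python script shows how a defender could spot steps 1 and 2 of this chain in web proxy logs: a GET to a URL containing the “megaadvertize” marker, referred from a different site, followed shortly by a POST back to the same host. The log format, the client addresses, every hostname other than burrp.com, and the 30-second window are assumptions; the only detail taken from the article is the “megaadvertize” string in the redirect URL.

```python
"""Flag Angler-style redirect chains in web proxy logs.

Detection logic (added example): a client fetches a URL that contains a
known marker ("megaadvertize", from the Burrp case) with a Referer from a
different host, then POSTs to that same host within a short window.
"""
import re
from datetime import datetime, timedelta

# Constructed sample proxy log lines, not real traffic.
# Format: timestamp client method url referer ("-" when absent).
# Hostnames other than burrp.com are placeholders.
SAMPLE_LOG = """\
2016-02-10T10:00:01Z 10.0.0.5 GET http://www.burrp.com/ -
2016-02-10T10:00:02Z 10.0.0.5 GET http://www.burrp.com/js/site.js http://www.burrp.com/
2016-02-10T10:00:03Z 10.0.0.5 GET http://megaadvertize.example/ad.php http://www.burrp.com/
2016-02-10T10:00:04Z 10.0.0.5 POST http://megaadvertize.example/ad.php http://megaadvertize.example/ad.php
2016-02-10T10:00:05Z 10.0.0.5 GET http://landing.example/xyz http://megaadvertize.example/ad.php
2016-02-10T10:05:00Z 10.0.0.9 GET http://www.burrp.com/ -
2016-02-10T10:05:01Z 10.0.0.9 GET http://www.burrp.com/js/site.js http://www.burrp.com/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<referer>\S+)$"
)
HOST_RE = re.compile(r"^https?://([^/]+)")

URL_MARKERS = ("megaadvertize",)     # marker string reported in the redirect URL
POST_WINDOW = timedelta(seconds=30)  # assumed: how soon the POST must follow the GET


def host_of(url):
    """Return the lower-cased host part of an http(s) URL, or None."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else None


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["host"] = host_of(rec["url"])
    rec["referer_host"] = host_of(rec["referer"])
    return rec


def find_redirect_chains(log_text):
    """Return one finding per client that completes the GET-then-POST sequence."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    findings = []
    pending = {}  # (client, host) -> the suspicious GET waiting for its POST
    for rec in records:
        key = (rec["client"], rec["host"])
        marker_hit = any(mk in rec["url"].lower() for mk in URL_MARKERS)
        cross_site = rec["referer_host"] is not None and rec["referer_host"] != rec["host"]
        if rec["method"] == "GET" and marker_hit and cross_site:
            pending[key] = rec
            continue
        if rec["method"] == "POST" and key in pending:
            first = pending.pop(key)
            gap = rec["ts"] - first["ts"]
            if gap <= POST_WINDOW:
                findings.append({
                    "client": rec["client"],
                    "source_host": first["referer_host"],   # the compromised site
                    "redirect_host": rec["host"],           # the intermediate server
                    "seconds_between": gap.total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for f in find_redirect_chains(SAMPLE_LOG):
        print(f"client {f['client']} was sent from {f['source_host']} to "
              f"{f['redirect_host']} and POSTed back {f['seconds_between']:.0f}s later")
```

Run against real proxy output, the marker list would be extended with whatever strings the current campaign uses, and the `source_host` field tells you which of your own or third-party sites is serving the injected JavaScript, which is the file to pull and compare against a known-good copy.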