A new Angler exploit kit campaign is targeting Sexting Forum and 18 other websites.
Cyphort Labs claims that the initiative uses the bootstrapcdn.org redirector and transfers users to malicious payloads hosted on .co.uk websites.
“This is not malvertising, instead the websites are compromised directly (likely via FTP password theft) and redirect using an embedded SCRIPT tag,” Cyphort’s Nick Bilogorskiy said.
The drive-by exploits are affecting a wide variety of websites, including a Smith & Wesson discussion forum, an “Army Recognition” site, and a leading credit union in Houston (JSC FCU has been around for 50 years and has grown to serve 123,000+ members and 2,000+ Community Business Partners (CBPs) throughout the greater Houston area).
Apart from the above-mentioned, there is a website offering bloggers visitor stats and the like, as well as UltraVNC.com – one of the most popular desktop programs for remote administration, which is similar to LogMeIn, pcAnywhere or TeamViewer.
Unfortunately, these websites have a wide reach. For example, many technical users visit the UltraVNC website to download the VNC client in order to troubleshoot their friends’, family’s or clients’ computers.
“In computing, virtual network computing (VNC) is a graphical desktop sharing system that transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network,” explained Bilogorskiy.
“With over a billion copies, VNC is a de facto standard for remote control. VNC has been used widely in hundreds of different products and applications, from helpdesks to virtualization.”
“As the website seems to be controlled by the attackers, it is possible that VNC software has been replaced by a trojan as well,” Nick Bilogorskiy said.
The new Angler exploit kit campaign started on May 9 and is currently ongoing. It is the latest in a series of drive-by campaigns.
“It is of interest to note that the use of .co.uk domains by malicious actors increased by ~150% year-over-year in 2016,” Bilogorskiy said.
“We believe that rather than registering new .co.uk domains, attackers likely compromised the co.uk registrars’ customers’ accounts to add additional subdomain DNS pointers. Example: specialist-foods.co.uk is a legitimate commercial website, zunickender.specialist-foods.co.uk is a hacker subdomain pointing to Angler EK.”
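The compromise described above works by injecting an external SCRIPT tag into an otherwise legitimate page, so a simple site-owner check is to compare every script source against the hosts the site is known to load from. The following is an added example, not Cyphort's tooling; the sample page HTML and the allowlist are constructed, and only the redirector hostname comes from the article.

```python
"""Flag <script src> tags whose host is not on a per-site allowlist."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def script_hosts(html_text):
    """Return (src, host) pairs; host is '' for same-origin relative paths."""
    parser = ScriptSrcCollector()
    parser.feed(html_text)
    parser.close()
    hosts = []
    for src in parser.sources:
        # Scheme-relative "//host/path" needs a scheme before urlparse sees a host.
        to_parse = "https:" + src if src.startswith("//") else src
        hosts.append((src, (urlparse(to_parse).hostname or "").lower()))
    return hosts


def is_allowed(host, allowed):
    """Same-origin scripts and allowed domains (or their subdomains) pass."""
    if not host:
        return True
    return any(host == a or host.endswith("." + a) for a in allowed)


def find_suspicious_scripts(html_text, allowed_hosts):
    allowed = [a.lower() for a in allowed_hosts]
    return [src for src, host in script_hosts(html_text) if not is_allowed(host, allowed)]


# Constructed sample: a forum page with its own scripts plus one injected tag
# pointing at the redirector host named in the article.
SAMPLE_PAGE = """<html><head>
<script src="/js/forum.js"></script>
<script src="https://cdn.example-forum.com/lib/jquery.js"></script>
<script type="text/javascript" src="//bootstrapcdn.org/bootstrap.min.js"></script>
</head><body></body></html>"""

ALLOWED = ["example-forum.com"]  # constructed allowlist for the sample site

if __name__ == "__main__":
    for src in find_suspicious_scripts(SAMPLE_PAGE, ALLOWED):
        print("unexpected external script:", src)
```

Run against a copy of each page fetched from the web server rather than from the CMS, since an attacker with stolen FTP credentials modifies the deployed files directly.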