
"Watering hole" attacks are gaining momentum: now it is nbc.com's turn

It seems that the beginning of 2013 will be remembered as a period with a large number of attacks involving the compromise of the web resources of major publications. This time we are talking about nbc.com, the official website of the American company NBC. Recall that such authoritative publications as The Wall Street Journal, the New York Times and the Washington Post had earlier reported the compromise of their systems. In those cases, however, according to official statements, it was not a "watering hole" attack but a compromise of the companies' internal networks and servers in order to obtain confidential information.

Today we want to talk about the attack on nbc.com.

With the help of ESET Live Grid, we recorded the first signs of infection on the website on February 20, at about 5 pm (Central European Time). After that, until noon on the 21st, we observed a long break in activity, so it is not clear whether the site was infected throughout this period. The web pages may have carried the malicious content for some time while the links in that code pointed to a location that no longer existed (in that case our tracking systems could not record the malicious content).

The attack on the website consisted of injecting a malicious iframe that redirected page visitors to an exploit kit landing page. In this case, the attackers used the RedKit exploit kit.


Fig. Embedded iframe.

We recorded several different websites that were compromised by this iframe. During the investigation process, ESET constantly updated the list of such malicious web pages.
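As an added example (not from the original article or from ESET), here is a small Python check that a site owner could run over their own pages to flag iframes like the one described: frames whose src points off-site to a host that is not on an allow-list, or that are hidden from the visitor. The hostnames in the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects every <iframe> tag with its attributes from an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the iframe is styled or sized so the visitor would never see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "100")) <= 2 or int(attrs.get("height", "100")) <= 2
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host, trusted_hosts):
    """Return iframes whose src points off-site to an untrusted host, plus hidden ones."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # a relative src stays on-site
        reasons = []
        if host != site_host and host not in trusted_hosts:
            reasons.append("off-site host %s" % host)
        if _is_hidden(attrs):
            reasons.append("hidden from the visitor")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate embed, one injected hidden iframe (placeholder host), one relative frame.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://redirector.example.invalid/land.php" width="1" height="1" style="display:none"></iframe>
<iframe src="/ads/frame.html" width="300" height="250"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "www.nbc.com", {"www.youtube.com"}):
        print(f["src"], "->", "; ".join(f["reasons"]))
```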



For the duration of this attack, that is, while the website was compromised, ESET antivirus products blocked access to it. When control of the site was restored and the malicious content was removed, we unblocked access to the site. It is worth noting that access to it was also blocked by Google and Facebook (Facebook did not allow wall posts that contained a link to the site).



Several other sites are still infected, and users put themselves at risk by visiting them. They will remain blocked until they are cleared of malicious content. When a user attempts to visit a compromised resource that is on the blocked list, ESET Smart Security displays the following message.



In this case, ESET warns the user that the web page contains malicious content that points to the RedKit exploit kit landing page.


Fig. Exploit kit page.

The exploit attempts to download several files onto the infected machine. Not surprisingly, these files are malicious. One of the downloads is a downloader, which we detect as Win32/TrojanDownloader.Vespula.AY; another malicious object is detected as Trojan.JS/Exploit.Agent.NCX.

Source: https://habr.com/ru/post/170459/
