As you can see, this campaign started on May 9, about a week ago. It infected a number of different websites, primarily web-based forums. The most interesting victims so far are jscfcu.org and uvnc.com.
The first one is a Credit Union in Texas – JSC FCU has been around for 50 years and has grown to serve 123,000+ members and 2,000+ Community Business Partners (CBPs) throughout the greater Houston Area. Here is the screenshot of this Credit Union's website.
The second victim – UltraVNC.com is even more interesting. UltraVNC is one of the most popular remote desktop programs for remote administration. It is similar to TeamViewer, pcAnywhere or LogMeIn. It allows the use of a remote computer as if the user were in front of it.
In computing, Virtual Network Computing (VNC) is a graphical desktop sharing system that transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network. With over a billion copies, VNC is a de facto standard for remote control. VNC has been used widely in hundreds of different products and applications, from helpdesks to virtualization. VNC is available on a vast variety of desktops, mobile and embedded platforms and is the most widely ported application software. It is an official part of the Internet standard protocols, defined in RFC 6143. UltraVNC runs on ports 5900 and 5800 by default.
The impact of the UltraVNC website being compromised is significant, because many technical users go to this website to download the VNC client to troubleshoot their friends', family's or clients' PCs. As the website seems to be controlled by the attackers, it is possible that the VNC software itself has been replaced by a trojan as well. Note that we have seen uvnc.com compromised before; in fact, 6 more times this year alone:
Redirect observed                                    Date
uvnc.com redirected to specialist-foods.co.uk        Mar 12, 2016
uvnc.com redirected to insurancespecialistnetwork.com Feb 14, 2016
uvnc.com redirected to k-1.rriomirok.xyz             Feb 6, 2016
uvnc.com redirected to 128.ipav-anspid.club          Jan 27, 2016
uvnc.com redirected to 98215-61335.xyz               Jan 11, 2016
uvnc.com redirected to meik-snorami.xyz              Jan 4, 2016
The infection chain in all of the cases in this campaign is as follows:
hacked                    infected site, e.g. uvnc.com
  ---> redirector         bootstrapcdn.org
  ---> Angler payload     xxxxx .co.uk/xxxxx
Here is the screenshot of the JS code used in bootstrapcdn.org redirector.
Here is the screenshot of the Angler JS code used in xxx.co.uk/xxx payload pages.
It is of interest to note that the use of .co.uk domains by malicious actors increased by ~150% year-over-year in 2016. We believe that rather than registering new .co.uk domains, attackers likely compromised the .co.uk registrars' customer accounts to add additional subdomain DNS records.
Example: specialist-foods.co.uk is a legitimate commercial website, while zunickender.specialist-foods.co.uk is an attacker-created subdomain pointing to the Angler Exploit Kit.
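The chain above (infected site, then the bootstrapcdn.org redirector, then an Angler payload on a deep subdomain of a legitimate .co.uk domain) is something a defender can hunt for in web-proxy logs. The script below is an added example written for this post, not code from the original article or from any of the sites named in it. It assumes a constructed proxy log format of "timestamp client url referer" (these sample lines are made up for the demonstration); the only real indicators it uses are the redirector host and the payload subdomain named in the post. It flags a request either when the host is a known payload subdomain, or when a request for a non-www subdomain under a .co.uk registered name arrives with the redirector as its referer, and then reconstructs the redirect chain for that client by walking the referers backwards.

```python
"""Flag Angler-style redirect chains (infected site -> redirector -> .co.uk
payload subdomain) in web-proxy logs. Added example; log format and sample
lines are constructed, indicators come from the post."""
from urllib.parse import urlparse

# Redirector host named in the post (note the .org lookalike TLD).
REDIRECTOR_HOSTS = {"bootstrapcdn.org"}
# Attacker-created subdomain of a legitimate .co.uk domain, from the post.
KNOWN_PAYLOAD_HOSTS = {"zunickender.specialist-foods.co.uk"}

# Constructed proxy log: "<timestamp> <client> <url> <referer>" ("-" = none).
SAMPLE_LOG = """\
2016-05-14T10:00:01 10.0.0.5 http://uvnc.com/index.html -
2016-05-14T10:00:02 10.0.0.5 http://bootstrapcdn.org/js/bootstrap.min.js http://uvnc.com/index.html
2016-05-14T10:00:03 10.0.0.5 http://zunickender.specialist-foods.co.uk/abc http://bootstrapcdn.org/js/bootstrap.min.js
2016-05-14T10:05:00 10.0.0.9 http://www.specialist-foods.co.uk/ -
2016-05-14T10:06:00 10.0.0.7 http://cdn.example.co.uk/lib.js http://example.org/
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, client, url, referer = line.split()
    return {"ts": ts, "client": client, "url": url,
            "referer": None if referer == "-" else referer}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_deep_couk_subdomain(host):
    """True for name.co.uk hosts with a label below the registered name
    other than plain 'www' (e.g. zunickender.specialist-foods.co.uk)."""
    labels = host.split(".")
    if len(labels) < 4 or labels[-2:] != ["co", "uk"]:
        return False
    return labels[:-3] != ["www"]


def redirect_chain(entries_by_url, url):
    """Walk referers backwards from `url` and return the host chain in
    visit order. Stops on a missing referer or a loop."""
    chain, seen = [], set()
    while url and url not in seen:
        seen.add(url)
        chain.append(host_of(url))
        entry = entries_by_url.get(url)
        url = entry["referer"] if entry else None
    return list(reversed(chain))


def find_suspicious(log_text):
    """Return [(client, [host, ...])] for every request that matches the
    redirector -> .co.uk subdomain pattern or a known payload host."""
    by_client = {}
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            by_client.setdefault(e["client"], {})[e["url"]] = e

    hits = []
    for client, entries in by_client.items():
        for url, e in entries.items():
            host = host_of(url)
            ref_host = host_of(e["referer"]) if e["referer"] else ""
            # Gate the generic "deep .co.uk subdomain" heuristic on the
            # redirector referer: plenty of legitimate .co.uk sites use
            # deep subdomains, so on its own it would be noisy.
            if host in KNOWN_PAYLOAD_HOSTS or (
                ref_host in REDIRECTOR_HOSTS and is_deep_couk_subdomain(host)
            ):
                hits.append((client, redirect_chain(entries, url)))
    return hits


if __name__ == "__main__":
    for client, chain in find_suspicious(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

Run against the constructed log, the script reports a single chain for client 10.0.0.5 (uvnc.com, then bootstrapcdn.org, then the payload subdomain); the visit to www.specialist-foods.co.uk and the deep subdomain fetched with an unrelated referer are left alone. In a real deployment the same logic would be fed by your proxy's referer field and a current indicator list rather than the two hosts hard-coded here.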
Before posting this blog, we notified the owners of the websites in question wherever possible. I would like to thank Alex Burt, who helped with the analysis of the malware traffic for this campaign.