As you can see, this campaign started on May 9, about a week ago. It infected a number of different websites, primarily web-based forums. The most interesting victims so far are jscfcu.org and uvnc.com.

The first is a credit union in Texas: JSC FCU has been around for 50 years and has grown to serve 123,000+ members and 2,000+ Community Business Partners (CBPs) throughout the greater Houston area. Here is a screenshot of the credit union's website.

[Screenshot: JSC FCU credit union website (creditunion1)]


The second victim, UltraVNC.com, is even more interesting. UltraVNC is one of the most popular remote desktop programs for remote administration. It is similar to TeamViewer, pcAnywhere or LogMeIn, and it allows a remote computer to be used as if the user were sitting in front of it.


In computing, Virtual Network Computing (VNC) is a graphical desktop sharing system that transmits keyboard and mouse events from one computer to another and relays the graphical screen updates back in the other direction, over a network. With over a billion copies, VNC is a de facto standard for remote control. VNC has been used widely in hundreds of different products and applications, from helpdesks to virtualization. VNC is available on a vast variety of desktop, mobile and embedded platforms and is the most widely ported application software. It is an official part of the Internet standard protocols, defined in RFC 6143. UltraVNC uses ports 5900 and 5800 by default.

[Screenshot: UltraVNC website (vnc11)]


The impact of the UltraVNC website being compromised is significant, because many technical users go to this website to download the VNC client to troubleshoot their friends', family's or clients' PCs. As the website seems to be controlled by the attackers, it is possible that the VNC software itself has been replaced by a trojan as well. Note that we have seen uvnc.com compromised before, in fact 6 more times this year alone:

 uvnc.com redirected to specialist-foods.co.uk           Mar 12, 2016
 uvnc.com redirected to insurancespecialistnetwork.com   Feb 14, 2016
 uvnc.com redirected to k-1.rriomirok.xyz                Feb 6, 2016
 uvnc.com redirected to 128.ipav-anspid.club             Jan 27, 2016
 uvnc.com redirected to 98215-61335.xyz                  Jan 11, 2016
 uvnc.com redirected to meik-snorami.xyz                 Jan 4, 2016


The infection chain in all of the cases in this campaign is as follows:

 hacked (infected) site, e.g. uvnc.com
   --> redirector: ui.bootstrapcdn.org
     --> Angler payload: xxxxx.co.uk/xxxxx


Here is a screenshot of the JS code used by the bootstrapcdn.org redirector.

[Screenshot: bootstrapcdn.org redirector JS code (redirector11)]


Here is a screenshot of the Angler JS code used on the xxx.co.uk/xxx payload pages.

[Screenshot: Angler JS code on the .co.uk payload pages (redirector0)]


It is of interest to note that the use of .co.uk domains by malicious actors increased by ~150% year-over-year in 2016. We believe that rather than registering new .co.uk domains, attackers likely compromised customer accounts at co.uk registrars to add additional subdomain DNS records.

[Image: use of .co.uk domains by malicious actors (co.uk1)]


Example: specialist-foods.co.uk is a legitimate commercial website, while zunickender.specialist-foods.co.uk is an attacker-created subdomain pointing to the Angler Exploit Kit.
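As an added example (not code from the original post), the redirect chain described above and the .co.uk subdomain pattern can be turned into a detection over web-proxy logs: group requests by client, look for a request to a label.domain.co.uk host whose Referer is the ui.bootstrapcdn.org redirector, and walk back to the page that loaded the redirector. The redirector host and the zunickender.specialist-foods.co.uk name come from the post; the log layout, client addresses and log lines are constructed for the example, and the assumption that each hop's Referer names the previous hop is mine.

```python
"""Flag Angler-style redirect chains (site -> redirector -> .co.uk subdomain) in proxy logs.

Added example, not from the original post. Assumes a simplified, constructed
access-log layout:  <epoch> <client_ip> <method> <url> <referer-or-dash>
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Redirector hostname observed in the campaign (from the post).
REDIRECTOR_HOSTS = {"ui.bootstrapcdn.org"}

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
1463000001 10.0.0.7 GET http://uvnc.com/ -
1463000002 10.0.0.7 GET http://ui.bootstrapcdn.org/bootstrap.min.js http://uvnc.com/
1463000003 10.0.0.7 GET http://zunickender.specialist-foods.co.uk/index.php http://ui.bootstrapcdn.org/bootstrap.min.js
1463000004 10.0.0.9 GET http://example.org/ -
1463000005 10.0.0.9 GET http://www.specialist-foods.co.uk/menu.html http://example.org/
"""


def parse_line(line):
    """Split one constructed log line into its fields plus the parsed hostnames."""
    ts, client, method, url, referer = line.split()
    has_ref = referer != "-"
    return {
        "ts": int(ts),
        "client": client,
        "method": method,
        "url": url,
        "host": urlsplit(url).hostname or "",
        "referer": referer if has_ref else None,
        "referer_host": (urlsplit(referer).hostname or "") if has_ref else None,
    }


def is_suspect_couk_subdomain(host):
    """True for label.registered.co.uk style hosts (four or more labels).

    A plain registered name (specialist-foods.co.uk) is not flagged; a leading
    'www' label is treated as the site's own host, not an added subdomain
    (assumption, not from the post).
    """
    labels = host.lower().split(".")
    return len(labels) >= 4 and labels[-2:] == ["co", "uk"] and labels[0] != "www"


def find_chains(log_text):
    """Return one record per detected chain: client, compromised site, redirector, payload host."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    chains = []
    for client, evs in by_client.items():
        for i, ev in enumerate(evs):
            # Final hop: .co.uk subdomain fetched with the redirector as Referer.
            if ev["referer_host"] in REDIRECTOR_HOSTS and is_suspect_couk_subdomain(ev["host"]):
                # Walk back to the redirector request itself, then to the page that loaded it.
                redirector = next((p for p in reversed(evs[:i]) if p["url"] == ev["referer"]), None)
                origin = redirector["referer_host"] if redirector and redirector["referer_host"] else None
                chains.append({
                    "client": client,
                    "site": origin,
                    "redirector": ev["referer_host"],
                    "payload": ev["host"],
                })
    return chains


if __name__ == "__main__":
    for chain in find_chains(SAMPLE_LOG):
        print(f"{chain['client']}: {chain['site']} -> {chain['redirector']} -> {chain['payload']}")
```

On the constructed log the script reports one chain for client 10.0.0.7 (uvnc.com -> ui.bootstrapcdn.org -> zunickender.specialist-foods.co.uk) and ignores the second client, whose request to www.specialist-foods.co.uk is a normal visit to the legitimate site. The subdomain check is deliberately narrow to the pattern the post describes; hosts like k-1.rriomirok.xyz from the earlier incidents would need a separate rule.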

Before posting this blog, we notified the owners of the websites in question wherever possible. I would like to thank Alex Burt, who helped with the analysis of malware traffic for this campaign.