As you can see, this campaign started on May 9, about a week ago. It has infected a number of different websites, primarily web-based forums. The most interesting victims so far are and .

The first is a credit union in Texas: JSC FCU has been around for 50 years and has grown to serve 123,000+ members and 2,000+ Community Business Partners (CBPs) throughout the greater Houston area. Here is a screenshot of the credit union's website.



The second victim – is even more interesting. UltraVNC is one of the most popular remote desktop programs for remote administration, comparable to TeamViewer, pcAnywhere or LogMeIn: it lets a user operate a remote computer as if they were sitting in front of it.


Virtual Network Computing (VNC) is a graphical desktop sharing system that transmits keyboard and mouse events from one computer to another and relays graphical screen updates back in the other direction over a network. With over a billion copies deployed, VNC is a de facto standard for remote control: it has been built into hundreds of products, from helpdesk tools to virtualization platforms, and is available on a wide range of desktop, mobile and embedded platforms. The underlying Remote Framebuffer (RFB) protocol is documented in RFC 6143. By default UltraVNC listens on TCP port 5900 (the RFB service) and TCP port 5800 (its built-in HTTP server for the browser-based viewer).



The impact of the UltraVNC website being compromised is significant, because many technical users go to this site to download the VNC client to troubleshoot friends', family members' or clients' PCs. Since the website appears to be under the attackers' control, it is possible that the VNC binaries themselves have been replaced with a trojaned build as well. Anyone who downloaded UltraVNC from the site during this window should treat the installer as suspect and verify its hash and code signature against a known-good copy before running it. Note that we have seen compromised before, in fact six more times this year alone:

 redirected to , Mar 12, 2016
 redirected to , Feb 14, 2016
 redirected to , Feb 6, 2016
 redirected to , Jan 27, 2016
 redirected to , Jan 11, 2016
 redirected to , Jan 4, 2016
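To make that caveat concrete, here is an added example (not code from this post, and not UltraVNC's own tooling) of the two checks a downloader can run offline on a Windows installer: compare the file's SHA-256 to a known-good value obtained out of band, and parse the PE headers to see whether an Authenticode certificate table is present at all. The `build_fake_pe` helper constructs a minimal header-only PE image so the parser can be exercised without a real installer; the known-good hash is something you must obtain from a trusted source, which this example does not know.

```python
"""Offline sanity checks for a downloaded Windows installer: SHA-256 against a
known-good value, and whether the PE carries an Authenticode certificate table.

Added example, not the post's code. build_fake_pe() constructs a minimal
header-only PE image for testing; it is not a real installer.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Certificate Table data directory


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def has_certificate_table(data):
    """True if the PE's Certificate Table data directory is populated.

    This only says a signature block exists; it does NOT verify the signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    if coff + 20 > len(data):
        return False
    (size_of_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    if size_of_opt < 2 or opt + size_of_opt > len(data):
        return False
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: data directories begin at offset 96
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+: data directories begin at offset 112
        dirs = opt + 112
    else:
        return False
    entry = dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + size_of_opt:
        return False
    file_offset, size = struct.unpack_from("<II", data, entry)
    return file_offset != 0 and size != 0


def check_installer(data, expected_sha256):
    """The two checks a downloader can perform without Windows tooling."""
    return {"hash_ok": sha256_hex(data) == expected_sha256.lower(),
            "has_signature_block": has_certificate_table(data)}


def build_fake_pe(signed, pe32plus=True):
    """Constructed minimal PE (DOS stub + headers only) to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE header
    dirs_off = 112 if pe32plus else 96
    size_of_opt = dirs_off + 16 * 8                       # 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       1, 0, 0, 0, size_of_opt, 0x22)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if signed:
        entry = dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
        struct.pack_into("<II", opt, entry, 0x1000, 0x800)  # bogus offset, size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_fake_pe(signed=True)
    print(check_installer(sample, sha256_hex(sample)))
```

A populated certificate table only means a signature block is present; actually verifying it, and checking that the signer is who you expect, takes `signtool verify /pa` on Windows or `Get-AuthenticodeSignature` in PowerShell. An installer with no signature block, or a hash that differs from a copy obtained from a trusted mirror, should not be run.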


The infection chain in all of the cases in this campaign is as follows:

 hacked (infected) site, e.g.
   -> redirector
   -> Angler payload page    xxxxx
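The three-hop shape above (compromised site, redirector, exploit-kit landing page) is visible in web proxy logs as a Referer chain that crosses hosts at every hop and ends on a host the client never typed in. The following added example (not code or data from this post) reconstructs such chains per client from a few constructed log lines; the hostnames and addresses are invented for illustration and are not indicators from this campaign.

```python
"""Reconstruct drive-by chains (compromised site -> redirector -> exploit-kit
landing page) from web proxy logs by following Referer links per client.

Added example, not the post's code; the log lines and hostnames below are
constructed for illustration and are not campaign indicators.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, client IP, requested URL, Referer ("-" if none).
SAMPLE_LOG = """\
2016-05-16T10:01:02Z 10.0.0.5 http://forum.victim-example.test/index.php -
2016-05-16T10:01:03Z 10.0.0.5 http://forum.victim-example.test/style.css http://forum.victim-example.test/index.php
2016-05-16T10:01:03Z 10.0.0.5 http://cdn.redirector-example.test/js/lib.js http://forum.victim-example.test/index.php
2016-05-16T10:01:04Z 10.0.0.5 http://qk7xd.shadowed-example.test/xyz.php http://cdn.redirector-example.test/js/lib.js
2016-05-16T10:01:05Z 10.0.0.5 http://qk7xd.shadowed-example.test/xyz.php?d=1 http://qk7xd.shadowed-example.test/xyz.php
2016-05-16T10:05:00Z 10.0.0.7 http://forum.victim-example.test/index.php -
2016-05-16T10:05:01Z 10.0.0.7 http://forum.victim-example.test/style.css http://forum.victim-example.test/index.php
"""


def parse_log(text):
    """Parse the space-separated format above into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer = line.split()
        records.append({"ts": ts, "client": client, "url": url,
                        "referer": None if referer == "-" else referer})
    return records


def hostname(url):
    return urlsplit(url).hostname


def referer_chains(records, min_hops=3):
    """For each client, follow Referer links and return the longest chain of
    distinct hosts, keeping only chains of at least min_hops.

    A same-host hop (a page fetching its own stylesheet) does not extend the
    chain; a cross-host hop linked by Referer does. A 3-hop chain whose last
    host was never requested without a Referer is the drive-by shape."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)

    found = []
    for client, recs in by_client.items():
        chain_to = {}  # URL -> list of hosts that led this client to it
        for rec in recs:
            ref = rec["referer"]
            if ref is None:
                chain_to[rec["url"]] = [hostname(rec["url"])]
                continue
            prior = chain_to.get(ref, [hostname(ref)])
            this_host = hostname(rec["url"])
            chain = prior if prior[-1] == this_host else prior + [this_host]
            chain_to[rec["url"]] = chain
        longest = max(chain_to.values(), key=len, default=[])
        if len(longest) >= min_hops:
            found.append((client, longest))
    return found


if __name__ == "__main__":
    for client, chain in referer_chains(parse_log(SAMPLE_LOG)):
        print(client, " -> ".join(chain))
```

On real logs the Referer can be absent or stripped, and the landing page usually sits on a freshly created subdomain (see the domain-shadowing note further down), so pairing the chain with "first time this host was seen in our proxy" is what turns this into a usable alert.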


Here is a screenshot of the JS code used in the redirector.



Here is a screenshot of the Angler JS code used on the payload pages.



It is of interest to note that the use of domains by malicious actors increased by roughly 150% year-over-year in 2016. We believe that rather than registering new domains, the attackers most likely compromised the registrar's customer accounts and added subdomain DNS records pointing at their own infrastructure (the technique commonly called domain shadowing). The parent domains stay legitimate and keep their reputation, which is exactly why the subdomains slip past reputation-based filters.



Example: is a legitimate commercial website; is an attacker-created subdomain pointing at the Angler Exploit Kit.
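Shadowed subdomains like this one can be picked out of passive-DNS data: a label under a long-established domain that appeared only recently and resolves to address space the domain's apex and www records have never used. The following added example (not code or data from this post) implements that heuristic over a handful of constructed records using RFC 5737 documentation addresses; the domain names are invented, and the assumption that the registrable domain is the last two labels is a simplification for the example (real data needs a public-suffix list).

```python
"""Flag likely shadowed subdomains in passive-DNS data: labels under an
established domain that appeared recently and resolve outside the address
space the domain's apex and www records use.

Added example, not the post's code; records are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed passive-DNS records: first_seen, hostname, A record.
SAMPLE_PDNS = """\
2014-03-02 legit-shop.example 203.0.113.10
2014-03-02 www.legit-shop.example 203.0.113.10
2015-08-19 mail.legit-shop.example 203.0.113.25
2016-05-09 qk7xd.legit-shop.example 198.51.100.77
2016-05-10 b2h9p.legit-shop.example 198.51.100.78
2016-05-11 shop2.legit-shop.example 203.0.113.40
"""


def parse_pdns(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        first_seen, name, ip = line.split()
        records.append({"first_seen": date.fromisoformat(first_seen),
                        "name": name.lower().rstrip("."), "ip": ip})
    return records


def apex_of(name):
    """Assumption for this example: the registrable domain is the last two
    labels. Real data needs public-suffix handling (co.uk and friends)."""
    return ".".join(name.split(".")[-2:])


def baseline_networks(records, prefix=24):
    """Networks (/24 by default) used by each domain's apex and www records,
    i.e. hosting the legitimate owner demonstrably controls."""
    nets = defaultdict(set)
    for rec in records:
        apex = apex_of(rec["name"])
        if rec["name"] in (apex, "www." + apex):
            nets[apex].add(ipaddress.ip_network(f"{rec['ip']}/{prefix}", strict=False))
    return nets


def shadowed_candidates(records, since):
    """Subdomains first seen on or after `since` whose address lies outside
    every baseline network of their parent domain."""
    nets = baseline_networks(records)
    hits = []
    for rec in records:
        apex = apex_of(rec["name"])
        if rec["name"] in (apex, "www." + apex) or rec["first_seen"] < since:
            continue
        addr = ipaddress.ip_address(rec["ip"])
        if not any(addr in net for net in nets[apex]):
            hits.append(rec["name"])
    return hits


if __name__ == "__main__":
    for name in shadowed_candidates(parse_pdns(SAMPLE_PDNS), since=date(2016, 5, 1)):
        print("possible shadowed subdomain:", name)
```

The `since` cutoff and the /24 granularity are the two knobs: a business that legitimately spins up new subdomains on a new CDN will trip this, so the output is a triage list, not a blocklist. The ranking improves noticeably if you also score the label for randomness and check whether the target address is already associated with other recently created subdomains of unrelated domains.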

Before posting this blog, we notified the owners of the websites in question wherever possible. I would like to thank Alex Burt, who helped with the analysis of malware traffic for this campaign.