On Friday Apr 6 2016, at 07:18:59 PDT, Cyphort Labs discovered that yourstory.com was infected with an exploit kit and was serving Locky ransomware. In this drive-by infection, the malware encrypted the victim's files as well as any file it could reach over file shares. A ransom note then opened on screen instructing the victim to pay quickly in bitcoins or risk seeing the ransom amount double.
Yourstory is a leading Indian technology media company. Its website publishes entrepreneurial and startup stories from its readership and receives more than 150,000 visitors a day. On the day of the infection the site was ranked 3,078 globally in the Alexa site rankings, and 271 in India.
Cyphort immediately contacted the site owners and shared information necessary for them to put an end to the infection spread. As of the next day, the site was no longer spreading malware.
Yourstory runs the OpenX ad server to manage the ads on its site. During our analysis we found that openx.yourstory.com contained an injected IFRAME that led the victim to an intermediate redirection server, which in turn redirected the victim to the Angler exploit kit's landing page, which exploited the user's browser and dropped the malware.
Infection Chain Analysis
The following Fiddler session shows the first-stage iframe injection on the home page of openx.yourstory.com.
Further down the exploit chain, the first-stage redirector carries one more iframe, which sends the victim's browser to the exploit kit's landing page.
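As an added defender-side illustration (not part of the original post or of Cyphort's tooling), the following Python check flags iframes in a page served by an ad server that point off-origin, are sized to a pixel or two, or are hidden by style, the traits of an injected first-stage iframe like the one described above. The sample HTML and the first-party host ads.example.org are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-origin ad iframe and one
# injected, hidden, off-origin iframe of the kind described in the post.
SAMPLE_HTML = """<html><body>
<iframe src="/www/delivery/afr.php?zoneid=12" width="300" height="250"></iframe>
<iframe src="http://redirector.invalid/gate.php?id=7" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""
# Hosts the ad server may legitimately frame (constructed placeholder).
FIRST_PARTY_HOSTS = {"ads.example.org"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})

def _is_tiny(value):
    """True for a width/height of 2px or less, a common way to hide a frame."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 2

def find_suspicious_iframes(html, first_party_hosts):
    """Return (src, reasons) for each iframe that is off-origin, tiny or hidden."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative, same-origin URLs
        reasons = []
        if host and host.lower() not in first_party_hosts:
            reasons.append("off-origin host: " + host)
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("tiny frame")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings
```

Running the check on every page the ad server returns, and alerting on any new off-origin host, catches the injection stage before a visitor ever reaches the redirector.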
While analyzing the landing page and URI pattern, we found that the infection was performed by the well-known Angler exploit kit. The EK's landing page is heavily obfuscated. The exploit kit performs multiple checks for installed software, drivers, operating system, etc., so that it can exploit precisely. Since we are very familiar with Angler EK's internals, we quickly de-obfuscated and dissected its landing page to extract the shellcode and the exploit dropper.
In this screenshot you can see the Flash exploit dropper URL and the FlashVars that are passed as arguments to the Flash exploit.
The following screenshot shows the extracted FlashVars:
We also found that Angler carries an IE exploit for CVE-2014-6332 deep inside the landing page. The following screenshot shows how it triggers the vulnerability through VBScript.
The exploit described above successfully compromises the browser and infects the victim with Locky ransomware.
Avoid Ransomware Infection
Ransomware is very damaging, and we recommend the following best practices:
- Keeping your system and applications patched in a timely fashion goes a long way toward protecting you from drive-by infection. Most modern operating systems and applications offer automatic updates; power to the defenders.
- Stop wandering around on the web if you can. When you do need to visit some sites, doing so from a non-Windows platform may reduce your chance of infection, at least until the bad actors start to target non-Windows endpoints more.
- Enterprises should adopt the new defense paradigm of continuous monitoring, diagnostics, and mitigation, and implement education and threat intelligence sharing so that employees are warned away from infected websites.
- Have backups handy, and preferably not on drives constantly connected to the computers.
I would like to thank Alex Burt and Paul Kimayong for their help.