Read the original article: Maimed Ramnit Still Lurking in the Shadow
Newspapers have the ability to do more than simply keep us current
with worldly affairs; we can use them to squash bugs! Yet, as we move
from waiting on the newspaper delivery boy to reading breaking news on
ePapers, we lose the subtle art of bug squashing. Instead, we
end up exposing ourselves to dangerous digital bugs that can affect
our virtual worlds.
This is exactly what happened to visitors of one of the top five
news sites of China. Any users running Internet Explorer (IE) who
navigated to the website may have been exposed to an old, yet
persistent VBScript worm that has the ability to self-replicate
recursively from infected machines. Incidentally, the major actors
involved with this old campaign have been taken down, yet traces of
their injected recursive malware have still managed to sneak on to one
of the highest browsed sites in China.
The FireEye
Dynamic Threat Intelligence (DTI) first discovered that the site
was compromised and used to host VBS/Ramnit on Jan. 28, 2016. We can
confirm that the infection is still live as of the time of this
writing. IE users who visit the site may be compromised if they browse
to a specific page (paperindex[.]htm) and click ‘Yes’ to run ActiveX,
which may appear to be safe since the website is familiar and popular.
There is no exploit used for infection, simply social engineering and
errant clicks.
As shown in Figure 1, a malicious VBScript is appeneded after the
HTML body. Upon landing on this page, the victim’s browser will load
the news content while it executes a malicious ActiveX component in
the background.
Figure 1: Legitimate HTML page appended with
malicious VBScript
As shown in Figure 2 and Figure 3, the VBScript drops a binary named
“svchost.exe” in the %TEMP% folder and executes it upon successful
ActiveX execution. In a case where the system is compromised, it also
tries to connect to a CnC server, fget-career[.]com, which has been
involved in campaigns for this trojan before.
Figure 2: The VBScript drops the binary in the
%TEMP% folder and executes it
Figure 3: The full path to “svchost.exe” (using
Internet Explorer 11 on Windows 7)
Successful execution of the VBScript and the delivery of W32.Ramnit
onto the victim’s machine depends on the user’s browser, as well as
the browser’s setting. Since Chrome and Firefox do not support
client-side VBScript, only IE users are susceptible to this attack.
Fortunately, recent versions of IE do not run code automatically by
default. Instead, users will see two popup warnings when the browser
is rendering potentially dangerous objects such as ActiveX components,
as shown in Figure 4 and Figure 5.
Figure 4: First warning for blocked content in
IE 11
Figure 5: Second warning for blocked content in
IE 11
Only when the victim clicks on “Yes” will the browser execute the
blocked content. In this case, the IE executes the VBScript, drops the
payload, and executes it in the background while the user simply sees
the usual news page.
As long as users click “No” to disallow ActiveX components, they
will remain safe from W32.Ramnit. However, this type of social
engineering continues to be successful. When a legitimate site is
compromised to host exploits or malware, the positive reputation of
the site is leveraged to trick users into clicking “Yes” and becoming
infected. The potential impact of this particular threat is compounded
by the fact that the compromised site is ranked in the Alexa Top 100
for most visited sites internationally, and is in the Top 25 for most popular
websites in China [1].
FireEye appliances detect this infection at multiple levels.
FireEye’s multiflow detection traces out the complete attack chain, as
well as CnC communication. While the CnC host has been suspended for a
long time, the worm’s presence alone can be a pain for the victim
because it adds itself into all HTML files that it can access.
Additionally, it adds itself to the startup registry and impacts the
machine’s performance.
So the question that you need to ask yourself is this: If a Top 100
Alexa domain is still infected by this veteran malware, are you?
Read the original article: Maimed Ramnit Still Lurking in the Shadow