Zscaler Blog

Security Research
BESCOM users being redirected to RIG EK

Rohit Hegde
September 13, 2017 - 2 min read

BESCOM (Bangalore Electricity Supply Company Limited) is responsible for power distribution in eight districts of the Indian state of Karnataka. Its service area covers roughly 15,900 square miles and a population of roughly 20 million people.

Zscaler ThreatLabZ researchers recently discovered that malicious actors strategically placed malicious redirects on the bill payment page of the BESCOM portal. These redirects were active on 11 September 2017 and made the website unusable.

We also observed redirects to the RIG exploit kit (EK) coming from bescom[.]org/en/paybill/, which was sending users to the RIG landing page URL, below:

188.225.82[.]40/?NTU4NzYx&party=UDVXgiUfTfABgyYxZBggX8v37h0XQzkOYhp7X-.....

Figure 1: RIG EK redirect hits from bescom[.]org/en/paybill/

Subsequent attempts to load bescom[.]org/en/paybill resulted in redirects to cryptocurrency scam sites and YouTube videos for cryptocurrency scams.

The redirect occurs because of a meta refresh tag on the BESCOM page, which, in this instance, redirects users to http://btc100x[.]rocks.

Figure 2: btc100x[.]rocks redirect
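Injected meta-refresh redirects of the kind described above are easy to miss in a browser (the page simply navigates away) but straightforward to catch from the raw HTML. The following script is an added example, not code from the Zscaler post: it parses a page with the standard library, collects every `<meta http-equiv="refresh">` tag, and reports the ones whose target host differs from the host the page was served from. The sample HTML is constructed for this example and reuses the defanged redirect domain from the post; the `refang` helper and all function names are this example's own.

```python
"""Find <meta http-equiv="refresh"> tags that send visitors off-site.

Added example (not from the original post). Given a page's HTML and the host
it was fetched from, report any meta refresh whose target is a different host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def refang(text):
    """Turn a defanged indicator such as btc100x[.]rocks back into a real host."""
    return text.replace("[.]", ".")


class _MetaRefreshParser(HTMLParser):
    """Collect the content attribute of every <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attrmap = {k.lower(): (v or "") for k, v in attrs}
        if attrmap.get("http-equiv", "").strip().lower() == "refresh":
            self.refreshes.append(attrmap.get("content", ""))


def parse_refresh_content(content):
    """Split '0; url=http://host/path' into (delay_seconds, target_url).

    Returns None when the delay is not an integer. A content value with no
    URL (a plain reload such as "30") yields an empty target.
    """
    parts = content.split(";", 1)
    try:
        delay = int(parts[0].strip())
    except ValueError:
        return None
    if len(parts) == 1:
        return delay, ""
    rest = parts[1].strip()
    if rest.lower().startswith("url"):
        rest = rest[3:].lstrip().lstrip("=").strip()
    return delay, rest.strip("'\"")


def find_offsite_refreshes(html, served_host):
    """Return a list of off-site meta refreshes found in html.

    Each finding is a dict with the delay, the (refanged) target URL and the
    target host. Relative targets and same-host targets are not reported.
    """
    parser = _MetaRefreshParser()
    parser.feed(html)
    findings = []
    for content in parser.refreshes:
        parsed = parse_refresh_content(content)
        if parsed is None:
            continue
        delay, target = parsed
        target = refang(target)
        host = urlparse(target).hostname
        if host and host.lower() != refang(served_host).lower():
            findings.append({"delay": delay, "target": target, "host": host})
    return findings


# Constructed sample page, modelled on the injected redirect the post describes.
SAMPLE_HTML = """
<html><head>
<title>BESCOM - Pay Bill</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="refresh" content="0; url=http://btc100x[.]rocks">
</head><body><h1>Bill payment</h1></body></html>
"""

if __name__ == "__main__":
    for hit in find_offsite_refreshes(SAMPLE_HTML, "bescom[.]org"):
        print("off-site meta refresh after %ds -> %s" % (hit["delay"], hit["target"]))
```

Run periodically against a copy of a public page you own, the check flags exactly the change BESCOM visitors hit on 11 September 2017: a zero-delay refresh to a host outside the site's own domain. The same structure extends to off-site `<iframe>` or `<script src>` targets by collecting those tags in `handle_starttag`.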

The second redirect we observed was to a YouTube video scam encouraging users to transfer their Bitcoins in order to multiply them. The redirect and the screenshot of the video can be seen below.

Figure 3: Scam YouTube video redirect

Figure 4: Scam YouTube video

Overview of the RIG EK cycle at 188.225.82[.]40

When we tested the RIG redirect we found that it was still active.

Figure 5: Capture of RIG cycle from the redirected IP

The obfuscated JavaScript can be seen below.

Figure 6: Obfuscated JavaScript on the RIG EK landing page

This redirect leads to the download of a Flash file that fingerprints the system to determine whether it is vulnerable. A snippet of the decompiled Flash is shown in the following image.

Figure 7: Decompiled Flash file

The payload that was downloaded is shown below.

Figure 8: Malware payload download attempt

The payload fails during execution and throws an error message.

Figure 9: Failed malware execution

Indicators of compromise (IoCs):

IP addresses:
188.225.82[.]40
188.225.82[.]43

Conclusion

Zscaler ThreatLabZ notified BESCOM of the compromise on September 11, 2017, and, while we did not receive any response, it appears that the company was quick to remediate the issue. Zscaler ThreatLabZ is actively monitoring this campaign to ensure protection for Zscaler customers.
