Update: The incident has been taken care of by Cosmos Bank and its website (URL) is now clean and safe to use.
Compromising popular websites has become a common strategy for attackers to spread infection in a widespread fashion. Attackers exploit unpatched vulnerabilities present on web servers in order to compromise websites. In addition to this, brute forcing login credentials for web admin consoles or FTPs (File Transfer Protocol) is also a preferred way for attackers to gain illegal access to web servers. By using all such techniques, attackers compromise websites and redirect users to other malicious websites.
This blog post discusses how the website of a popular bank in India, the Cosmos Bank, was compromised with the infamous RIG Exploit Kit. The bank’s website ‘https://www.cosmosbank[.]com’ was infected with the RIG Exploit Kit which was delivering the Cerber Ransomware. At Quick Heal Threat Research Labs, we were able to reproduce the series of events that lead to this attack on 20th March 2017. Also, upon tracing back to the recorded logs, it was observed that the infection has been present on the website from 17th March 2017 till date. The bank was notified about the infection on 20th March 2017.
Here’s how it all happened
The below diagram represents a graphical explanation about how this infection took place.
- Compromised domain: www.cosmosbank[.]com (port 443)
- RIG EK Landing Page domain: rew.bdwtesting[.]net (188.8.131.52)
- Cerber Post Infection domain: p27dokhpz2n7nvgr.1js3tl[.]top (184.108.40.206)
The infection was spotted on the index page of the Cosmos Bank website. An iframe was injected at the top of the web page, which was redirecting it to a RIG Exploit Kit landing page. The RIG Exploit Kit domain was “rew.bdwtesting[.]net”. The infection is a part of the pseudo-Darkleech campaign (a long-running campaign that uses exploit kits (EKs) to deliver malware).
After de-obfuscation of the landing page, the exploit kit launches an Adobe Flash exploit.
The Flash exploit payload looks like this.
Upon successful exploitation of Flash, the exploit code drops the Cerber Ransomware on the victim’s machine, which is followed by a ransom note as shown below.
The post-infection activity of the ransomware is shown below.
The Anti-Ransomware and Behavior Based Detection features of Quick Heal and Seqrite products successfully detected the Cerber Ransomware discussed in this blog post.
Indicator of Compromise (IOCs)
rew.bdwtesting[.]net (RIG Exploit Kit)
p27dokhpz2n7nvgr.1js3tl[.]top (Cerber CnC)
8B778E29C7651404A39117B61C4EC8B6 (SWF, Adobe Flash Exploit)
08B921E9749B2C0EF720F84BBB0E5CF5 (EXE, Cerber Ransomware)
Unpatched web servers (web servers that are not applied with the latest software updates) are being targeted by cybercriminals who launch complex attacks where they make use of exploit kits as shown in this particular incident. The RIG Exploit Kit is being heavily used to compromise websites in order to deliver ransomware. We strongly recommend users to update their Windows Operating Systems with the latest security patches and use security solutions such as Quick Heal or Seqrite which has multiple layers of security to fend off such threats.
Subject Matter Experts
- Vishal Singh
- Vishal Dodke
- Pradeep Kulkarni
– Threat Research and Response Team