Zscaler to Expand Zero Trust Exchange Platform's AI Cloud with Data Fabric Purpose-built for Security

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Abuse of hidden “well-known” directory in HTTPS sites

image
MOHD SADIQUE
March 26, 2019 - 12 min read

WordPress and Joomla are among the most popular Content Management Systems (CMSs). They have also become popular for malicious actors, as cybercriminals target sites on these platforms for hacking and injecting malicious content. During the past few weeks, ThreatLabZ researchers have detected several WordPress and Joomla sites that were serving Shade/Troldesh ransomware, backdoors, redirectors, and a variety of phishing pages. The most well-known threats to CMS sites are the result of vulnerabilities introduced by plugins, themes, and extensions.

In this blog, we are focusing on the Shade/Troldesh ransomware and phishing pages that we detected last month from several hundred compromised CMS sites. Shade ransomware has been quite active in the wild and we have been seeing a number of compromised WordPress and Joomla sites being used to spread the ransomware.

The compromised WordPress sites we have seen are using versions 4.8.9 to 5.1.1 and they use SSL certificates issued by Automatic Certificate Management Environment (ACME)-driven certificate authorities, such as Let’s Encrypt, GlobalSign, cPanel, and DigiCert, among others. These compromised WordPress sites may have outdated CMS plugins/themes or server-side software which potentially could also be the reason for the compromise.

Image

Fig 1: Hits of Shade and phishing in detected CMS sites

During the past month, our cloud blocked transactions for compromised WordPress and Joomla due to Shade ransomware payloads (13.6 percent) and phishing pages (27.6 percent), with the remaining blocks due to coinminers, adware, and malicious redirectors.

We have been monitoring the compromised HTTPS sites for a few weeks and have noticed that attackers are favoring a well-known hidden directory present on the HTTPS website for storing and distributing Shade ransomware and phishing pages.

The hidden /.well-known/ directory in a website is a URI prefix for well-known locations defined by IETF and commonly used to demonstrate ownership of a domain. The administrators of HTTPS websites that use ACME to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ directories to show the certificate authority (CA) that they control the domain. The CA will send them specific code for an HTML page that must be located in this particular directory. The CA will then scan for this code to validate the domain.

The attackers use these locations to hide malware and phishing pages from the administrators. The tactic is effective because this directory is already present on most HTTPS sites and is hidden, which increases the life of the malicious/phishing content on the compromised site.

The different types of threats that we found under the hidden directory in the past month are shown in the below image.

Image

Fig 2: Threats in hidden directory

Image

Fig 3: Shade ransomware vs. phishing pages in the hidden directory

 

Case I: Shade/Troldesh ransomware under the hidden directory
 

The graph below shows the Shade/Troldesh ransomware under the hidden directory that we detected last month.

Image

Fig 4: Shade/Troldesh ransomware hits over one month

In the case of Shade/Troldesh ransomware, every compromised site has three types of files: HTML, ZIP, and EXE (.jpg), as shown below.

Image

Fig 5: Shade in hidden SSL validation directory

inst.htm and thn.htm are HTML files that redirect to download ZIP files.
reso.zip, rolf.zip, and stroi-invest.zip are ZIP files that contain the JavaScript file.
msg.jpg and msges.jpg are EXE files that are the Shade ransomware.

Image

Fig 6: Shade Infection chain

Troldesh is typically spread by malspam with a ZIP attachment or a link to an HTML redirector page, which downloads the ZIP file. The malspam pretends to be an order update coming from a Russian organization. An example of an email that has the link of the HTML redirector is shown below.

Image

Fig: 7 Malspam mail
 

Image

Fig 8: Redirector to download ZIP

The ZIP file contains only the JavaScript file with a Russian name. The JavaScript is highly obfuscated and encrypted strings are decrypted at runtime by the below function.

Image

Fig 9: Decryption function

After decryption, the JavaScript has the functionalities shown below. It tries to connect one of the two URLs, downloads the payload in %TEMP%, and executes it.

Image

Fig 10: Simplified JavaScript code

The downloaded payload is the new variant of Shade/Troldesh ransomware, which has been around since 2014. It has two layers of packers: custom and UPX. After unpacking, it saves its configurations in “HKEY_LOCAL_MACHINE\SOFTWARE\System32\Configuration”.

Image

Fig 11: Shade configuration

xcnt = Count of encrypted files
xi = ID of infected machine
xpk = RSA public key for encryption
xVersion = Version of current Shade ransomware

The command-and-control (C&C) server is a4ad4ip2xzclh6fd[.]onion. It drops a TOR client in %TEMP% to connect to its C&C server. For each file, the file content and file name are encrypted with AES-256 in CBC mode with two different keys. After encryption, it changes the filename to BASE64(AES(file_name)).ID_of_infected_machine.crypted000007.

Image

Fig 12: Encrypted files

It drops a copy of itself in %ProgramData%\Windows\csrss.exe and makes a run entry for this copy with the name “BurnAware.” It drops README1.txt to README10.txt on the desktop and changes the wallpaper as shown below.

Image

Fig 13: Shade wallpaper

README.txt has ransom note in both Russian and English languages.

Image

Fig 14: Shade ransom note

Image

Fig 15: Zscaler sandbox report for Shade/Troldesh ransomware

 

Case II: Phishing pages under the hidden directory


The graph below shows the different types of phishing pages under the hidden directory that we detected last month.

Image

Fig 16: Phishing hits over one month

The phishing pages we have seen up to this point, which are hosted under SSL-validated hidden directories, are related to Office 365, Microsoft, DHL, Dropbox, Bank of America, Yahoo, Gmail, and others.

Image

Fig 17: OneDrive phishing page

Image

Fig 18: Yahoo phishing page

Image

Fig 19: DHL phishing page

 

IOCs:

aioshipping[.]com/.well-known/acme-challenge/msg.jpg
yourcurrencyrates[.]com/.well-known/pki-validation/mxr.pdf
rangtrangxinh[.]vn/.well-known/acme-challenge/msg.jpg
judge[.]education/.well-known/pki-validation/ssj.jpg
hoadaklak[.]com/.well-known/acme-challenge/ssj.jpg
nguyenlinh[.]vn/.well-known/acme-challenge/msg.jpg
rdsis[.]in/.well-known/pki-validation/msg.jpg
khanlanhdaklak[.]com/.well-known/acme-challenge/ssj.jpg
presse[.]schmutzki.de:80/.well-known/acme-challenge/messg.jpg
aioshipping[.]com:80/.well-known/acme-challenge/msg.jpg
yourcurrencyrates[.]com:80/.well-known/pki-validation/mxr.pdf
vinhomeshalongxanh[.]xyz:80/.well-known/pki-validation/ssj.jpg
titusrealestate[.]com.fj:80/.well-known/pki-validation/msg.jpg
dichvucong[.]vn:80/.well-known/acme-challenge/msg.jpg
myphamnarguerite[.]com:80/.well-known/acme-challenge/mxr.pdf
minifyurl[.]net:80/.well-known/pki-validation/mxr.pdf
judge[.]education:80/.well-known/pki-validation/ssj.jpg
minifyurl[.]net/.well-known/pki-validation/mxr.pdf
neccotweethearts[.]com:80/.well-known/pki-validation/mxr.pdf
backuptest[.]tomward.org.uk:80/.well-known/pki-validation/ssj.jpg
mobshop[.]schmutzki.de:80/.well-known/acme-challenge/messg.jpg
neccotweethearts[.]com/.well-known/pki-validation/mxr.pdf
myphamnarguerite[.]com/.well-known/acme-challenge/mxr.pdf
khanlanhdaklak[.]com:80/.well-known/acme-challenge/ssj.jpg
presse[.]schmutzki.de/.well-known/acme-challenge/messg.jpg
mobshop[.]schmutzki.de/.well-known/acme-challenge/messg.jpg
globalkabar[.]com/.well-known/pki-validation/sserv.jpg
ereservices[.]com:80/.well-known/pki-validation/ssj.jpg
dulichvietlao[.]vn:80/.well-known/acme-challenge/ssj.jpg
backuptest[.]tomward.org.uk/.well-known/pki-validation/ssj.jpg
mamycloth[.]store:80/.well-known/acme-challenge/msg.jpg
business[.]driverclub.co:80/.well-known/pki-validation/msg.jpg
vinhomeshalongxanh[.]xyz/.well-known/pki-validation/ssj.jpg
dichvucong[.]vn/.well-known/acme-challenge/msg.jpg
thuducland[.]net/.well-known/acme-challenge/sserv.jpg
sahabathasyim[.]com/.well-known/acme-challenge/sserv.jpg
rangtrangxinh[.]vn:80/.well-known/acme-challenge/msg.jpg
lovecookingshop[.]com:80/.well-known/pki-validation/ssj.jpg
ereservices[.]com/.well-known/pki-validation/ssj.jpg
hoadaklak[.]com:80/.well-known/acme-challenge/ssj.jpg
ceroshop[.]net/.well-known/acme-challenge/nba1.jpg
thuducland[.]net:80/.well-known/acme-challenge/sserv.jpg
lovecookingshop[.]com/.well-known/pki-validation/ssj.jpg
entrenadorpersonalterrassa[.]com.es:80/.well-known/acme-challenge/mxr.pdf
epifaniacr[.]net:80/.well-known/pki-validation/ssj.jpg
titusrealestate[.]com.fj/.well-known/pki-validation/msg.jpg
globalkabar[.]com:80/.well-known/pki-validation/sserv.jpg
sahabathasyim[.]com:80/.well-known/acme-challenge/sserv.jpg
dulichvietlao[.]vn/.well-known/acme-challenge/ssj.jpg
argfoodfest[.]e-zero.com.ar:80/.well-known/pki-validation/ssj.jpg
aa[-]publisher.com:80/.well-known/mxr.pdf
duandojiland[-]sapphire.com:80/.well-known/pki-validation/ssj.jpg
master[-]of-bitcoin.net/.well-known/pki-validation/messg.jpg
ea[-]no7.net/.well-known/pki-validation/messg.jpg
tropictowersfiji[.]com/.well-known/pki-validation/msg.jpg
test[.]digimarkting.com/.well-known/pki-validation/msges.jpg
tebarameatsfiji[.]com/.well-known/pki-validation/msg.jpg
sbs[.]ipeary.com/.well-known/pki-validation/msges.jpg
sbs[.]ipeary.com/.well-known/pki-validation/msg.jpg
samyaksolution[.]co.in/.well-known/pki-validation/msges.jpg
samyaksolution[.]co.in/.well-known/pki-validation/msg.jpg
rosyheartsfiji[.]com/.well-known/pki-validation/pik.zip
needcareers[.]com/.well-known/pki-validation/msges.jpg
natristhub[.]club/.well-known/pki-validation/msges.jpg
natristhub[.]club/.well-known/pki-validation/msg.jpg
mytripland[.]com:80/.well-known/pki-validation/sserv.jpg
learning[.]ipeary.com/.well-known/pki-validation/msg.jpg
ipeari[.]com/.well-known/pki-validation/msg.jpg
diennangmattroi[.]com/.well-known/pki-validation/msges.jpg
diennangmattroi[.]com/.well-known/pki-validation/msg.jpg
alonhadat24h[.]vn/.well-known/acme-challenge/update_2018_02.browser-components.zip
24bizhub[.]com/.well-known/pki-validation/msges.jpg
24bizhub[.]com/.well-known/pki-validation/msg.jpg
thinkmonochrome[.]co.uk/.well-known/acme-challenge/messg.jpg
test[.]digimarkting.com/.well-known/pki-validation/msg.jpg
needcareers[.]com/.well-known/pki-validation/msg.jpg
hanggiadungduc[.]vn/.well-known/acme-challenge/reso.zip
designitpro[.]net/.well-known/acme-challenge/msg.jpg
zanatika[.]com:80/.well-known/acme-challenge/ssj.jpg
vina[.]fun:80/.well-known/acme-challenge/ssj.jpg
nexusdental[.]com.mx/.well-known/acme-challenge/ssj.jpg
neccotweethearts[.]com:80/.well-known/pki-validation/ssj.jpg
jayc[-]productions.com:80/.well-known/acme-challenge/ssj.jpg
indochine[-]mekong.com:80/.well-known/acme-challenge/ssj.jpg
hexamersolution[.]com/.well-known/acme-challenge/msg.jpg
hexacode[.]lk:80/.well-known/acme-challenge/ssj.jpg
dongha[.]city:80/.well-known/acme-challenge/ssj.jpg
domika[.]vn/.well-known/acme-challenge/msg.jpg
coupanadda[.]in:80/.well-known/pki-validation/ssj.jpg
choviahe[.]cf:80/.well-known/acme-challenge/ssj.jpg
brace[-]dd.com/.well-known/pki-validation/msg.jpg
angkaprediksi[.]fun/.well-known/acme-challenge/msg.jpg
advancitinc[.]com/.well-known/pki-validation/msg.jpg
vodai[.]bid/.well-known/pki-validation/ssj.jpg
thucphammena[.]com/.well-known/acme-challenge/ssj.jpg
thefoodgram[.]com/.well-known/acme-challenge/tehnikol.zip
thefoodgram[.]com/.well-known/acme-challenge/stroi-industr.zip
shopkimhuyen[.]com/.well-known/acme-challenge/msg.jpg
shine[.]bmt.city/.well-known/acme-challenge/ssj.jpg
sbs[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip
needcareers[.]com/.well-known/pki-validation/tehnikol.zip
needcareers[.]com/.well-known/pki-validation/stroi-industr.zip
maithanhduong[.]com/.well-known/pki-validation/pik.zip
luongynhiem[.]com/.well-known/pki-validation/gkpik.zip
lichxuansaigon[.]com:80/.well-known/acme-challenge/ssj.jpg
kinder[-]express.de/.well-known/acme-challenge/reso.zip
khannen[.]com.vn/.well-known/acme-challenge/ssj.jpg
jayc[-]productions.com/.well-known/acme-challenge/ssj.jpg
jambanswers[.]org/.well-known/pki-validation/ssj.jpg
intercontinentalglobalservice[.]com:80/.well-known/pki-validation/ssj.jpg
gurusexpo[.]com.ng/.well-known/pki-validation/ssj.jpg
gotrungtuan[.]online/.well-known/acme-challenge/ssj.jpg
goindelivery[.]com/.well-known/pki-validation/major.zip
fernandoherrera[.]me:80/.well-known/acme-challenge/ssj.jpg
diennangmattroi[.]com/.well-known/pki-validation/stroi-industr.zip
canhooceangate[.]com/.well-known/acme-challenge/sserv.jpg
bramptonpharmacy[.]ca/.well-known/acme-challenge/msg.jpg
bolt[-]fast.com/.well-known/pki-validation/gkpik.zip
bmt[.]today/.well-known/acme-challenge/ssj.jpg
blog[.]ponta-fukui.com/.well-known/pki-validation/pik.zip
bhartivaish[.]com:80/.well-known/acme-challenge/ssj.jpg
attireup[.]com/.well-known/acme-challenge/tehnikol.zip
attireup[.]com/.well-known/acme-challenge/stroi-industr.zip
acreationevents[.]com/.well-known/acme-challenge/msg.jpg
yeu82[.]com/.well-known/acme-challenge/ssj.jpg
yeu81[.]com/.well-known/acme-challenge/ssj.jpg
yeu49[.]com/.well-known/acme-challenge/ssj.jpg
yeu48[.]com/.well-known/acme-challenge/ssj.jpg
vuacacao[.]com/.well-known/acme-challenge/ssj.jpg
vision[-]ex.de/.well-known/acme-challenge/reso.zip
vinaykhatri[.]in/.well-known/acme-challenge/ssj.jpg
vinaykhatri[.]in/.well-known/acme-challenge/mxr.pdf
variantmag[.]com/.well-known/acme-challenge/sserv.jpg
valentinesblues[.]com/.well-known/pki-validation/sserv.jpg
uyencometics[.]bmt.city/.well-known/acme-challenge/ssj.jpg
tysonfury[.]rocks/.well-known/acme-challenge/msg.jpg
tulipremodeling[.]com/.well-known/acme-challenge/sserv.jpg
tropictowersfiji[.]com/.well-known/pki-validation/pik.zip
thesaturnring[.]com/.well-known/acme-challenge/mxr.pdf
theotokis[.]gr/.well-known/pki-validation/mxr.pdf
thefashionelan[.]com/.well-known/pki-validation/msg.jpg
tanione[.]com:80/.well-known/acme-challenge/ssj.jpg
tanione[.]com/.well-known/acme-challenge/ssj.jpg
steeveriano[.]com/.well-known/pki-validation/msg.jpg
singleparentaustralia[.]com.au/.well-known/pki-validation/reso.zip
shafercharacter[.]org/.well-known/acme-challenge/messg.jpg
service[.]baynuri.net/.well-known/acme-challenge/messg.jpg
samyaksolution[.]co.in/.well-known/pki-validation/rolf.zip
realman[.]work/.well-known/acme-challenge/reso.zip
rarejewelry[.]net/.well-known/acme-challenge/mxr.pdf
rarejewelry[.]net/.well-known/acme-challenge/messg.jpg
qsongchihotel[.]com/.well-known/acme-challenge/ssj.jpg
panama[.]driverclub.co/.well-known/pki-validation/pic.zip
ngheve[.]com/.well-known/acme-challenge/ssj.jpg
nfc[.]com.vn/.well-known/acme-challenge/msg.jpg
next[-]vision.ro/.well-known/pki-validation/ssj.jpg
newsnaija[.]ng/.well-known/pki-validation/ssj.jpg
newsnaija[.]ng/.well-known/pki-validation/mxr.pdf
neelshivamlaw[.]com/.well-known/pki-validation/pic.inform.zip
neccotweethearts[.]com/.well-known/pki-validation/ssj.jpg
navegacaolacet[.]com.br/.well-known/acme-challenge/msg.jpg
mytripland[.]com/.well-known/pki-validation/ssj.jpg
myschoolmarket[.]com.ng/.well-known/acme-challenge/ssj.jpg
mskhangroup[.]com/.well-known/pki-validation/pic.zip
mskhangroup[.]com/.well-known/pki-validation/msg.jpg
morganbits[.]com/.well-known/acme-challenge/mxr.pdf
mo7o[.]fun:80/.well-known/acme-challenge/mxr.pdf
mitsubishidn[.]com.vn/.well-known/acme-challenge/sserv.jpg
meliscar[.]com:80/.well-known/pki-validation/ssj.jpg
meliscar[.]com/.well-known/pki-validation/ssj.jpg
manhattan[.]dangcaphoanggia.com/.well-known/acme-challenge/mxr.pdf
maithanhduong[.]com/.well-known/pki-validation/msg.jpg
lichxuansaigon[.]com/.well-known/acme-challenge/ssj.jpg
lemon[-]remodeling.com/.well-known/acme-challenge/sserv.jpg
lastra[.]top/.well-known/pki-validation/msg.jpg
laflamme[-]heli.com/.well-known/acme-challenge/ssj.jpg
laflamme[-]heli.com/.well-known/acme-challenge/sserv.jpg
kousen[.]fire-navi.jp/.well-known/pki-validation/msg.jpg
jambanswers[.]org/.well-known/pki-validation/vseros.bank.zakaz.docx.zip
integramultimedia[.]com.mx/.well-known/acme-challenge/ssj.jpg
incgoin[.]com/.well-known/pki-validation/reso.zip
hexacode[.]lk/.well-known/acme-challenge/ssj.jpg
happysungroup[.]de/.well-known/pki-validation/ssj.jpg
goindelivery[.]com/.well-known/pki-validation/reso.zip
goindelivery[.]com/.well-known/pki-validation/msg.jpg
goindelivery[.]com/.well-known/pki-validation/kia.zip
gnb[.]uz/.well-known/pki-validation/ssj.jpg
geecee[.]co.za/.well-known/pki-validation/msg.jpg
geecee[.]co.za/.well-known/pki-validation/kia.zip
gdn[.]segera.live/.well-known/pki-validation/sserv.jpg
fijidirectoryonline[.]com/.well-known/pki-validation/msg.jpg
fastimmo[.]fr/.well-known/acme-challenge/sserv.jpg
ereservices[.]com/.well-known/pki-validation/sserv.jpg
ede[.]coffee/.well-known/acme-challenge/ssj.jpg
dongydaisinhduong[.]com/.well-known/acme-challenge/messg.jpg
diota[-]ar.com:80/.well-known/acme-challenge/mxr.pdf
diota[-]ar.com/.well-known/acme-challenge/mxr.pdf
diamondking[.]co/.well-known/pki-validation/sserv.jpg
dev01[.]europeanexperts.com/.well-known/pki-validation/messg.jpg
designitpro[.]net/.well-known/acme-challenge/reso.zip
damuoigiasi[.]com/.well-known/acme-challenge/ssj.jpg
dailynow[.]vn/.well-known/acme-challenge/msg.jpg
choviahe[.]cf/.well-known/acme-challenge/ssj.jpg
cellulosic[.]logicalatdemo.co.in/.well-known/pki-validation/ssj.jpg
business[.]driverclub.co/.well-known/pki-validation/msg.jpg
bhartivaish[.]com/.well-known/acme-challenge/sserv.jpg
bcspremier[.]ru/promo/well-known/images/background_sm.jpg
bcspremier[.]ru/promo/well-known/images/background_lg.jpg
atiqah[.]my/.well-known/pki-validation/sserv.jpg
aanarehabcenter[.]com:80/.well-known/pki-validation/ssj.jpg
aanarehabcenter[.]com/.well-known/pki-validation/ssj.jpg
24bizhub[.]com/.well-known/pki-validation/tehnikol.zip
24bizhub[.]com/.well-known/pki-validation/stroi-industr.zip
ipeari[.]com/.well-known/pki-validation/msg.jpg
ipeari[.]com/.well-known/pki-validation/reso.zip
ipeari[.]com/.well-known/pki-validation/stroi-industr.zip
ipeari[.]com/.well-known/pki-validation/stroi-invest.zip
ipeari[.]com/.well-known/pki-validation/tehnikol.zip
learning[.]ipeary.com/.well-known/pki-validation/msg.jpg
learning[.]ipeary.com/.well-known/pki-validation/reso.zip
learning[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip
learning[.]ipeary.com/.well-known/pki-validation/stroi-invest.zip
learning[.]ipeary.com/.well-known/pki-validation/tehnikol.zip
test[.]digimarkting.com/.well-known/pki-validation/msg.jpg
test[.]digimarkting.com/.well-known/pki-validation/reso.zip
test[.]digimarkting.com/.well-known/pki-validation/stroi-industr.zip
test[.]digimarkting.com/.well-known/pki-validation/stroi-invest.zip
test[.]digimarkting.com/.well-known/pki-validation/tehnikol.zip
SBS[.]ipeary.com/.well-known/pki-validation/msg.jpg
SBS[.]ipeary.com/.well-known/pki-validation/reso.zip
SBS[.]ipeary.com/.well-known/pki-validation/stroi-industr.zip
SBS[.]ipeary.com/.well-known/pki-validation/stroi-invest.zip
SBS[.]ipeary.com/.well-known/pki-validation/tehnikol.zip
singleparentaustralia[.]com.au/.well-known/pki-validation/msg.jpg
singleparentaustralia[.]com.au/.well-known/pki-validation/reso.zip
natristhub[.]club/.well-known/pki-validation/msg.jpg
natristhub[.]club/.well-known/pki-validation/reso.zip
natristhub[.]club/.well-known/pki-validation/stroi-industr.zip
natristhub[.]club/.well-known/pki-validation/stroi-invest.zip
natristhub[.]club/.well-known/pki-validation/tehnikol.zip
natristhub[.]club/.well-known/pki-validation/tehnikol1.zip

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.