Zscaler Blog

Security Research

BESCOM users being redirected to RIG EK

ROHIT HEGDE
September 13, 2017 - 2 min read

BESCOM (Bangalore Electricity Supply Company Limited) is responsible for power distribution in eight districts of the Indian state of Karnataka. It covers an area of roughly 15,900 square miles and serves a population of roughly 20 million people.

Zscaler ThreatLabZ researchers recently discovered that malicious actors had planted redirects on the bill payment page of the BESCOM portal. These redirects were active on September 11, 2017, and made the page unusable for its intended purpose.

We also observed redirects to the RIG exploit kit (EK) originating from bescom[.]org/en/paybill/, which sent users to the RIG landing page URL below:

188.225.82[.]40/?NTU4NzYx&party=UDVXgiUfTfABgyYxZBggX8v37h0XQzkOYhp7X-.....

Figure 1: RIG EK redirect hits from bescom[.]org/en/paybill/

Subsequent attempts to load bescom[.]org/en/paybill resulted in redirects to cryptocurrency scam sites and to YouTube videos promoting cryptocurrency scams.

The redirect is caused by a meta refresh tag injected into the BESCOM page, which, in this instance, sends users to http://btc100x[.]rocks.

Figure 2:  btc100x[.]rocks redirect
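As an added example (this is not code from the Zscaler post), here is a small Python checker for the kind of injected meta refresh described above. It parses a page for meta http-equiv="refresh" tags, extracts the delay and target URL, and flags every target that leaves the page's own host, marking it separately when the host is on this post's IoC list. The sample HTML is constructed for the example, and treating btc100x[.]rocks as an IoC alongside the two IP addresses is my assumption, since the post lists only the IPs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# IoCs from this post, kept in the post's defanged form and refanged here.
# btc100x[.]rocks appears in the write-up but not in the IoC list; including
# it is an assumption of this example.
DEFANGED_IOCS = ["188.225.82[.]40", "188.225.82[.]43", "btc100x[.]rocks"]
IOC_HOSTS = {h.replace("[.]", ".") for h in DEFANGED_IOCS}

# Constructed sample page: a minimal stand-in for a compromised bill payment
# page, not the real BESCOM HTML.
SAMPLE_HTML = """<html><head>
<meta charset="utf-8">
<meta http-equiv="refresh" content="0; url=http://btc100x.rocks/">
<title>Pay Bill</title>
</head><body><p>Loading...</p></body></html>"""

# content="<delay>" or content="<delay>; url=<target>" (quotes optional)
_REFRESH_RE = re.compile(r"^\s*(\d+)\s*(?:;\s*url\s*=\s*['\"]?([^'\"\s]*))?", re.I)


class MetaRefreshParser(HTMLParser):
    """Collect (delay, url) pairs from every <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = _REFRESH_RE.match(a.get("content", ""))
        if m:
            self.targets.append((int(m.group(1)), m.group(2) or ""))


def find_meta_refresh(html):
    """Return all meta refresh (delay, target) pairs found in the HTML."""
    p = MetaRefreshParser()
    p.feed(html)
    p.close()
    return p.targets


def flag_redirects(page_url, html, ioc_hosts=IOC_HOSTS):
    """Return findings for meta refreshes whose target leaves page_url's host."""
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for delay, target in find_meta_refresh(html):
        # A relative or empty target refreshes the same host, which is benign here.
        target_host = (urlparse(target).hostname or page_host).lower()
        if target_host == page_host:
            continue
        reason = "matches IoC list" if target_host in ioc_hosts else "off-domain redirect"
        findings.append({"delay": delay, "target": target,
                         "target_host": target_host, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in flag_redirects("http://bescom.org/en/paybill/", SAMPLE_HTML):
        print(f"[!] meta refresh after {f['delay']}s to {f['target']} ({f['reason']})")
```

Run it against saved HTML of any page you are monitoring; a zero-delay refresh to a host outside the site, and in particular to a raw IP address, is the pattern seen here and is worth alerting on even when the destination is not yet on an IoC list.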

The second redirect we observed led to a YouTube video scam encouraging users to transfer their Bitcoins in order to multiply them. The redirect and a screenshot of the video are shown below.

Figure 3: Scam YouTube video redirect

Figure 4: Scam YouTube video

Overview of the RIG EK cycle at 188.225.82[.]40

When we tested the RIG redirect, we found that it was still active.

Figure 5: Capture of RIG cycle from the redirected IP

The obfuscated JavaScript can be seen below.

Figure 6: Obfuscated JavaScript on the RIG EK landing page

The landing page then downloads a Flash file that fingerprints the system to determine whether it is vulnerable. A snippet of the decompiled Flash is shown in the following image.

Figure 7: Decompiled Flash file

The payload that was downloaded is shown below.

Figure 8: Malware payload download attempt

In our testing, the payload failed during execution and threw an error message.

Figure 9: Failed malware execution

Indicators of compromise (IoCs):

IP addresses:
188.225.82[.]40
188.225.82[.]43

Conclusion

Zscaler ThreatLabZ notified BESCOM of the compromise on September 11, 2017, and, while we did not receive any response, it appears that the company was quick to remediate the issue. Zscaler ThreatLabZ is actively monitoring this campaign to ensure protection for Zscaler customers.
