Users who visited the music news website spin.com two weeks ago without the latest patches may have become victims of a drive-by download attack delivered through the RIG exploit kit. The moment the exploit kit finds a vulnerable Flash Player, Java or Silverlight plug-in, it exploits the flaw to download malware onto the compromised machine. Researchers at Symantec have so far detected two different malware families being dropped – Dyre and the Zeus Trojan.
Exploiting Unpatched Vulnerabilities
Dyre has been used in several malicious attacks so far. In most campaigns, the Trojan is delivered via scam emails. Dyre’s ability to steal banking credentials and block browser communications with websites of financial institutions makes it rather appealing to cyber criminals.
Reportedly, the malicious campaign was first detected on October 27. Researchers do not know how long the bad code has been around or how many victims it has claimed. According to the Symantec report, the majority of the targeted users were located in the US. The exploit kit leveraged several flaws, some of which would prevent the malware from being detected on certain systems.
The exploit kit can exploit two security vulnerabilities in Internet Explorer and several flaws in older (2012 and 2013), unpatched versions of Flash Player, Java and Silverlight. Basically, the victims of such a campaign are users who do not update their software regularly.
Malicious Iframe Not to Be Found in the Website’s Code
The website hosting the RIG exploit kit was heavily obfuscated. Before it actually starts to leverage flaws in browser plug-ins, RIG scans for antivirus programs; only if no security products are found does the malicious campaign continue. The payload delivered is either Dyre or a variant of the ZeuS Trojan. Either way, the crooks use an XOR cipher to evade detection.
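The XOR encoding mentioned above is a thin layer of obfuscation, and an analyst who captures the encoded payload can usually strip it because every Windows executable carries known plaintext (the "MZ" signature and the DOS stub string). The following is an added example, not code from the Symantec report or from this page: it brute-forces a single-byte XOR key using that known plaintext, and goes beyond the single-byte case by deriving a short repeating key from the same known plaintext. The sample blob is constructed here and the function names are this example's own.

```python
# Added example (not from the Symantec report or the page): recover a
# XOR-obfuscated Windows executable from a captured blob, using the
# "MZ" signature and DOS stub text as known plaintext. Sample data is
# constructed here; function names are this example's own.

# Known plaintext every PE file carries.
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode."

# Constructed stand-in for a PE header (not a real executable).
SAMPLE_PLAINTEXT = (
    PE_MAGIC + b"\x90\x00" + bytes(60) + DOS_STUB + b"\r\n$" + bytes(16)
)
SAMPLE_KEY = 0x5A  # constructed single-byte key


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the same call encodes and decodes)."""
    return bytes(b ^ key for b in data)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating multi-byte key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(candidate: bytes) -> bool:
    """Cheap plausibility check: PE magic at offset 0 plus the DOS stub string."""
    return candidate[:2] == PE_MAGIC and DOS_STUB in candidate


def recover_single_byte_xor(blob: bytes):
    """Brute-force all 256 single-byte keys; return (key, plaintext) or None."""
    for key in range(256):
        candidate = xor_single(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def derive_repeating_key(blob: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Known-plaintext recovery of a repeating key of length key_len.

    If `known` is expected at `offset` and is at least key_len bytes long,
    every key byte is determined:
        key[(offset + i) % key_len] = blob[offset + i] ^ known[i]
    """
    if len(known) < key_len:
        raise ValueError("known plaintext shorter than key length")
    if offset + key_len > len(blob):
        raise ValueError("known plaintext does not fit inside the blob")
    key = bytearray(key_len)
    for i in range(key_len):
        pos = offset + i
        key[pos % key_len] = blob[pos] ^ known[i]
    return bytes(key)


# The "captured" blob: the constructed header wrapped with the single-byte key.
SAMPLE_BLOB = xor_single(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_single_byte_xor(SAMPLE_BLOB)
    print("single-byte key:", hex(result[0]) if result else None)

    # Repeating-key variant: a 4-byte constructed key, recovered from the DOS stub.
    key4 = b"\x13\x37\xc0\xde"
    blob4 = xor_repeating(SAMPLE_PLAINTEXT, key4)
    stub_offset = SAMPLE_PLAINTEXT.index(DOS_STUB)
    derived = derive_repeating_key(blob4, DOS_STUB, stub_offset, len(key4))
    print("repeating key:", derived.hex(),
          "decodes OK:", xor_repeating(blob4, derived) == SAMPLE_PLAINTEXT)
```

Run as-is to decode the constructed sample. Against a real capture, feed the suspect bytes to recover_single_byte_xor first and fall back to derive_repeating_key with a guessed key length (and the offset where the stub is expected) when no single byte fits. The same known-plaintext idea is what lets scanners flag XOR-wrapped binaries, which is why this layer should not be assumed opaque in either direction.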
The RIG exploit kit was also used in a recent campaign in which infected computers connected to Drupal websites that had been compromised through an SQL injection flaw. Researchers observed the same pattern in those cases: the kit checks for security products before the payload is downloaded.
The malicious code has since been removed from spin.com, and the website is now safe to use.