
Angler EK Effectively Contaminates Chinese Government Website


Despite recent attempts to disable it, the Angler Exploit Kit (AEK) has successfully compromised a Chinese government website, infosecurity-magazine.com reported on November 4, 2015.

Researchers at the security company Zscaler ThreatLabZ said that during an analysis they discovered a Chinese government website that had been compromised and was redirecting victims to ransomware. The site was hijacked using injected code; it is www.cxda[.]gov.cn, belonging to the 'Chuxiong Archives.' The website somewhat resembles both the Chuxiong City and Chuxiong Yi Prefecture sites, but appears inactive.

Although security experts cleaned the hijacked site within 24 hours, Zscaler was nevertheless alerted to recent modifications to Angler, along with the inclusion of the latest Flash exploits.

Investigators noted that the code was injected before the opening HTML tag and was heavily obfuscated. It closely resembled other recent hijacks and was present on every page of the site, indicating a full site compromise, they said, as infosecurity-magazine.com reported.

The code appears to work against Internet Explorer but not Chrome or Firefox: those two browsers repeatedly throw an error when trying to execute the code, and no redirection happens. Internet Explorer does not prevent the code from executing, and the code decrypts to an iframe that leads to a landing page serving the Angler EK.
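The placement described above (active content ahead of the opening HTML tag, repeated on every page) is something a site owner can check for in crawled or on-disk pages. The following is an added example, not code from the article or from Zscaler; the function names and the sample pages are constructed for illustration.

```python
import re

# Opening <html ...> tag, case-insensitive (does not match "<!DOCTYPE html>").
HTML_OPEN = re.compile(r"<html[\s>]", re.I)
# Content that may legitimately precede <html>: BOM, whitespace, doctype,
# XML declaration, complete comments.
BENIGN_PREFIX = re.compile(
    r"(?:\ufeff|\s+|<!doctype[^>]*>|<\?xml[^>]*\?>|<!--.*?-->)", re.I | re.S)
# Tags that execute or load content; these have no business before <html>.
ACTIVE_TAG = re.compile(r"<\s*(script|iframe|object|embed)\b", re.I)

def pre_html_content(doc):
    """Text before the opening <html> tag with benign prefix items removed.
    Documents with no <html> tag (fragments) yield an empty string."""
    m = HTML_OPEN.search(doc)
    prefix = doc[:m.start()] if m else ""
    return BENIGN_PREFIX.sub("", prefix)

def check_page(doc):
    """Names of active tags found before <html>; empty list means clean."""
    return [t.lower() for t in ACTIVE_TAG.findall(pre_html_content(doc))]

def check_site(pages):
    """pages maps path -> HTML. Returns (flagged paths, every_page_flagged)."""
    flagged = sorted(p for p, doc in pages.items() if check_page(doc))
    return flagged, bool(pages) and len(flagged) == len(pages)

# Constructed samples: an ordinary page and one with an inert placeholder
# script sitting ahead of the doctype and <html> tag.
CLEAN = ('\ufeff<!DOCTYPE html>\n<!-- build 1 -->\n<html lang="zh"><head>'
         '<script src="/app.js"></script></head><body>ok</body></html>')
INJECTED = ('<script>var a="constructed placeholder";</script>\n'
            '<!DOCTYPE html>\n<html><body>ok</body></html>')
SAMPLE_SITE = {"/index.html": INJECTED, "/about.html": INJECTED}

if __name__ == "__main__":
    flagged, site_wide = check_site(SAMPLE_SITE)
    print("flagged pages:", flagged)
    print("every page affected (full-site compromise indicator):", site_wide)
```

A hit on every page points to a change in a shared template, include file or server-side component rather than in a single document.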

The Angler landing page is easy to recognize quickly; however, there are a few recent modifications. Rather than using 7-character strings in an overly long block, the latest Angler pages use only 2-character strings. In addition, there is a prominent 'triggerApi' function near the top of the main script block.

Other than these modifications, the Angler EK page functions as before, with the same objective of delivering a malicious SWF.

Once the exploit cycle runs successfully, a fresh CryptoWall 3.0 sample from the crypt13 scam is downloaded and planted on the target PC.

Angler EK attacks have not previously been of the targeted kind, and this is an unprecedented instance in which the kit's operators have used a government website to target PC users.

» SPAMfighter News - 11/11/2015
