EC-Council Website Distributes Angler Exploit Kit
The website of the security certification provider EC-Council has been serving a malicious drive-by towards the Angler exploit kit since Monday.
According to research by Fox IT, the redirect occurs only when a visitor is using Microsoft’s Internet Explorer as a browser, or the user-agent has to represent Internet Explorer, when the visitor arrives from a search engine link and when the visitor’s IP address is not blacklisted or belongs to a blocked geolocation.
This specific campaign instance of the Angler exploit kit drops ‘TeslaCrypt’ ransomware on the exploited victim’s machine. The redirect occurs on the EC-Council website via PHP code on the webserver, which is injecting the redirect into the webpage.
“A vulnerability in the EC-Council website is most likely exploited as it runs the very popular WordPress CMS which has been a target through vulnerable plug-ins for years,” the research said.
Efforts to contact the EC-Council were without success, as the press contact page leads to a 404. Fox IT said it had reached out and notified the EC-Council, but no corrective action had been taken.
Speaking to Infosecurity, Maartin van Dantzig, senior researcher at Fox-IT said that the issue was found on Monday after several customers were found to be infected. “We wanted to see how they were being infected and we found it was by the EC-Council website, so we tried to contact them but after they responded on Monday they stopped responding and there was nothing we could do about it,” he said.
He explained that he did hear from them and they asked what website was infected and for screenshot, and the next day Fox-IT asked next if they had been able to fix it but got no response, so made the decision to go public as they knew it was a high risk for their customers.
Speaking to Infosecurity, Luis Corrons, Panda Labs technical director, wondered why users of Internet Explorer were affected. Clarifying, van Dantzig said that the Angler exploit kit impacts versions of Internet Explorer previous to IE11 which allow browser plug-ins to run, while Chrome and FireFox block outdated plug-ins and IE 7-10 all allow browser plug-ins to run.
Corrons said: “Most exploit kits have an operating panel to determine who they want to infect, and the old banking Trojans were configured not to infect people in their own country.
“For the blacklisted IP addresses, I’m 99% sure it is a blacklist of anti-malware and anti-virus companies so the bad guys have a blacklist of what the good guys work with, and makes it harder for us to find them.”
Source: Information Security Magazine