A long-lasting website infection campaign meant to redirect users to exploit kits (EKs) such as Angler and Neutrino continues to run strong roughly one year and a half after being originally discovered.
Dubbed “EITest” because of a variable consistently found in injected code across infected websites, the infection campaign was initially described in October 2014, but continued to affect websites in 2015 as well. As it turns out, the campaign is still ongoing, with numerous websites still getting hacked and injected with code that redirects users to exploit kits.
In 2014, Malwarebytes explained that compromised websites were essentially injected with code for a Flash application that also packed a series of parameters to make it invisible to the user. The EITest variable was present in the code, hence the campaign’s name, and visiting IP addresses were flagged so that the redirection would occur only during the initial visit, thus making the website infection more difficult to detect.
In March this year, Rackspace security researcher Brad Duncan revealed that the campaign’s injected script patterns had remained almost unchanged, while the URLs and variable names had changed over time. Today, the researcher says that, earlier this month, the EITest campaign also switched to redirecting users to the Neutrino EK. The campaign usually uses Angler, but Neutrino appears to be used from time to time as well.
According to Duncan, the EITest campaign has been using 188.8.131.52/24 as a gate between the compromised website and the EK ever since the beginning of this year. The TLD of these gate domains is either .tk or .co.uk, the latter emerging mainly this week.
The researcher was able to generate two full infection chains from the same compromised website, both pertaining to the EITest campaign: one redirected to Neutrino, which instead downloaded the Gootkit malware, while the other used Angler and dropped a 24 KB executable (which hasn’t been analyzed yet) as the payload.
The EITest gate observed in this particular case was true.imwright.co.uk, with the Neutrino EK hosted on ndczaqefc.anein.top, while the Angler EK was served from kmgb0.yle6to.top. The two infection chains occurred within 11 minutes of each other, the researcher says.
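The following script is an added example written for this page (it is not Duncan's code or part of the original article). It shows how a defender could reconstruct the compromised-site -> gate -> EK chain described above from proxy logs by following HTTP referers. It uses the gate /24 and the .tk/.co.uk TLDs named in the article as weak indicators, and only reports a hit when the full three-hop shape is present within a short time window, so ordinary .co.uk browsing is not flagged on TLD alone. The log format, the paths, the client and non-gate IP addresses are constructed for the example; only the gate and EK hostnames come from the article, and the log is assumed to be in chronological order.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Indicators taken from the article: the /24 the EITest gates have used since
# the start of 2016 and the two TLDs seen on the gate domains.
GATE_NET = ipaddress.ip_network("188.8.131.52/24", strict=False)
GATE_TLDS = (".tk", ".co.uk")
# Maximum gap between a gate hit and the follow-on EK landing request (assumed).
MAX_HOP_SECONDS = 30

# Constructed proxy log (not real traffic). Fields: time client url referer dest_ip.
# Gate and EK hostnames are the ones named in the article; paths, client IPs and
# non-gate destination IPs are made up. Lines are assumed to be in time order.
SAMPLE_LOG = """\
2016-04-11T14:02:03Z 10.0.0.5 http://compromised-site.example/index.php - 203.0.113.10
2016-04-11T14:02:04Z 10.0.0.5 http://true.imwright.co.uk/gate.php http://compromised-site.example/index.php 188.8.131.77
2016-04-11T14:02:05Z 10.0.0.5 http://ndczaqefc.anein.top/landing/ http://true.imwright.co.uk/gate.php 198.51.100.23
2016-04-11T14:05:00Z 10.0.0.5 http://news.example.co.uk/ - 203.0.113.44
2016-04-11T14:13:10Z 10.0.0.5 http://compromised-site.example/index.php - 203.0.113.10
2016-04-11T14:13:11Z 10.0.0.5 http://true.imwright.co.uk/gate.php http://compromised-site.example/index.php 188.8.131.77
2016-04-11T14:13:12Z 10.0.0.5 http://kmgb0.yle6to.top/landing/ http://true.imwright.co.uk/gate.php 198.51.100.77
"""


def parse_log(text):
    """Parse the constructed five-field log format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer, dest = line.split()
        rows.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "url": url,
            "host": urlsplit(url).hostname,
            "referer": None if referer == "-" else referer,
            "ref_host": None if referer == "-" else urlsplit(referer).hostname,
            "dest": ipaddress.ip_address(dest),
        })
    return rows


def looks_like_gate(row):
    """Weak indicator: destination inside the gate /24, or a gate TLD on the host."""
    return row["dest"] in GATE_NET or row["host"].endswith(GATE_TLDS)


def find_redirect_chains(text):
    """Return compromised-site -> gate -> EK chains reconstructed from referers.

    A request is reported only when (1) it carries gate indicators, (2) it was
    referred from a different site, and (3) it is itself the referer of a
    request to a third, unrelated host within MAX_HOP_SECONDS. Requiring the
    full three-hop shape keeps a direct visit to a legitimate .co.uk site
    from being flagged on the TLD alone.
    """
    rows = parse_log(text)
    chains = []
    for i, gate in enumerate(rows):
        if not looks_like_gate(gate) or not gate["ref_host"]:
            continue
        if gate["ref_host"] == gate["host"]:
            continue
        for nxt in rows[i + 1:]:
            if (nxt["time"] - gate["time"]).total_seconds() > MAX_HOP_SECONDS:
                break
            if (nxt["client"] == gate["client"]
                    and nxt["referer"] == gate["url"]
                    and nxt["host"] not in (gate["host"], gate["ref_host"])):
                chains.append({
                    "time": gate["time"].isoformat(),
                    "client": gate["client"],
                    "compromised": gate["ref_host"],
                    "gate": gate["host"],
                    "ek_landing": nxt["host"],
                })
                break
    return chains


if __name__ == "__main__":
    for c in find_redirect_chains(SAMPLE_LOG):
        print(f'{c["time"]} {c["client"]}: {c["compromised"]} -> '
              f'{c["gate"]} -> {c["ek_landing"]}')
```

Run against the sample log, this reports the two chains from the article (one ending at the Neutrino host, one at the Angler host, about 11 minutes apart) and ignores the direct visit to the .co.uk news site. Because the article notes that the gate redirects a given IP only on the first visit, a chain like this will typically appear once per client; re-checking a suspected site from the same address will not reproduce it, so referer-based reconstruction from logs is more reliable than revisiting the page.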
Duncan also explains that the test machine was running Adobe Flash Player 184.108.40.2066, which is vulnerable to CVE-2016-1019, and that both Angler and Neutrino EK pack exploits for this vulnerability. As with other EK infections, the malicious payload is dropped in the background while the user continues to browse the web, even though they are only visiting legitimate (but compromised) websites.
Cybercriminals have long been looking to hack websites and abuse them in EK attacks, but users can stay protected by keeping their applications updated at all times and making sure they have the latest patches for their Windows operating system installed. An up-to-date anti-virus program would also help ensure that computers are not infected when running across such campaigns.