Nick Carr, Senior Manager, Detection and Analysis, FireEye on Bad Rabbit

Nick Carr, Senior Manager, Detection and Analysis, FireEye

“Around 2017-10-24 at 08:00:00 UTC, FireEye began to detect and block attempts to infect multiple clients with a drive-by download masquerading as a Flash Update (install_flash_player.exe), hosted on attacker infrastructure 1dnscontrol[.]com. The infection attempts were referred from multiple sites simultaneously, indicating a widespread strategic web compromise campaign. FireEye has observed this malicious JavaScript framework in use since at least February 2017, including its usage on several of the sites from today’s attacks. The framework acts as a “profiler” that gathers information from those viewing the compromised pages – including host and IP address info, browser info, referring site, cookie from referring site. Malicious profilers allow attackers to obtain more information about potential victims before deploying payloads (in this case, the BADRABBIT dropper “flash update”).

“FireEye network devices blocked infection attempts at multiple victims globally until around 2017-10-24 15:00:00 UTC when the infection attempts ceased and attacker infrastructure – both 1dnscontrol[.]com and monitored sites containing the rogue code – were taken offline. The use of strategic web compromises and profilers provides guardrails that allow attackers to select targets carefully and halt operations quickly.

“When we say strategic web compromises, this means an attacker hosts malicious code on an unknowing victim’s website that is then used to infect the true targets. The websites are carefully selected for compromise so that they will have the most direct reach to the ultimate targets with minimal collateral damage. In the case of BADRABBIT, many strategic compromises were Eastern European travel and media websites used to then profile visitors and deliver the payload.”
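A defender-side illustration of the drive-by pattern described in the statement, added here as an example and not part of FireEye's or Nick Carr's material: it triages proxy log lines for downloads of the fake Flash update (install_flash_player.exe) served from hosts other than Adobe's, and records the referring site as a lead to the strategic web compromise that sent the visitor there. The log format, the sample lines and the assumption that genuine installers come only from Adobe-owned domains are constructed for this example; the only indicator taken from the page is 1dnscontrol[.]com.

```python
import re
from urllib.parse import urlsplit

# Attacker host quoted in the statement (defanged there as 1dnscontrol[.]com).
KNOWN_BAD_HOSTS = {"1dnscontrol.com"}
# Assumption: genuine Flash installers come only from Adobe-owned domains.
LEGIT_FLASH_SUFFIXES = (".adobe.com", ".macromedia.com")
PAYLOAD_NAME = "install_flash_player.exe"

# Constructed log format: <timestamp> <client-ip> <method> <url> <referer> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2017-10-24T08:02:11Z 10.1.4.22 GET http://1dnscontrol.com/install_flash_player.exe http://news.example-travel.org/article/123 403
2017-10-24T08:03:40Z 10.1.4.23 GET https://fpdownload.adobe.com/get/flashplayer/install_flash_player.exe - 200
2017-10-24T08:05:02Z 10.1.4.24 GET http://cdn.example-media.net/js/profiler.js http://example-media.net/ 200
2017-10-24T08:06:19Z 10.1.4.25 GET http://update-host.example/install_flash_player.exe http://blog.example-travel.org/ 200
"""

def triage(log_text: str) -> list:
    """Return one finding per fake-Flash-update download from a non-Adobe host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format
        ts, client, _method, url, referer, status = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if filename != PAYLOAD_NAME or host.endswith(LEGIT_FLASH_SUFFIXES):
            continue
        findings.append({
            "time": ts,
            "client": client,
            "host": host,
            "status": status,  # a 403 here is a blocked attempt, still worth a look
            "known_bad": host in KNOWN_BAD_HOSTS,
            # The referer names the site the victim came from: a lead for
            # finding the strategic web compromise that delivered the lure.
            "referrer_site": urlsplit(referer).hostname if referer != "-" else None,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A host not in the known-bad set but still flagged (like the fourth sample line) is the interesting case: the payload name matches while the serving host is unknown, so it deserves analyst review rather than an automatic verdict.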