Delaware, USA – March 5, 2020 – Cybercriminals compromise websites and convince visitors to install malware by informing them that some kind of security certificate had expired. Kaspersky Lab researchers have spotted new method adversaries use to convince victims to install malware on their own, which is used in the wild since mid-January. Cybercriminals insert a malicious piece of code into the original HTML page on the hacked website. “The alarming notification consists of an iframe — with contents loaded from the third-party resource ldfidfa[.]pw — overlaid on top of the original page. The URL bar still displays the legitimate address,” researchers discovered. “The jquery.js script overlays an iframe that is exactly the same size as the page. The iframe content is loaded from the address https[:]//ldfidfa[.]pw//chrome.html. As a result, instead of the original page, the user sees a seemingly genuine banner urgently prompting to install a certificate update.” If the user decides to “renew the certificate”, a packed Buerak trojan or Mokes backdoor is downloaded to his system.
Buerak is a trojan for Windows systems that uses strong anti-analysis and anti-sandboxing techniques and is capable of executing code, tampering with running processes, stealing data, and maintaining persistence through registry keys. Mokes is a cross-platform backdoor that is able to operate on all major operating systems: Windows, Linux, and OS X. It can execute arbitrary commands on the victim’s system, take screenshots, upload files, record and exfiltrate audio and video captures; the backdoor uses AES-256-CBC encryption for command-and-control communications. To detect attacks injecting malicious code into your publicly available resources, you can use the Web Application Security Framework rule pack: https://my.socprime.com/en/integrations/web-application-security-framework