Darkleech Says Hello

There’s never a dull day at FireEye — even on the weekends. At approximately 7:29 AM PDT today, we were notified by several security researchers that a fireeye[.]com/careers HR link was inadvertently serving up a drive-by download exploit. Our internal security, IT operations team, and third-party partners quickly researched and discovered that the malicious code was not hosted directly on any FireEye web infrastructure, but rather, it was hosted on a third-party advertiser (aka “malvertisement”) that was linked via one of our third-party web services. The team then responded and immediately removed links to the malicious code in conjunction with our partners in order to protect our website users. More information on this third-party compromise (of video.js) can be found here.

Technical Details

The full redirect looked like this:

hxxp://www[.]fireeye[.]com/careers/
(redirect to) -> hxxp://xxx[.]xxxxxxxx[.]com/career/CareerHome.action?clientId=8aa00506326e915601326f65b82e1fcb
(calls) -> hxxp://vjs[.]zencdn[.]net/c/video.js (VULNERABLE JAVASCRIPT)
(calls) -> hxxp://cdn[.]adsbarscipt[.]com/links/jump/ (MALVERTISEMENT)
(calls) -> hxxp://209[.]239[.]127[.]185/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php (EXPLOIT URL)
(drops) -> MD5: 01771c3500a5b1543f4fb43945337c7d (Update_flash_player.exe)
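A chain like the one above can be reconstructed on the defender's side from web-proxy logs by following Referer headers outward from a page on your own domain until the browser fetches an executable. The script below is an added example, not code from the original post or from FireEye's products; it runs on constructed log lines in a simplified five-field format, and the hostnames, the clientId value, HEXDIR and the 203.0.113.10 address are placeholders rather than the indicators listed in the post.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse
# Constructed proxy log, not real traffic: time, client, referer ('-' = none), URL, content type.
# Hostnames, the clientId value, HEXDIR and 203.0.113.10 are placeholders, not the post's indicators.
SAMPLE_LOG = """\
2013-09-14T07:12:40Z 10.0.0.5 - http://www.fireeye.example/careers/ text/html
2013-09-14T07:12:41Z 10.0.0.5 http://www.fireeye.example/careers/ http://jobs.vendor.example/career/CareerHome.action?clientId=ID text/html
2013-09-14T07:12:41Z 10.0.0.5 http://jobs.vendor.example/career/CareerHome.action?clientId=ID http://vjs.cdn.example/c/video.js application/javascript
2013-09-14T07:12:42Z 10.0.0.5 http://jobs.vendor.example/career/CareerHome.action?clientId=ID http://cdn.adsbar.example/links/jump/ text/html
2013-09-14T07:12:43Z 10.0.0.5 http://cdn.adsbar.example/links/jump/ http://203.0.113.10/HEXDIR/face-book.php text/html
2013-09-14T07:12:45Z 10.0.0.5 http://203.0.113.10/HEXDIR/face-book.php http://203.0.113.10/Update_flash_player.exe application/x-msdownload
"""
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}

def parse_log(text):
    """Yield (client, referer or None, url, content_type) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            _ts, client, ref, url, ctype = line.split()
            yield client, (None if ref == "-" else ref), url, ctype

def is_ip_literal(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def find_driveby_chains(log_text, own_hosts):
    """Follow referer edges outward from pages on own_hosts; return each chain that
    ends in an executable download, noting whether the final host is an IP literal."""
    edges, ctype_of, roots = defaultdict(list), {}, []
    for client, ref, url, ctype in parse_log(log_text):
        ctype_of[(client, url)] = ctype
        if ref is not None:
            edges[(client, ref)].append(url)
        elif urlparse(url).hostname in own_hosts:
            roots.append((client, url))          # a direct visit to one of our pages
    hits = []
    def walk(client, url, chain, seen):
        if url in seen:                          # referer loops (page <-> iframe) end here
            return
        chain, seen = chain + [url], seen | {url}
        if ctype_of.get((client, url)) in EXEC_TYPES:
            hits.append({"chain": chain, "ip_literal_host": is_ip_literal(urlparse(url).hostname or "")})
        for nxt in edges.get((client, url), []):
            walk(client, nxt, chain, seen)
    for client, url in roots:
        walk(client, url, [], frozenset())
    return hits
```

Note that the script itself (video.js here) never appears as a referer: the browser attributes the ad request to the page that executed it, so the chain shows the page, the malvertisement jump, the exploit page and the drop, while the script fetch sits on a side branch.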

So what was this, anyway?

It turns out, this attack was not targeted and it was not a watering hole attack. Instead, this campaign appears to be a recent wave of the Darkleech malware campaign, where third-party Horde/IMP Plesk Webmail servers were vulnerable to attack and used to serve up Java exploits that ultimately drop yet another ransomware named Reveton (similar to Urausy), though other AV engines report it as a Zeus Bot (Zbot) variant.

Do FireEye products detect this attack?

Yes, the initial infection vector, payload, and corresponding
Reveton callbacks were fully detected across all FireEye products
prior to this incident being reported to us. In fact, this particular
Reveton sample has been reported by approximately 49 of our worldwide
customers, so far. Further intelligence about this threat is listed below:

  • DTI Statistics for MD5: 01771c3500a5b1543f4fb43945337c7d
  • MD5 first seen by our customers: 2013-09-14 07:12:40 UTC
  • Number of unique worldwide FireEye Web MPS detections: 188+
  • Number of unique FireEye Web MPS customers reported/alerted on this sample: 49+
  • Number of industries affected: 12+

[Figure: Industries affected by Reveton]

Lastly, FireEye acknowledges and thanks security researchers Inaki
Rodriguez and Stephanus J Alex Taidri for bringing this issue to our attention.
