Malicious Attackers Add Malware to Guardian’s Cybercrime Article

If anything, this particular revelation shows the dark sense of warped humor by malware peddlers and cybercriminals on the internet.

The Guardian, a prominent UK publication, published an article headlined “Cybercrime: Is it out of Control?” that claimed cybercriminals were getting more audacious over time. Sure enough, cybercriminals audaciously injected a malicious URL into the syndicated-links widget embedded on the page, which redirected readers to the dreaded Angler Exploit Kit.


The discovery of the malware was made by security researchers J. Gomez, Kenneth Hsu and Kenneth Johnson at security firm FireEye on December 1, 2015.

The entire account of the discovery can be found in a blog post here.

An excerpt from the blog, explaining the exploit reads:

When the syndication link is loaded in the background, readers are eventually redirected to Angler’s landing page via injected HTML that crafts the request to the Angler landing page.

When it is loaded, the page executes an embedded script and redirects the reader to the Angler landing page, at which point the exploitation stage is set up with a new GET request.

The attack exploits a vulnerability in Windows OLE Automation through VBScript, with a potential Flash exploit (quelle surprise) also involved, the researchers note.

Angler unconditionally attempted to exploit a popular vulnerability, CVE-2014-6332. This is a memory corruption vulnerability in Windows Object Linking and Embedding (OLE) Automation that can be triggered through VBScript in Internet Explorer.

Furthermore, the researchers note that this particular exploit was based on a publicly available proof-of-concept. So too were the techniques it used to attempt arbitrary code execution.

The Angler Exploit Kit routinely checks for security programs such as anti-virus software before deciding how to behave. If an anti-virus product is found, Angler either quietly aborts the attack so that it fails unnoticed or runs a suitably harmless script instead.

As usual, the Angler Exploit Kit also fingerprints browsers for legacy and outdated versions of Adobe Reader, Java, Flash Player, Microsoft Silverlight and other plugins, exploiting their often well-known vulnerabilities to deliver its payload.

After reaching out to the publication, the researchers add that The Guardian is “aware of FireEye’s claims and are working to rectify the issue as soon as possible.”

Images from Wikimedia and FireEye.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.