Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Traffic is the lifeblood of the cybercrime ecosystem. It is a core commodity enabling cybercriminals to monetize their operations in various ways. For example, in our recent analysis of a fake Russian dating scheme, we observed that fraudsters used online ads to push web traffic to their sites and hijacked web browsers with adware to redirect victim computers. Meanwhile, other actors tap into traffic for much more illicit reasons, such as hijacking traffic from large advertising networks, carrying out phishing attacks, and distributing malware to vulnerable computers.
Many attackers take active steps to protect this source of revenue, utilizing various traffic and device filtering techniques to block out security researchers and optimize the type of traffic they receive. In today’s post, we’ll examine a campaign RiskIQ has been tracking for several weeks involving traffic monetization and filtering, obfuscation, and several thousand compromised web servers.
This particular campaign, which we have named CaesarV after its use of a Caesar cipher to obfuscate code on its pages that cause redirection, uses spam to generate traffic. Spam builds traffic by sending malicious URLs and attachments to a large number of contacts that may have been stolen from address books, harvested from websites, collected from data breach dumps, or purchased from various sellers and marketing database suppliers. When one of these recipients clicks the URL embedded in the spam email, they are sent to a page on a compromised web server which then distributes the traffic among several different scam pages.
Fig-1 Response body of a CaesarV page on a compromised server
Shown above is the response body from one of the CaesarV pages detected by RiskIQ. It contains a few interesting elements including the script (highlighted), which acts as a Caesar cipher. The variable castlesa=61 defines the shift for all of the numbers in the castlesb array, meaning each number in the castlesb array is a character code with 61 added to it. After deobfuscation, the character code array resolves to this redirection:
The result is an affiliate offer for a scam page using a fake news story to sell pills endorsed by Stephen Hawking that purport to improve intelligence.
Fig-2 Scam page redirected to via CaesarV. Also, how do you mistake Wolf Blitzer for Anderson Cooper?
Other observed redirections have landed on fake tech support scams, fake Flash update pages, fake diet pills, and other similarly scammy pages. Since RiskIQ began detecting this behavior, we’ve seen several thousand samples pointing to an equally high number of compromised web servers since at least the beginning of 2017—and possibly much longer.
The actor(s) responsible for CaesarV work by finding vulnerable servers, compromising them, and loading several files onto them, including the PHP files containing the CaesarV code. Analysis of a server hosting CaesarV showed that, following initial compromise, the file /tmp/rnd is written to disk and the perl process is spawned, which then removes the /tmp/rnd file. The perl process then downloads several PHP files from a remote host with the following response headers:
Fig-3 Response headers from remote CaesarV host
Following the download, the process opens listening TCP port 23213. Several inbound connections on this port are received from 18.104.22.168, which is running FTP on port 21, SSH on port 22, HTTP on port 81, and an unknown service on port 84.
22.214.171.124 AS29073 | NL | QUASINETWORKS
RiskIQ analyzed one of the PHP files loaded onto a server after initial compromise. This particular file is hardcoded to create the redirection page and attempts to perform other actions on the compromised server. The file includes an array of words from which the name of the variables in the Caesar cipher script is selected, as well as an array of numbers from which to select the shift for the character codes in the cipher.
There is also a function involving a cookie check and manipulation of htaccess files on the server. If the page is visited by a browser with the correct cookie set, the script will attempt to change permissions on htaccess files on the compromised server to make them writable and then delete them, possibly exposing restricted access in the server’s document root to allow access or to remove restrictions from directory paths.
Fig-4 Cookie and change permissions functions of PHP file loaded onto a compromised server
There is money to be made in a compromised server, and there are an awful lot of vulnerable servers out there waiting to be compromised. In the case of CaesarV, the value comes from the use of an enormous set of domains to which the actor can link for redirection of their spam-created traffic to scam sites. As long as there are vulnerable systems and means of monetizing their compromise, there will continue to be attacks that place them in the hands of malicious actors.
RiskIQ monitors this type of activity on a continual basis using our web data collection platform driven by virtual users and URL Intelligence services. Staying informed on the use of tactics such as these in the threat space is helpful in today’s battle to protect users and systems from external threats.
RiskIQ Community project.
Questions? Feedback? Email firstname.lastname@example.org to contact our research team.
RiskIQ is the leader in attack surface management. We help organizations discover, understand, and mitigate exposures across all digital channels.
#RDP is now a top #ransomware attack vector. As #COVID19 forced businesses to operate remotely, RiskIQ detected in a significant spike in RDP instances worldwide. Is your organization keeping track of internet-exposed services across its attack surface? https://bit.ly/3dr7Qgv
Via @Forbes: #COVID19 meant the redistribution of your company—staff, operations, and digital presence—outside the firewall. It also meant the redistribution or your attack surface, which requires a new approach to protect https://bit.ly/3e4ZjQy
RiskIQ's #COVID19 Internet Intelligence Gateway is a one-stop resource center for fighting pandemic-related cybercrime. Access crucial intelligence including reports and blacklists, and command our global crawling network to analyze suspicious URLs https://bit.ly/3gufrNr
4 out of 5 digital assets contain vulnerable web components, both corporate-owned and third-party. We'll show you how to discover these unknowns and investigate threats targeting them. https://bit.ly/3cOzJ0T