On September 18, 2014, RiskIQ detected credential-stealing malware being loaded onto users' computers through a drive-by download at jQuery.com. The malware attack was carried out using RIG exploit kit to target visitors. RiskIQ was able to confirm with sources at several large organizations that users of jQuery.com were indeed redirected to this exploit kit.
The jQuery library is a very popular toolkit for developing websites with dynamic content and is widely used by developers within enterprises. According to internal jQuery research, jQuery is used by 30% of websites on the entire Internet, including 70% of the top 10,000 websites in the world.
It's important to note that we did not observe any changes within the jQuery library itself, which was likely unaffected by this compromise. However, discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users. jQuery users are generally IT Systems Administrators and Web Developers, including a large contingent who work within enterprises.
Typically, these individuals have privileged access to web properties, backend systems and other critical infrastructure. Planting malware capable of stealing credentials on devices owned by privilege accounts holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach.
RIG was first uncovered in April 2014 and caught the attention of Cisco researchers in June. In the past, RiskIQ and Symantec researchers have observed RIG on popular websites such as askmen.com. Typically, RIG has been observed dropping banking trojans and other information stealers.
Planting malware on open source websites is not a new technique. These websites are high value targets due to the type of users that frequent them. Several other high profile, open source websites have had this issue in the past. For example, in 2013 PHP.net suffered similar problems, along with MySQL.com in 2011.
We recommend the following if you suspect a system has been affected by this campaign:
- Immediately re-image system
- Reset passwords for user accounts that have been used on the system
- See if any suspicious activity has originated from the offending system
Technical Details:
Using our site-scanning technology, we were able to detect a change within jQuery.com. Approximately 10-15 minutes after our system detected it, we analyzed the site and detected that a malicious script tag was added. This malicious script then added an invisible iframe that redirected users to RIG exploit kit, which is typically used to drop banking trojans as well as other information stealers.
Initial content added to jQuery.com:
Redirection Sequence:
This malicious redirector was hosted in Russia on a domain that was registered on September 18, the morning of the malware attack. We believe that this domain was intended specifically to blend into the website.
After verifying that the site was indeed redirecting users to a malware dropper, we immediately contacted jQuery.com to alert them to the malware attack. While they weren't able to determine the root cause of the malware attack, the site's administrators were addressing the issue.
Hitting this redirector, we continued to be redirected to the RIG exploit kit, even though we weren't able to replicate the script injection on jQuery.com with subsequent requests.
As of this writing, jquery-cdn[.]com was still up and redirecting users to RIG exploit kit.
Information about the domain:
Domain Name: jquery-cdn[.]com
Created On: 2014-09-18
Expiration Date: 2015-09-18
Hosted at:
jquery-cdn.com. 5774 IN A 46.182.31.77
Whois information on the hosting provider:
inetnum: 46.182.28.0 - 46.182.31.255
netname: SELECTEL-NET
descr: Selectel Ltd.
country: RU
admin-c: AKME
tech-c: AKME
status: ASSIGNED PA
mnt-by: MNT-SELECTEL
source: RIPE # Filtered
The exploit kit is hosted at the same hosting provider:
woitp[.]bestburaco[.]com -> 31.186.100.67
inetnum: 31.186.100.0 - 31.186.103.255
netname: SELECTEL-NET
descr: Selectel Network
country: RU
admin-c: akme
tech-c: akme
status: ASSIGNED PA
mnt-by: MNT-SELECTEL
source: RIPE # Filtered
Please download our detailed incident report and review these frequently asked questions for more information.
We will continue to monitor this situation and post any updates in this blog. In the meantime, jQuery.com users should scan their systems for malware.
