Security News: Top Russian Site Exposes Millions to Info-Stealing Malware

frogboy
Sprashivai, a popular Russian Q&A and social networking site similar to Yahoo! Answers, has been compromised by an actor attempting to silently redirect users to the RIG Exploit Kit via an injected iFrame.

Forcepoint’s research division, Forcepoint Security Labs, analyzed the campaign.

“The RIG Exploit Kit operators are looking to maximize their profit by compromising a very popular site in Russia,” said Carl Leonard, principal security analyst, Forcepoint. “By executing the SmokeLoader malware on Sprashivai[.]ru, threat actors are able to compromise users' machines silently in the background without any user interaction necessary.”

The SmokeLoader malware is a trojan which downloads other components (i.e. click-fraud, credential stealers etc.), and it’s being dropped by the RIG EK. SmokeLoader's primary purpose is to download plug-ins which contain malicious functionality such as credential stealers and click-fraud components.

Sprashivai logs around 20 million visitors each month. “This current threat could affect hundreds of thousands of users by simply taking advantage of outdated browser components, such as an old Adobe Flash Player, meaning that it is vital to ensure that all software is up to date, especially browsers and associated plug-ins,” said Leonard.

He added, “Threat actors will always continue to compromise popular sites and develop new and unique ways to try and stay undetected. These criminals do not always need to resort to malvertising to tap into a pool of millions of potential victims. While crypto-ransomware remains one of the most popular weapons of choice, we are seeing that malware developers and distributors also continue to use downloaders like SmokeLoader to ultimately steal data.”

Full article: Top Russian Site Exposes Millions to Info-Stealing Malware