A popular Russian boxing site (allboxing.ru) boasting 3 million visitors per month has been infected with highly evasive code that attempts to silently redirect users to a third-party website hosting an exploit and a Russian banking trojan, but only if the user is active on the site.
According to Forcepoint Security Labs, the injected code employs several evasion tactics. For one, “the attacker has made significant effort to blend in with the legitimate content by using the same formatting and comment style,” said Forcepoint Security’s Nicholas Griffin, in an analysis.
The attacker also attempts to insert a malicious script from his or her own website—but it’s not inserted if the user's browser is either Chrome or Opera, presumably because the attacker is not able to exploit these browsers.
The domain name and URL path used for the third-party site are also clever: the domain uses the term "canvas," which is a well-known boxing term, and the URL contains the word "sport."
“This makes the URL appear a lot less suspicious considering that allboxing.ru is a boxing news site,” Griffin said.
And perhaps most notably on the stealth front, the script ensures that sufficient user interaction has occurred, from clicking, scrolling or moving the mouse. The attacker has assigned different weighting scores to the different types of user interaction and inserts the iFrame only once the threshold score is above 30. This is a stealth tactic used to prevent automated analysis systems from being redirected to the exploit, Griffin explained.
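As an added illustration, not code from Forcepoint's analysis or the article, the following Python heuristic scans a script body for the combination of traits described above (interaction listeners, per-event weighted counting, a User-Agent branch that skips some browsers, and dynamic iframe creation) and flags only scripts that show the gate together with the payload. The two samples are constructed; the event weights and the indicator patterns are assumptions.

```python
import re

# Indicator patterns modelled on the injection described above (assumed patterns).
INDICATORS = {
    "interaction_listener": re.compile(
        r"addEventListener\(\s*['\"](?:mousemove|scroll|click|touchstart)['\"]"),
    "weighted_interaction": re.compile(
        r"(?:mousemove|scroll|click)[^}]{0,80}\+=\s*\d+"),
    "ua_branch": re.compile(
        r"userAgent[^;]{0,80}(?:Chrome|Opera|OPR)|(?:Chrome|Opera|OPR)[^;]{0,80}userAgent"),
    "iframe_injection": re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)"),
}

def script_indicators(src: str) -> set:
    """Return the names of all indicator patterns present in a script body."""
    return {name for name, rx in INDICATORS.items() if rx.search(src)}

def is_interaction_gated_injector(src: str) -> bool:
    """Flag only the combination: a listener or an iframe alone is normal for
    analytics and ad code; weighted counting or a UA exclusion on top of both
    is the gate the report describes."""
    hits = script_indicators(src)
    return ({"interaction_listener", "iframe_injection"} <= hits
            and bool(hits & {"weighted_interaction", "ua_branch"}))

# Constructed test inputs (not the real injected code). Weights are assumed;
# the threshold of 30 and the Chrome/Opera exclusion come from the report.
INJECTED_SAMPLE = """
/* site widgets */
var s = 0;
window.addEventListener('mousemove', function () { s += 10; check(); });
window.addEventListener('scroll', function () { s += 15; check(); });
window.addEventListener('click', function () { s += 20; check(); });
function check() {
  if (s > 30 && !/Chrome|Opera/.test(navigator.userAgent)) {
    document.body.appendChild(document.createElement('iframe'));
  }
}
"""
BENIGN_SAMPLE = """
/* analytics and ad slot */
window.addEventListener('scroll', function () { ga('send', 'event', 'scroll'); });
var ad = document.createElement('iframe');
ad.src = '/ads/banner.html';
document.body.appendChild(ad);
"""

if __name__ == "__main__":
    for label, src in (("injected", INJECTED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, sorted(script_indicators(src)), is_interaction_gated_injector(src))
```

The benign sample shares two of the four indicators with the injected one, which is why the check requires the gating traits and not merely a listener plus an iframe.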
If all the boxes are ticked, the script downloads a variant of the Buhtrap Russian banking trojan. Buhtrap is a criminal cyber-hacking group that targets financial institutions. As reported by Group-IB, Buhtrap has been active since 2014. From August 2015 to February 2016, it managed to conduct 13 successful attacks against Russian banks and defrauded them of a total of $25.7 million.
“Attackers are getting better at disguising the code they inject into compromised websites,” said Griffin. “Websites with high volumes of traffic are a popular choice for attackers, and this is especially true if the bulk of the traffic is from a specific region of the world of interest to the attacker. With the recent arrests of actors using the Lurk banking trojan, Buhtrap appears to be a likely alternative for actors wishing to target Russian banks and software.”