Sprashivai, a popular Russian Q&A and social networking site similar to Yahoo! Answers, has been compromised by an actor attempting to silently redirect users to the RIG Exploit Kit via an injected iFrame.
Forcepoint’s research division, Forcepoint Security Labs, analyzed the campaign.
“The RIG Exploit Kit operators are looking to maximize their profit by compromising a very popular site in Russia,” said Carl Leonard, principal security analyst, Forcepoint. “By executing the SmokeLoader malware on Sprashivai[.]ru, threat actors are able to compromise users' machines silently in the background without any user interaction necessary.”
SmokeLoader, the payload dropped by the RIG EK, is a trojan downloader: its primary purpose is to fetch plug-ins that carry the malicious functionality, such as credential stealers and click-fraud components.
Sprashivai logs around 20 million visitors each month. “This current threat could affect hundreds of thousands of users by simply taking advantage of outdated browser components, such as an old Adobe Flash Player, meaning that it is vital to ensure that all software is up to date, especially browsers and associated plug-ins,” said Leonard.
He added, “Threat actors will always continue to compromise popular sites and develop new and unique ways to try and stay undetected. These criminals do not always need to resort to malvertising to tap into a pool of millions of potential victims. While crypto-ransomware remains one of the most popular weapons of choice, we are seeing that malware developers and distributors also continue to use downloaders like SmokeLoader to ultimately steal data.”
The Forcepoint team also found that the malware's multi-stage delivery is what makes it hard for anti-virus solutions to detect: the Nullsoft Scriptable Install System (NSIS) installer files it uses are legitimate in themselves, and their scripting ability makes them extremely versatile.
Unfortunately, the site continues to be dangerous. “Sprashivai has been compromised since at least June 23 and was still compromised when we checked again on June 29. We notified Sprashivai of the compromise on June 27 but have not heard anything back,” said Nicholas Griffin, senior security researcher at Forcepoint.
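As an added example (not part of Forcepoint's report), the following Python scanner looks for the kind of injection described at the top of this article: an iframe pointing off-site that is hidden by zero or one-pixel dimensions or by CSS, which is how a silent redirect to an exploit kit landing page is typically planted. The sample page and the `.invalid` gate domains are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class HiddenIframeScanner(HTMLParser):
    """Collects the src of every iframe that is both off-site and hidden."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # Off-site: a host that is neither the site itself nor one of its subdomains.
        offsite = bool(host) and host != self.site_host \
            and not host.endswith("." + self.site_host)
        # Hidden: 0/1-pixel dimensions or CSS that collapses or hides the frame.
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width", "").strip() in ("0", "1") \
            or a.get("height", "").strip() in ("0", "1")
        hidden = tiny or any(m in style for m in
                             ("display:none", "visibility:hidden", "width:0", "height:0"))
        if offsite and hidden:
            self.findings.append(src)


def find_hidden_offsite_iframes(html, site_host):
    scanner = HiddenIframeScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one same-site frame, one visible third-party embed,
# and two hidden off-site frames of the sort an injection would add.
SAMPLE_HTML = """
<html><body>
<iframe src="https://sprashivai.ru/widget/ask" width="300" height="200"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<div><iframe src="http://gate.example.invalid/?q=1" width="1" height="1" style="visibility:hidden"></iframe></div>
<iframe src="http://gate2.example.invalid/land" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in find_hidden_offsite_iframes(SAMPLE_HTML, "sprashivai.ru"):
        print("suspicious hidden off-site iframe:", src)
```

Run against a freshly fetched copy of a site's landing page and compare the output with a known-good baseline; only the two constructed gate frames are reported for the sample above, while the same-site widget and the visible embed are not.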