Website Add-on Targets Japanese Users, Leads To Exploit Kit

In the past few weeks, an exploit kit known as FlashPack has been hitting users in Japan. In order to affect users, this particular exploit kit does not rely on spammed messages or compromised websites: instead, it uses a compromised website add-on.

This particular add-on is used by site owners who want to add social media sharing buttons on their sites. All the site owner would have to do is add several lines of JavaScript code to their site’s design template. This code is freely available from the website of the add-on.

The added script adds an overlay like this to the site’s pages:

Figure 1. Added share buttons

To do this, a JavaScript file hosted on the add-on's home page is loaded. This alone should raise red flags: it means the site owner is loading scripts from an external server not under their control. It's one thing to load scripts from trusted sites like Google, Facebook, or other well-known names; it's another thing to load scripts from little-known servers with no reputation to protect.

As it turns out, this script is being used for malicious purposes. On certain sites, instead of the original add-on script, the user is redirected to the script of FlashPack, like so:

GET http://{add-on domain}/s.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20101203 Firefox/3.6.13
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: {victimized website}
Host: {add-on domain}

The text above is the HTTP request for the script of the add-on, with the URLs partially obfuscated. Below is the reply from the server:

HTTP/1.1 302 Found
Date: Thu, 14 Aug 2014 02:39:45 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/
Location: {exploit kit URL}
Content-Length: 386
Connection: close
Content-Type: text/html; charset=iso-8859-1

Note that loading the s.js file directly will simply return the "correct" script for the add-on; the redirect is served only when certain sites appear in the Referer header. One site that triggers the exploit kit when found in the Referer header is a well-known free blogging site in Japan. The exploit kit delivers various Flash exploits to targeted users; in at least one of these cases a Flash vulnerability (CVE-2014-0497) which was patched in February was used in the attack. We have seen that TROJ_CARBERP.YUG is downloaded onto the affected system.
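As an added illustration that is not part of the original post, the script below applies the two observations above to constructed proxy-log lines: a third-party script request answered with a redirect to yet another host, and the same script URL returning a plain 200 when fetched with no Referer. The one-line log format and all hostnames are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample log (simplified proxy format); hostnames are placeholders,
# not the real add-on or exploit-kit domains from the incident.
SAMPLE_LOG = """\
GET http://addon.example/s.js 302 Location=http://ek-landing.example/land.php Referer=http://blog.example.jp/post/1
GET http://addon.example/s.js 200 Location=- Referer=-
GET http://cdn.example/jquery.js 200 Location=- Referer=http://blog.example.jp/post/1
GET http://addon.example/s.js 302 Location=http://addon.example/v2/s.js Referer=http://blog.example.jp/post/1
"""

LINE_RE = re.compile(r'^(\w+) (\S+) (\d{3}) Location=(\S+) Referer=(\S+)$')

def parse_line(line):
    """Turn one log line into a dict; '-' means the header was absent."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, url, status, location, referer = m.groups()
    return {"method": method, "url": url, "status": int(status),
            "location": None if location == "-" else location,
            "referer": None if referer == "-" else referer}

def is_script_redirect_offsite(rec):
    """A .js request answered with a redirect to a host that is neither the
    script host nor the referring site: the pattern seen in this attack."""
    if rec["status"] not in (301, 302, 303, 307, 308) or not rec["location"]:
        return False
    if not urlparse(rec["url"]).path.endswith(".js"):
        return False
    src_host = urlparse(rec["url"]).hostname
    dst_host = urlparse(rec["location"]).hostname
    ref_host = urlparse(rec["referer"]).hostname if rec["referer"] else None
    return dst_host not in (src_host, ref_host)

def find_script_redirects(log_text):
    records = (parse_line(l) for l in log_text.splitlines())
    return [r for r in records if r and is_script_redirect_offsite(r)]

def referer_cloaked_urls(log_text):
    """Script URLs that redirect off-site with a Referer but serve 200 without one."""
    by_url = {}
    for r in filter(None, map(parse_line, log_text.splitlines())):
        by_url.setdefault(r["url"], []).append(r)
    return [u for u, recs in by_url.items()
            if any(r["referer"] is None and r["status"] == 200 for r in recs)
            and any(r["referer"] and is_script_redirect_offsite(r) for r in recs)]
```

Running find_script_redirects over real proxy logs flags only the first sample line; the fourth redirects within the add-on host and is left alone.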

The attack itself is aimed heavily at Japanese users. Approximately 58,000 users, at a minimum, have been affected by this attack, with more than 87% of these coming from Japan. The landing pages of the exploit kit are hosted on servers in the Czech Republic, the Netherlands, and Russia.

Figure 2. Number of hits by country from August 1 to 17

How can users and site owners prevent these attacks? Site owners should be very cautious about adding add-ons to their site that rely on externally hosted scripts. As shown in this attack, they are trivial to abuse for malicious purposes, and they can slow the site down as well. Alternatives that host the script on the same server as the site itself are preferable.

This incident illustrates for end users the importance of keeping software patched. The vulnerability we mentioned above has been fixed for half a year. Various auto-update mechanisms exist which can keep Flash up to date.

Trend Micro products and solutions block the sites and detect the malicious files that are part of this attack. In addition, the browser exploit prevention technology that is a part of our endpoint solutions is capable of preventing this attack from taking place in the first place.

With additional insights from Walter Liu

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 22 August 2014; the content source with the full text can be found at the link above.