Published on April 8, 2016 09:38 UTC by GovCERT.ch (permalink) Last updated on April 8, 2016 10:16 UTC
With this blog post we would like to share Indicators of Compromise (IOCs) related to the attacks against 20min.ch, a popular Swiss newspaper website that was compromised and abused by attackers to infect visitors with the e-banking Trojan Gozi ISFB. The IOCs shared in this blog post may be used to spot infections within corporate networks.
The compromise of 20min.ch is just one part of a bigger malvertising campaign that has been targeting Swiss internet users since at least spring 2015. The goal of the campaign is to infect Swiss citizens with Gozi ISFB and to commit e-banking fraud (see Swiss Advertising network compromised and distributing a Trojan and Gozi ISFB - When A Bug Really Is A Feature). MELANI / GovCERT.ch is aware of thousands of computers that were infected with Gozi ISFB in the past months and subsequently used to access e-banking accounts without the victim's consent.
This Gozi campaign is not only targeting private Swiss citizens, but also the corporate bank accounts of small and medium-sized businesses (SMBs) in Switzerland. We therefore recommend that SMBs in Switzerland review their IT security arrangements accordingly (see our recommendations at the end of this blog post).
Below is a list of IOCs associated with this Gozi ISFB campaign.
Exploit Kit infrastructure (used to distribute Gozi ISFB):
45.63.14.98
148.251.167.198
ytjrjthgfjhgfhg.co.vu
ads.newscee.com

Gozi C&C DGA domains:
cwwwsitemapwwwwww.su
sitsitemapnot.su
disasitemapwwwyandexbot.su
ccomsitemapagcom.su
csitbrowsewwwwwwwww.su
loginhelpsucesssitemap.su
comwwwcomcomsitsitwcwcom.su
cloginhelpsucess.su

Gozi C&C IP address:
151.80.171.200

Gozi bootstrap server:
141.255.165.122

Malware sample:
MD5 d4528a53acc47d8ed14b11a2484b83ea
SHA256 582004916eaa13ac0b8bf717840b696b6d71644264bd95613c6c8bf26c49f657

The infection chain was shown in a diagram that is not reproduced in this text version.
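To illustrate how the IOCs above can be used to spot infections in a corporate network, here is an added example (not GovCERT.ch code) that sweeps log lines for the published domains, IP addresses and sample hashes. The indicator values are copied from the list above; the log lines, their formats (a BIND-style DNS query log, a Squid-style proxy access log and a "path md5 sha256" file inventory) and the internal client addresses are constructed for the example and are assumptions, not data from this post.

```python
"""Sweep log lines for the Gozi ISFB IOCs published in this post.

Added example, not GovCERT.ch code. The indicator values are copied from
the post; the log lines and their formats are constructed and assumed.
"""
import re
from dataclasses import dataclass

# Indicators from the post, keyed by the stage of the infection chain they belong to.
IOC_DOMAINS = {
    "ytjrjthgfjhgfhg.co.vu": "exploit-kit",
    "ads.newscee.com": "exploit-kit",
    "cwwwsitemapwwwwww.su": "gozi-c2-dga",
    "sitsitemapnot.su": "gozi-c2-dga",
    "disasitemapwwwyandexbot.su": "gozi-c2-dga",
    "ccomsitemapagcom.su": "gozi-c2-dga",
    "csitbrowsewwwwwwwww.su": "gozi-c2-dga",
    "loginhelpsucesssitemap.su": "gozi-c2-dga",
    "comwwwcomcomsitsitwcwcom.su": "gozi-c2-dga",
    "cloginhelpsucess.su": "gozi-c2-dga",
}
IOC_IPS = {
    "45.63.14.98": "exploit-kit",
    "148.251.167.198": "exploit-kit",
    "151.80.171.200": "gozi-c2",
    "141.255.165.122": "gozi-bootstrap",
}
IOC_HASHES = {
    "d4528a53acc47d8ed14b11a2484b83ea": "gozi-sample",
    "582004916eaa13ac0b8bf717840b696b6d71644264bd95613c6c8bf26c49f657": "gozi-sample",
}

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{32})\b", re.I)


@dataclass
class Hit:
    line_no: int
    indicator: str
    role: str
    line: str


def match_domain(name):
    """Return (ioc_domain, role) if name equals an IOC domain or is a host
    under one, so a query for a subdomain of an IOC is still flagged; else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate, IOC_DOMAINS[candidate]
    return None


def scan(lines):
    """Return one Hit per (line, indicator). An indicator that appears twice on
    one line (e.g. the C&C IP in both the URL and the DIRECT/ field) counts once."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        found = {}  # indicator -> role, insertion-ordered, dedups repeats on the line
        for m in DOMAIN_RE.finditer(line):
            r = match_domain(m.group(1))
            if r:
                found.setdefault(r[0], r[1])
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                found.setdefault(ip, IOC_IPS[ip])
        for h in HASH_RE.findall(line):
            if h.lower() in IOC_HASHES:
                found.setdefault(h.lower(), IOC_HASHES[h.lower()])
        hits.extend(Hit(line_no, ind, role, line) for ind, role in found.items())
    return hits


# Constructed sample log lines (assumed formats and internal addresses).
SAMPLE_LOGS = [
    # BIND-style DNS query log: two DGA lookups, then a benign lookup of the
    # compromised site itself, which is deliberately NOT an indicator.
    "08-Apr-2016 09:12:01.123 client 10.1.2.33#51234: query: cwwwsitemapwwwwww.su IN A + (10.1.2.1)",
    "08-Apr-2016 09:12:02.456 client 10.1.2.33#51235: query: loginhelpsucesssitemap.su IN A + (10.1.2.1)",
    "08-Apr-2016 09:12:05.789 client 10.1.2.40#51300: query: www.20min.ch IN A + (10.1.2.1)",
    # Squid-style proxy access log: exploit kit, bootstrap server, C&C, benign.
    "1460106725.123 145 10.1.2.33 TCP_MISS/200 2310 GET http://ads.newscee.com/ads.php?id=7 - DIRECT/45.63.14.98 text/html",
    "1460106726.500 210 10.1.2.33 TCP_MISS/200 98304 GET http://static.ads.newscee.com/x.swf - DIRECT/148.251.167.198 application/x-shockwave-flash",
    "1460106740.000 95 10.1.2.33 TCP_MISS/200 1024 GET http://141.255.165.122/ - DIRECT/141.255.165.122 application/octet-stream",
    "1460106790.000 60 10.1.2.33 TCP_MISS/200 412 POST http://151.80.171.200/images/ - DIRECT/151.80.171.200 text/html",
    "1460106800.000 30 10.1.2.40 TCP_MISS/200 512 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    # File inventory "path md5 sha256": the published sample, then a made-up benign hash.
    r"C:\Users\user\AppData\Roaming\sample.exe d4528a53acc47d8ed14b11a2484b83ea 582004916eaa13ac0b8bf717840b696b6d71644264bd95613c6c8bf26c49f657",
    r"C:\Windows\System32\notepad.exe 0123456789abcdef0123456789abcdef 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.role:15} {h.indicator}")
```

Two caveats apply when running this against real logs: the DGA domains and IP addresses are tied to the campaign at the time of publication (DGA domains rotate and IPs get reassigned), so an absence of hits does not prove a clean network, and 20min.ch itself is not an indicator, since every visitor resolved it whether or not the exploit kit fired.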
We are notifying Internet Service Providers (ISPs) and network owners in Switzerland about Gozi infections in their IP space that we become aware of. If your ISP informs you about such an infection, we strongly recommend cleaning up the infected machine by reinstalling the operating system. Note that not all antivirus software is able to detect a Gozi infection; this is why a full reinstall of the operating system is recommended.
You can find further documentation on how to prevent malware infections below.
For end users:
Information for private users (German) https://www.ncsc.admin.ch/ncsc/de/home/infos-fuer/infos-private.html
Information for private users (French) https://www.melani.admin.ch/melani/fr/home/schuetzen/verhaltensregeln.html
Information for private users (Italian) https://www.melani.admin.ch/melani/it/home/schuetzen/verhaltensregeln.html
For small and medium businesses:
IT security fact sheet for SMBs (German) https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-unternehmen/aktuelle-themen/schuetzen-sie-ihr-kmu.html
IT security fact sheet for SMBs (French) https://www.melani.admin.ch/melani/fr/home/documentation/listes-de-controle-et-instructions/securite-informatique--aide-memoire-pour-les-pme.html
IT security fact sheet for SMBs (Italian) https://www.melani.admin.ch/melani/it/home/dokumentation/liste-di-controllo-e-guide/promemoria-sulla-sicurezza-informatica-per-le-pmi.html
Further reading on this Gozi campaign:
Swiss Advertising network compromised and distributing a Trojan http://www.govcert.admin.ch/blog/13/swiss-advertising-network-compromised-and-distributing-a-trojan
Gozi ISFB - When A Bug Really Is A Feature http://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature