20min.ch Malvertising Incident

Published on 2016-04-08 09:38:00 UTC by GovCERT.ch
Last updated on 2016-04-08 10:16:42 UTC

With this blog post we would like to share Indicators of Compromise (IOCs) related to the attacks against 20min.ch, a popular newspaper website in Switzerland which was compromised and abused by hackers to infect visitors with an e-banking Trojan called Gozi ISFB. The IOCs shared in this blog post may be used to spot infections within corporate networks.

The compromise of 20min.ch is just one part of a bigger malvertising campaign that has been targeting Swiss internet users since at least spring 2015. The goal of the campaign is to infect Swiss citizens with Gozi ISFB and to commit e-banking fraud (see Swiss Advertising network compromised and distributing a Trojan and Gozi ISFB - When A Bug Really Is A Feature). MELANI / GovCERT.ch is aware of thousands of computers that were infected by Gozi ISFB in the past months and subsequently used to access e-banking accounts without the victim's consent.

We are aware that this Gozi campaign is not only targeting Swiss citizens, but also the corporate bank accounts of small and medium-sized businesses (SMBs) in Switzerland. We therefore recommend that SMBs in Switzerland review their IT security arrangements accordingly (see our recommendations at the end of the blog post).

Below is a list of IOCs associated with this Gozi ISFB campaign.

Exploit kit infrastructure (used to distribute Gozi ISFB):
45.63.14.98
148.251.167.198
ytjrjthgfjhgfhg.co.vu
ads.newscee.com

Gozi C&C DGA domains:

Gozi C&C IP address:
151.80.171.200

Gozi bootstrap server:
141.255.165.122

Malware sample:
MD5 d4528a53acc47d8ed14b11a2484b83ea
SHA256 582004916eaa13ac0b8bf717840b696b6d71644264bd95613c6c8bf26c49f657

The infection chain is as follows:

  1. The SWF file on 20min.ch contains embedded JavaScript which performs a basic fingerprint using the User-Agent and a cookie. Based on this information, a decision is made whether or not to redirect the visitor to the infection site.
  2. The visitor is redirected to the exploit kit, where a VBScript is downloaded that performs a further check to determine which exploit suits the target.
  3. The device is infected with Gozi in the form of a .dll that is made persistent via a registry key (loaded through rundll32) under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The DLL resides in the %APPDATA% folder of the user.
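A host-side check for the third step, added here as an example and not part of the GovCERT.ch post: it walks a constructed set of HKCU Run values and flags those that launch rundll32 on a DLL located below the user's %APPDATA%. The value names, file paths and the user "alice" are assumptions made for the sample data.

```python
import ntpath
import re

# Constructed Run values as they might be listed from
# HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run on one host;
# the user "alice", the value names and the paths are made up for this example.
SAMPLE_RUN_VALUES = {
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "Display": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
    "Updater": 'rundll32.exe "C:\\Users\\alice\\AppData\\Roaming\\wmiutil\\svchlp.dll",DllEntry',
    "Sync": "C:\\Windows\\System32\\rundll32.exe %APPDATA%\\cache\\prt.dll,Start",
}
SAMPLE_ENV = {"APPDATA": "C:\\Users\\alice\\AppData\\Roaming"}  # constructed


def expand_env(value, env):
    """Expand %VAR% references; unknown variables are left as written."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def split_first_token(cmd):
    """Return (program, arguments) for a Windows command line, honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:].strip())
    parts = cmd.split(None, 1) or [""]
    return parts[0], (parts[1] if len(parts) > 1 else "")


def rundll32_dll_under(cmd, directory):
    """Return the DLL path if cmd runs rundll32 on a DLL below `directory`, else None."""
    program, args = split_first_token(cmd)
    if ntpath.basename(program).lower() not in ("rundll32.exe", "rundll32"):
        return None
    # rundll32 takes <dll>,<entrypoint>; the DLL path may be quoted.
    dll = args.split(",", 1)[0].strip().strip('"')
    prefix = ntpath.normcase(directory.rstrip("\\")) + "\\"
    return dll if ntpath.normcase(dll).startswith(prefix) else None


def find_suspicious_run_entries(run_values, env):
    """Map Run value name -> expanded DLL path for entries matching the persistence pattern."""
    hits = {}
    for name, cmd in run_values.items():
        dll = rundll32_dll_under(expand_env(cmd, env), env["APPDATA"])
        if dll:
            hits[name] = dll
    return hits
```

On a live host the same function can be fed the output of a Run key enumeration and the real %APPDATA% value; a hit is a triage lead, not proof of a Gozi infection, and the hash IOCs above can be used to confirm the flagged DLL.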

We are notifying Internet Service Providers (ISPs) and network owners in Switzerland about Gozi infections in their IP space that we become aware of. If your ISP informs you about such an infection, we strongly recommend cleaning up the infected machine by reinstalling the operating system. Please note that not all antivirus software is able to detect a Gozi infection; hence a full reinstall of the operating system is recommended.

Recommendations

Further documentation on how to prevent malware infections can be found below.

For end users:

MELANI Verhaltensregeln (rules of conduct, German)
https://www.melani.admin.ch/melani/de/home/schuetzen/verhaltensregeln.html

MELANI Règles de comportement (rules of conduct, French)
https://www.melani.admin.ch/melani/fr/home/schuetzen/verhaltensregeln.html

MELANI Regole di comportamento (rules of conduct, Italian)
https://www.melani.admin.ch/melani/it/home/schuetzen/verhaltensregeln.html

For small and medium businesses:

Merkblatt IT-Sicherheit für KMUs (IT security fact sheet for SMBs, German)
https://www.melani.admin.ch/melani/de/home/dokumentation/checklisten-und-anleitungen/merkblatt-it-sicherheit-fuer-kmus.html

Sécurité informatique: aide-mémoire pour les PME (IT security fact sheet for SMBs, French)
https://www.melani.admin.ch/melani/fr/home/documentation/listes-de-controle-et-instructions/securite-informatique--aide-memoire-pour-les-pme.html

Promemoria sulla sicurezza informatica per le PMI (IT security fact sheet for SMBs, Italian)
https://www.melani.admin.ch/melani/it/home/dokumentation/liste-di-controllo-e-guide/promemoria-sulla-sicurezza-informatica-per-le-pmi.html

Further reading on this Gozi campaign:

Swiss Advertising network compromised and distributing a Trojan
http://www.govcert.admin.ch/blog/13/swiss-advertising-network-compromised-and-distributing-a-trojan

Gozi ISFB - When A Bug Really Is A Feature
http://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature
