Criminals have breached the popular Russian boxing portal allboxing.ru and installed a redirect to a third party banking Trojan.
The popular Russian boxing site allboxing.ru has been hacked by a hacker or a criminal collective. The portal has been compromised to include a redirection to a third-party site that contains a banking Trojan. The issue was discovered by researchers from Forcepoint Security Labs. The site is extremely popular in Russia, having about 3 million visitors per month.
The injected code silently redirects the users of the site to a third-party site that contains an exploit. The code uses several tactics and makes sure that the redirect executes only when a certain amount of user interaction with the infected site has been noted.
The code injection appears to load a jQuery plugin called “jQuery Animate Plugin v1.2” while in fact loading a counterfeit plugin. The criminal operators of the hack have made a significant effort to fool the programmers by blending with the legitimate source code by using the same formatting and code style.
The modified script loads another one which then runs an executes several commands from the attacker websites. It is interesting that there is a browser check function – Chrome and Opera users are not vulnerable as the attack cannot exploit their security mechanisms.
The user checks the user activity on the hacked site by watching for clicking, scrolling, and movement of the cursor. The attackers have created weighting scores to define a threshold level above which the redirection is executed. This is a good stealth tactic that prevents automated analysis from discovering the exploit. Another clever idea that has been employed is the use of the redirection domain and URL path which use well-known boxing terms.
The malicious script on the remote attacker site contains a Visual Basic script that exploits the CVE-2016-0189 vulnerability and attempts to run a Powershell script on the victim machine. The end goal is to distribute the Buhtap banking Trojan.