Poisoned watering hole or the malware network in Poland

June 21, 2017 / Report

Over 1000 Polish websites have been infecting the computers of their visitors with malware. This is one of the biggest attacks on Polish Internet users, and it was detected by our Security Operations Center (SOC) team.

Watering hole – this is the name that cybersecurity specialists give to websites that push malicious software onto the devices of their visitors. It is an extremely popular operational pattern for cybercriminals. It is even possible to order a campaign on black-market forums – you pay per infected machine. Infected computers can, for example, have their files encrypted to extort a ransom, be used in a massive attack on a server, or simply be used to capture entered passwords, PIN numbers or credit card numbers. Interestingly, watering holes are not niche sites, sites offering illegal software or otherwise untrusted sites. They are often well-known websites.

After an investigation lasting several weeks, the specialists from our SOC cybersecurity centre discovered a huge network of such watering holes “working for” cybercriminals. They also identified the server that controlled this network and its operating mechanism. It was located, let us say, outside central and western Europe. Work on such cases is in fact the daily routine of cybersecurity specialists. However, the process of getting to the truth sheds light on contemporary investigation methods. This is a short account of one such procedure.

A single byte

It all started with finding one watering hole. This was possible because Exatel has many probes installed at the points where clients’ networks connect to the Internet. As a result, our specialists can see what data enters an internal network and what data leaves it. In this case, a sample of the malicious code was captured and the analysts examined the structure of the infected website.

It is usually very difficult to define precisely how an infection mechanism works. Cybercriminals are very good at disguising themselves. However, the inquisitiveness of the IT specialists paid off, and a very minor mistake by the cybercriminals also helped: the malicious code was caught because it left one extra character in the website’s code. The infected website “knows” a visitor’s country of origin and what computer, IP address and web browser they use. Depending on that information, it selects the type of malicious code to deliver.

Analysing hundreds of thousands of samples made it possible to identify 1000 websites serving malware to their visitors. Notably, the Exatel SOC method also identifies watering holes that are currently switched off – remember that they operate as part of purchased campaigns.

Five weeks of shadowing

Finding a watering hole is sometimes a matter of chance, followed by strenuous work. In the case at hand, a month and a half ago, our probe recorded that a client’s website was behaving strangely and was probably infected. It turned out that someone had used it to install a mechanism that delivered malicious code to visitors’ machines via the so-called RIG exploit kit.

Because its developers overlooked a single extra character left in the website code, the first trace could be found. It then became clear that websites showing similar traces had to be watched. After several weeks of observation, our specialists discovered the script injection pattern and the address of the server that controlled the entire process.
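The two steps described above (spotting a foreign script injected into an otherwise trusted page, then looking across many observed sites for the same trace to find the shared controlling server) can be illustrated with a small hunting script. This is an added example, not code from the Exatel report: the report does not reveal which extra character betrayed the injection or the real server address, so the example keys on the injected script tag itself and uses constructed sample pages; `gate.invalid`, `static.partner.example` and the site names are hypothetical.

```python
"""Added example, not code from the Exatel report: flag <script> tags added to a
page since its last known-good capture, then count across many captured sites
which injected script hosts recur. All sample HTML below is constructed; the
hosts and paths are hypothetical, not indicators from the report."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects every <script> tag as (src, inline_text) in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None  # not None only while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def find_new_scripts(current_html, baseline_html, allowed_hosts):
    """Return scripts present now but absent from the baseline capture.

    Each finding is (kind, value): 'external' for a src on a host the site does
    not normally load from, 'local' for a same-origin or allowed src, and
    'inline' for script text without a src attribute.
    """
    known = set(collect_scripts(baseline_html))
    findings = []
    for src, inline in collect_scripts(current_html):
        if (src, inline) in known:
            continue  # unchanged since the last capture
        if src is None:
            findings.append(("inline", inline))
            continue
        host = urlparse(src).netloc.lower()  # '' for relative paths
        if host and host not in allowed_hosts:
            findings.append(("external", src))
        else:
            findings.append(("local", src))
    return findings


def rank_injected_hosts(captures, allowed_hosts):
    """captures: list of (site, baseline_html, current_html).

    Counts, per external host, how many distinct sites gained a script from it.
    A host that shows up across many unrelated sites is the shared
    infrastructure worth investigating, the way one controlling server was
    traced across the sites in the report.
    """
    sites_per_host = {}
    for site, baseline, current in captures:
        for kind, value in find_new_scripts(current, baseline, allowed_hosts):
            if kind == "external":
                host = urlparse(value).netloc.lower()
                sites_per_host.setdefault(host, set()).add(site)
    return Counter({h: len(s) for h, s in sites_per_host.items()})


# Constructed captures: two sites gain a script from the same hypothetical
# host, a third only adds a script from a partner CDN the sites are allowed to use.
ALLOWED_HOSTS = {"static.partner.example"}
CAPTURES = [
    ("site-a.example",
     "<html><head><script src='/js/app.js'></script></head><body>A</body></html>",
     "<html><head><script src='/js/app.js'></script>"
     "<script src='//gate.invalid/r.php?id=7'></script></head><body>A</body></html>"),
    ("site-b.example",
     "<html><body><script>var x=1;</script></body></html>",
     "<html><body><script>var x=1;</script>"
     "<script src='https://gate.invalid/r.php?id=9'></script></body></html>"),
    ("site-c.example",
     "<html><body>C</body></html>",
     "<html><body><script src='https://static.partner.example/w.js'></script></body></html>"),
]


def demo():
    return rank_injected_hosts(CAPTURES, ALLOWED_HOSTS)


if __name__ == "__main__":
    for host, n in demo().most_common():
        print(f"{host}: new script injected on {n} site(s)")
```

In practice the baseline is the page as captured by the probe before the anomaly, and the allow-list is the set of third-party hosts the site owner confirms as legitimate; the ranking step is what turns one odd page into a list of sites sharing the same injected host.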

Most probably, once this text is published, the perpetrators will immediately remove the bug that allowed their scheme to be seen through. However, the educational value of this story cannot be overestimated. Remember that there are no trusted sites on the Internet. Please also do not forget to keep your security measures up to date. It is also worth following what the experts say, and they had been warning about the possibility of such a threat for a long time.

Download the report in Polish

Download the report in English

Published by: CERT EXATEL