December 29, 2016

Arctos Threat Research team has discovered a new attack campaign that downloads Cerber ransomware from hijacked public websites of well known organizations.

In a recent attack, the website of Hindustan Petroleum Corporation Limited (, one of Indian Public sector companies is hijacked by hackers to serve a ransomware. The website is compromised and the content of the website is tampered with a malicious link which can infect the computer anybody who visits the website. Arctos Threat Research Lab has an automated threat monitoring crawler system that monitors websites for compromise and malicious content. Our system monitors thousands of websites which have more than 1000 visitors per day.

As per the globally followed security compromise reporting guidelines, we have notified Hindustan Petroleum on their corporate email but unfortunately there was no action taken related to this [website continues to serve malware at the time of publishing this blog]. We are blogging our findings for public awareness.

We observed the site injecting iframe in the landing page. The injected iframe is updated every day to serve new malware from different sources.

hpinjectediframe 0 o                                        Fig: injected iframe in Hindustan Petroleum home page

We observed the website for last 5 days and found that the injected iframe URL getting updated daily.

urliniframe 0 o                                       Fig: List of hidden url in iframes on various dates

The iframes redirect the browser to landing page which is highly obfuscated to evade detection by signature based detection technologies.

highlyobfuscatedlandingpage 0 o                                                               Fig: highly obfuscated landing page 

Arctos Ateles engine has the ability to interpret, deobfuscate and emulate highly obfuscated java scripts code which gives better insight into such sophisticate threats.
deobfuscatedbyarctosatelesengine 0 o                                               Fig: landing page deobfuscated by Arctos Ateles engine.

Arctos Ateles engine has identified this web page hosting RIG exploit kit. Upon visiting the website exploits were delivered to our analysis system.
rigexploitkit 0 o
RIG exploit kit serves following exploits to visitor’s computer.

● CVE-2016-0189

exploit2016 0189 0 o

● CVE-2014-6332
exploit2014 6332 0 oUpon successful exploitation, Cerber ransomware is downloaded to the victim’s computer system from which the website has been accessed.

cerber 0 o
Cerber is a notorious ransomware known to encrypt documents on victim’s computer and demand a ransom. The files encrypted by Cerber ransomware .
filename 0 o

We will continue to update the blog with more information related to Cerber ransomware analysis.

It is difficult to detect this exploit with existing detection technologies as it is highly polymorphic.
Arctos Ateles engine has the ability to interpret, decrypt and emulate the obfuscated contents in website pages to identify exploits. Ateles engine works with other threat detection techniques like behavior detection, network anomalies, and analytics to successfully detect complex evading threats.

News Courtesy :