Burrp compromised. Angler Exploit Kit delivers TeslaCrypt ransomware
Authored by a Symantec employee
Cybercriminals routinely use exploit kits to probe systems for vulnerabilities and infect users with malware. An exploit kit gives the attacker a channel to the victim's system through which it delivers code carrying a variety of commands. These kits are big money in the underground economy, and one of the most notorious among them is the Angler Exploit Kit.
A recent victim of this Angler Exploit Kit is ‘Burrp’, a popular local food and restaurant recommendation website based in India. Burrp was compromised to redirect users to the Angler exploit kit (EK) in order to deliver the TeslaCrypt ransomware. Cyber criminals took over users’ computers and encrypted their files. They also demanded a ransom for decrypting the files.
The site has been sending users to the exploit kit since the beginning of February. Symantec notified Burrp of the compromise and the company has stated that it is working to resolve the issue. Most of the users who have been impacted by this attack are based in the US and India.
How the attack works
1. Injecting malicious code
2. Script received from the exploit kit’s server
The script then sends a POST request to the same remote location. The response to this request includes a file that redirects users to the Angler exploit kit landing page.
3. Angler attempts to exploit the vulnerabilities
If the exploit succeeds, then the TeslaCrypt payload is dropped onto the computer. If the exploit doesn’t work, then the kit drops another file with a different type of exploit to download TeslaCrypt onto the computer.
4. TeslaCrypt in action
Once TeslaCrypt arrives, it writes an executable file to memory, which carries the Trojan's main functionality. The Trojan then drops the ransom message into every folder that contains encrypted files. This notice demands that the user pay in bitcoins to obtain the decryption key and restore their data.
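The note-in-every-folder behaviour described above leaves a measurable footprint on disk: one small file whose byte-identical content is replicated across many directories. The following is an added, defender-side example (not code from the original article or from Symantec) that sweeps a directory tree for exactly that pattern; the note file name, note text and sample tree are constructed placeholders, not TeslaCrypt's actual artifacts.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream-hash a file so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_replicated_notes(root, min_dirs=3, max_size=64 * 1024):
    """Return {sha256: (filename, [dirs])} for small files whose byte-identical
    content appears in at least min_dirs distinct directories under root."""
    by_digest = defaultdict(set)
    first_name = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                if p.stat().st_size > max_size:
                    continue  # a ransom note is small; skip bulk data files
                digest = sha256_of(p)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            by_digest[digest].add(dirpath)
            first_name.setdefault(digest, name)
    return {d: (first_name[d], sorted(dirs))
            for d, dirs in by_digest.items() if len(dirs) >= min_dirs}

def build_sample_tree() -> str:
    """Constructed sample (not real TeslaCrypt artifacts): four folders each get
    an identical note plus a unique 'encrypted' blob; a fifth folder is untouched."""
    root = tempfile.mkdtemp(prefix="ransom_sweep_")
    note = b"Your files are encrypted. Pay to get the key.\n"  # placeholder text
    for i in range(4):
        d = Path(root) / f"docs{i}"
        d.mkdir()
        (d / "HOW_TO_RESTORE.txt").write_bytes(note)  # placeholder note name
        (d / f"report{i}.docx.locked").write_bytes(os.urandom(200))
    (Path(root) / "untouched").mkdir()
    (Path(root) / "untouched" / "readme.txt").write_bytes(b"nothing to see\n")
    return root

if __name__ == "__main__":
    for digest, (name, dirs) in find_replicated_notes(build_sample_tree()).items():
        print(f"{name} ({digest[:12]}...) replicated into {len(dirs)} directories")
```

Run against a user's home directory or a file share, a hit with a large directory count is a strong trigger for isolating the host and checking backups before any cleanup.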
Prevention and Protection
The best way for users to avoid infection from these types of attacks is to take preemptive action:
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
- Always keep your security software up to date to protect yourself against any new variants of malware. Norton by Symantec has always been at the forefront of early detection and prevention of malicious attacks.
- Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
If you suspect that a site you use has been compromised, notify the site’s administrator as soon as possible to prevent the attack from spreading further.
Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Norton, Norton by Symantec, LifeLock, and the LockMan Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Google Chrome and Android are trademarks of Google, LLC. Mac, iPhone and iPad are trademarks of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced and/or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other company names and product names are registered trademarks or trademarks of each company.