
The Unwinnable Match: Losing Even If Your Team Wins

2019 has been a big year for international sports with events such as the NBA finals, the Cricket World Cup, and FIFA’s Women’s World Cup (just to name a few) garnering massive viewing audiences around the world. So how does one stay current with these massive events if they don’t have the right cable package to watch them? Aside from going to a friend’s house or a bar, they search for a free viewing on the Internet.

At Awake, we have observed a recent spike in individuals streaming sports events while at work. In fact, more than half of our customers have had to deal with employees violating acceptable use policies to stream free content. What’s worse is that many of these instances have resulted in what is known as a drive-by download: an adversary gains access to a system when a user visits a seemingly benign website that has in fact been compromised and downloads malicious code. With this technique, the user’s web browser is usually the target, either for exploitation or for the installation of “man-in-the-browser” tools, and a site often carries multiple malicious code snippets in the hope that one of them will work on the user’s system or browser. Another common technique redirects the victim from the initial site to a page that hosts malicious content; here the malicious actor hopes that the user falls for the trap and visits one of the malicious links listed on the site.

Let’s take a look at an interesting example recently uncovered at a customer. Here we have a user browsing Reddit in search of a free stream of a soccer (football) match. The user then found a site which they believed to be a safe environment in which to watch the match.

Within two seconds of going to the stream, the user is redirected and immediately downloads a suspicious JavaScript file, as shown below. The domain the user found and assumed to be safe actually hosted malware in the form of a JavaScript/iframe.

This behavior was detected by a model within the Awake Security Platform that looks for statistically suspicious file names (based on length, characters, etc.) served from a rare and suspect destination. Forensic analysis of the JavaScript file that triggered this model revealed several malicious behaviors, ranging from opening the service control manager to installing hooks/patches on running processes, all of which can be used for privilege escalation and credential abuse. In fact, we were able to confirm compromise: seconds later the platform observed HTTP POST requests from the victim to a file server and beaconing out to several Internet locations with a less than stellar reputation.
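As an added illustration of the kind of model described above (example code, not Awake's own detection logic), the following Python flags script downloads whose file name is unusually long or random-looking and whose serving host has been contacted by very few internal clients. The proxy log entries, hostnames and thresholds are constructed for this example and are not indicators from the incident.

```python
import math
from collections import Counter
from urllib.parse import urlparse

# Constructed proxy log entries (client_ip, url, content_type). Hosts, paths
# and clients are made up for this example, not indicators from the post.
SAMPLE_LOG = [
    ("10.0.0.5", "https://www.reddit.com/r/soccerstreams/comments/x1", "text/html"),
    ("10.0.0.7", "https://www.reddit.com/r/soccer/", "text/html"),
    ("10.0.0.9", "https://www.reddit.com/r/nba/", "text/html"),
    ("10.0.0.5", "https://cdn.streamsite.example/player.js", "application/javascript"),
    ("10.0.0.7", "https://cdn.streamsite.example/player.js", "application/javascript"),
    ("10.0.0.5", "https://kq3x.adserv.example/a8Fz9Qx2mL0pWe3RtVb7.js", "application/javascript"),
]

MAX_NAME_LEN = 20   # hypothetical threshold: ordinary script names are short
MIN_ENTROPY = 3.8   # hypothetical threshold: bits/char of a generated-looking name
RARE_HOST_MAX = 1   # a host seen by at most this many clients counts as "rare"

def shannon_entropy(s):
    """Bits per character of s; high values suggest random or generated names."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_filename(name):
    """Flag .js names that are too long or too random, the two signals the model uses."""
    stem = name.rsplit(".", 1)[0]
    return name.endswith(".js") and (len(stem) > MAX_NAME_LEN or shannon_entropy(stem) >= MIN_ENTROPY)

def host_client_counts(log):
    """Number of distinct internal clients that contacted each host (rarity measure)."""
    seen = {}
    for client, url, _ in log:
        seen.setdefault(urlparse(url).hostname, set()).add(client)
    return {host: len(clients) for host, clients in seen.items()}

def find_suspect_downloads(log):
    """Return (client, host, filename) for odd-named script downloads from rare hosts."""
    counts = host_client_counts(log)
    hits = []
    for client, url, ctype in log:
        parsed = urlparse(url)
        name = parsed.path.rsplit("/", 1)[-1]
        if "javascript" in ctype and suspicious_filename(name) and counts[parsed.hostname] <= RARE_HOST_MAX:
            hits.append((client, parsed.hostname, name))
    return hits
```

Running `find_suspect_downloads(SAMPLE_LOG)` flags only the single-client host serving the 20-character random name, while the widely shared `player.js` passes.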


In this case, the quick detection enabled the customer to remediate the issue before a widespread infection. But this is a prime example of why user awareness and training are critical to decreasing the risk an organization faces. Additionally, when the inevitable does happen, a network traffic analysis tool that can identify behavioral threats acts as a powerful backstop.

Indicators

Attacker infrastructure:

Eric Poynton

Lead Network Threat Hunter