'Burrp' compromised to deliver Angler EK's and TeslaCrypt

Burrp, a popular Indian restaurant recommendation site, is now serving its users an inedible dish of a malicious trojan (ransomware) after the site was being compromised.

The visitors of the site were redirected to the Angler exploit kit (EK) which then downloaded TeslaCrypt ransomware to their computers.

Symantec (which notified Burrp of the compromise) claimed that, “The attack appears to be related to a technique described in a recent SANS advisory, as it used the gateway [MALICIOUS SITE].info/megaadvertize.”

Burrp got infected as the attackers injected code into one of the site’s JavaScript files (jquery-form.js). When users tried to create a search using the form they were immediately redirected to the site serving up the Angler EK which then deployed TeslaCrypt on unprotected machines.

According to Symantec, once the EK’s landing page has been decrypted using a key sent to the computer , “it attempts to exploit the Microsoft Windows OLE Remote Code Execution Vulnerability(CVE-2014-6332). If the exploit succeeds, then the TeslaCrypt payload is dropped onto the computer.”

“If the exploit doesn’t work, then the kit drops an .swf file with an exploit for the Adobe Flash Player and AIR Unspecified Integer Overflow Vulnerability (CVE-2015-8651) to download TeslaCrypt onto the computer.”

The Angler Exploit Kit has also been observed delivering exploits for the Microsoft Silverlight Remote Code Execution Vulnerability (CVE-2016-0034).

It was also observed that the malicious url in the Burrp compromise contained the "megaadvertize" string but it has since changed to "hellomylittlepiggy."

Meanwhile, most of the users affected by the compromise are from the United States and India. Burrp has taken cognizance of the issue and is working to resolve it.

Share this with Your friends: