freeprop.blogg.se

Real for mac

Volexity recently identified a breach to the website of a well regarded media outlet in the country of Georgia. As part of this breach, the media organization's website was being leveraged as a component of a malware campaign targeting select visitors. The news organization provides reporting on its website in English, Georgian, and Russian. However, only the Georgian language portion of the website was impacted and used in an effort to distribute malware. The targets were then further narrowed to those that were running the Mac OS X operating system, had not previously visited the website, and had specific browser versions. The attackers accomplished much of this with JavaScript they placed on the media organization's website. The following JavaScript code was observed on the index page of the Georgian language portion of the website.

The attackers appear to have implemented multiple checks to make sure they limited the targeting and frequency of the attacks against visitors to the website. In particular, the JavaScript specifically checks if the visitor's User-Agent is associated with a Mac and that the browser is not Google Chrome. If these conditions pass, cookies for the website are pulled into a variable and inspected. In particular a cookie named site is examined to see if it holds the value RNDsstr2Template2 or RNDsstrTemplate. If either cookie is present, it indicates that the visitor has previously visited the website and evaluated the attacker's JavaScript code. If this is the case, the exploitation chain will end. The code will then extend the expiration of the site cookie with RNDsstr2Template2 as its value. However, if initial criteria passed and the site cookie is not present or at least does not contain the value RNDsstr2Template2 or RNDsstrTemplate, the JavaScript will then create the site cookie with the value RNDsstrTemplate and then call the function prepareFrame().

The prepareFrame() function effectively loads an iframe from the following attacker controlled URL:

During most of Volexity's test cases, this page will only return 2 bytes back to the request. However, when requesting the URL with a User-Agent indicative of a Mac system using Safari, Volexity was able to intermittently get the website to return follow on JavaScript. Despite the initial check ensuring the visitor is on a Mac and not running Google Chrome, it appears server-side code performs further checks before attempting to actually target the user. Volexity observed the following code being returned from the server upon meeting all targeting conditions:

This script results in the user being brought to a page titled "Flash Player Critical Update" that was designed to appear as though it was a legitimate Adobe website. This page in turn loaded an iframe from the following URL:

The code from this URL appears to have been generated from Metasploit with a module for the Safari User-Assisted Download and Run Attack. The Metasploit website describes the attack and the module as follows:
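For defenders reviewing web proxy logs for this campaign, the site cookie values and the User-Agent gate described in this write-up can be turned into a triage check. The Python below is an added example, not code from the original page or from Volexity; the record layout, the sample log lines and the substring form of the Mac/non-Chrome test are assumptions.

```python
FIRST_VISIT = "RNDsstrTemplate"     # "site" value set just before prepareFrame() is called
REPEAT_VISIT = "RNDsstr2Template2"  # "site" value set when a returning visitor is detected
SEVERITY = {"repeat-visitor": 1, "iframe-attempted": 2}

# Constructed sample records (client IP, User-Agent, Cookie header); not real traffic.
MAC_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/602.4.8 (KHTML, like Gecko) Version/10.0.3 Safari/602.4.8"
MAC_CHROME = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
SAMPLE_LOG = [
    ("10.0.0.5", MAC_SAFARI, "lang=ka; site=RNDsstrTemplate"),
    ("10.0.0.5", MAC_SAFARI, "lang=ka; site=RNDsstr2Template2"),
    ("10.0.0.9", MAC_CHROME, "lang=ka"),
    ("10.0.0.12", MAC_SAFARI, "site=RNDsstr2Template2"),
    ("10.0.0.20", MAC_SAFARI, "website=RNDsstrTemplate; lang=en"),
]

def cookie_value(header, name):
    """Return the value of one cookie from a Cookie request header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def passes_client_gate(user_agent):
    """Assumed form of the page's check: Mac User-Agent and not Google Chrome."""
    return "Mac" in user_agent and "Chrome" not in user_agent

def classify(user_agent, cookie_header):
    """Map one request to (status, ua_consistent), or None when no marker is present."""
    marker = cookie_value(cookie_header, "site")
    if marker == FIRST_VISIT:
        status = "iframe-attempted"  # the gate passed and prepareFrame() was called
    elif marker == REPEAT_VISIT:
        status = "repeat-visitor"    # chain ended, cookie lifetime extended
    else:
        return None
    # A marker sent by a browser that fails the gate suggests an altered User-Agent.
    return status, passes_client_gate(user_agent)

def triage(log):
    """Keep the most severe finding per client across all of its requests."""
    worst = {}
    for client, user_agent, cookie_header in log:
        finding = classify(user_agent, cookie_header)
        previous = worst.get(client)
        if finding and (previous is None or SEVERITY[finding[0]] > SEVERITY[previous[0]]):
            worst[client] = finding
    return worst
```

A client seen only with RNDsstr2Template2 was already a returning visitor, so the visit on which the iframe was attempted falls outside the log window being searched.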











