Apparently the reports of the demise of a malicious campaign were premature.
Despite initial reports that said an attack campaign stopped, instead it tricked the security vendor that discovered it into thinking it ended, said researchers at Palo Alto Networks.
The campaign first found by Zscaler affected all users visiting a certain web site. Accessing the site would redirect users to a third-party hosted page where the Angler Exploit Kit would infect victims with the CryptoWall 3.0 ransomware.
Zscaler observed the attack 24 hours but said it stopped after that.
As per Palo Alto Networks’ routine of analyzing and monitoring the security threats discovered by other vendors, the company observed, in spite of Zscaler’s initial conclusion, the threat originating from this domain continued to manifest itself, even days after the first sighting, not just 24 hours.
Palo Alto researchers said this by a “dormant” and “filtering” functionality included in the campaign’s malicious code.
Apparently, the attackers deliver the malicious code to targets only the first time they visit the site, as a precautionary measure to avoid analysis and reverse engineering by security researchers.
Additionally, the malicious payload executes only when the site ends up accessed from specific IP ranges, and to users with particular local software configurations, to maximize the exploit kit’s efficiency and probably to save bandwidth in cases where Angler refuses to execute.
Because of this dormant functionality, Palo Alto said initial reports of the campaign’s shutdown were false.
“At the time of this report, using our malicious web content scanning system, we have already discovered more than 4,000 additional, similarly compromised websites globally exhibiting the same ability of being able to be dormant or active depending on source IP and user agent,” said Palo Alto’s Yuchen Zhou and Wei Xu in a blog post.