CIO

Researchers hijack huge network of hacked sites that spread ransomware, banking trojans

Researchers have severed a link between criminals running the ElTest malware distribution network and computers they infected with ransomware and banking trojans.
  • Liam Tung (CSO Online)
  • 17 April, 2018 03:37

Researchers at Proofpoint, abuse.ch and brilliantit.com have “sinkholed” ElTest, breaking a large network of legitimate but compromised websites that had been capable of conducting two million redirects per day to various exploit kits. The attacks targeted desktop Chrome, Chrome on Android, Internet Explorer and Firefox.

ElTest has been in operation since 2011 and is known to have redirected browsers to several major exploit kits, including Angler, RIG, and Neutrino. ElTest formed a key link in an infection chain that delivered banking malware, including Ramnit, Qadars, Kronos, DarkCloud, and Gootkit, as well as several ransomware variants including CryptXXX, Cerber, and CryptFile2.

According to Proofpoint researcher Kafeine, ElTest’s operators were selling traffic from the compromised websites in blocks of 50,000 to 70,000 visitors at a rate of $20 per thousand, which earned them between $1,000 and $1,400 per block.

The researchers seized ElTest’s command and control domains in mid-March; those domains now point to an abuse.ch sinkhole that receives all traffic from the backdoors on the compromised websites. The action cuts the compromised sites off from the operators and prevents them from exposing visitors to malicious traffic and browser injects that redirect visitors to an exploit kit.
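The browser injects described above are what an operator of a WordPress or Joomla site can actually look for in the HTML their server serves. The following is an added example written for this page (not code from Proofpoint, abuse.ch or Brilliantit) that scans a page for the usual redirect artifacts: off-site script and iframe loads, hidden iframes, and meta-refresh or direct JavaScript redirects to a host outside the site. The site host, the allowlist and the sample page are constructed for the example (reserved `.test` and `.invalid` names); no real ElTest domains are used.

```python
"""Scan a page's HTML for injected redirect artifacts of the kind a backdoored
site serves to visitors: off-site script/iframe loads, hidden iframes, and
meta-refresh or JavaScript redirects to a host outside the site.

Added example by the editor; not Proofpoint, abuse.ch or Brilliantit code.
Host names, the allowlist and the sample page are constructed (.test/.invalid).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Direct assignments to location / location.href / location.replace(...) with a
# literal absolute URL. Obfuscated or string-built redirects will not match;
# treat large unexplained inline scripts as needing manual review.
JS_REDIRECT = re.compile(
    r"(?:location(?:\.href)?\s*=|location\.replace\()\s*['\"](https?://[^'\"]+)")


class InjectScanner(HTMLParser):
    """Collects (kind, host, url) findings for content loaded from off-site hosts."""

    def __init__(self, site_host, allowlist=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allow = {h.lower() for h in allowlist}
        self.findings = []
        self._in_script = False
        self._script_text = []

    def _offsite_host(self, url):
        """Return the host if url points outside the site and its allowlist, else None."""
        host = urlparse(url).hostname
        if not host:            # relative URL: same origin
            return None
        host = host.lower()
        if host == self.site_host or host.endswith("." + self.site_host):
            return None
        if host in self.allow:  # known CDNs, analytics, etc.
            return None
        return host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_text = []
            host = self._offsite_host(a.get("src") or "")
            if host:
                self.findings.append(("offsite-script", host, a["src"]))
        elif tag == "iframe":
            src = a.get("src") or ""
            host = self._offsite_host(src)
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") == "0" or a.get("height") == "0")
            if host:
                kind = "hidden-offsite-iframe" if hidden else "offsite-iframe"
                self.findings.append((kind, host, src))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            i = content.lower().find("url=")
            if i >= 0:
                url = content[i + 4:].strip().strip("'\"")
                host = self._offsite_host(url)
                if host:
                    self.findings.append(("meta-refresh", host, url))

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            for m in JS_REDIRECT.finditer("".join(self._script_text)):
                host = self._offsite_host(m.group(1))
                if host:
                    self.findings.append(("js-redirect", host, m.group(1)))


def scan_html(html, site_host, allowlist=()):
    """Parse html served by site_host and return the list of redirect findings."""
    p = InjectScanner(site_host, allowlist)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a blog page with three injects and two legitimate loads.
SAMPLE_HTML = """<html><head><title>Blog</title>
<meta http-equiv="refresh" content="0; url=http://gate.invalid/">
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example-allowed.test/lib.js"></script>
</head><body><p>Hello</p>
<iframe src="http://redirector.invalid/gate.php" width="0" height="0" style="display:none"></iframe>
<script>window.location.href="http://ek-landing.invalid/?c=2";</script>
</body></html>"""


def scan_sample():
    """Run the scanner over the constructed page for the assumed host blog.example.test."""
    return scan_html(SAMPLE_HTML, "blog.example.test", ["cdn.example-allowed.test"])


if __name__ == "__main__":
    for kind, host, url in scan_sample():
        print(f"{kind:24} {host:24} {url}")
```

Run it against HTML fetched from the public side of the site (the backdoor typically serves the inject only to visitors, not to the admin), and keep the allowlist to the third-party hosts the site genuinely uses; anything else that appears in the findings is worth pulling the server-side PHP apart for.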

A 20-day analysis of ElTest’s infrastructure from March 15 revealed a network of 52,000 compromised web servers that generated nearly 44 million requests. Were it not for the sinkhole, these requests would have led victims’ browsers to whatever payload ElTest had devised.

The compromised servers are primarily located in the US, Europe and Australia; most of the sites were running the WordPress CMS, but there were also a significant number of compromised sites running Joomla, according to Brilliantit.

Most of the infections were happening on computers in the US, Ukraine and China, according to Proofpoint.

The network of compromised sites created a wide opening to attack PCs in Australia, and compromised Australian sites could also have infected tens of thousands of PCs in other countries.

Kafeine told CSO Australia that during the analysis period there were 169 compromised web servers in Australia, which generated 39,000 hits from browsers around the world. There were also 264,000 visits to ElTest-compromised servers from browsers located in Australia.

Most of ElTest’s malicious domains were registered with a Chinese registrar that, according to Brilliantit, is known for its liberal approach to illegal online pharmacy domain registrations. 

Abuse.ch is alerting national CERTs around the world while ShadowServer is informing network operators.