Popular Russian boxing website compromised

News by Doug Olenick

A cyber-criminal could be risking a serious beating by compromising the popular Russian boxing site allboxing[.]ru with a redirect to a third-party site containing a Russian banking Trojan.

Forcepoint Security Labs said the site, which receives about three million visits per month, has been injected with a malicious iFrame that employs several evasion tactics to avoid being spotted by researchers. The iFrame itself contains a VBScript exploit that leverages CVE-2016-0189 and attempts to run a PowerShell script on the machine.

The creators use an older technique to obfuscate their actions.

“The script ensures that sufficient user interaction has occurred from either clicking, scrolling or moving the mouse. The attacker has given different weighting scores to the different types of user interaction and will only insert the iFrame once the threshold score is above 30. This is a stealth tactic used to prevent automated analysis systems from being redirected to the exploit,” Forcepoint researcher Nicholas Griffin wrote.
