Posted on 29 May, 2018 by Administrator

A ransomware infection was found on the official website of EC-Council, which runs the Certified Ethical Hacker program. After EC-Council did not reply to Fox-IT about the malware injected into its site, Fox-IT decided to go public with the news; an excerpt of their findings can be read at the end of this blog post.

The official website of EC-Council, a New Mexico-based professional organization that runs the Certified Ethical Hacker program, was found this Monday to be serving malware.

The Angler toolkit first appeared in late 2013. Since then, it has grown significantly in popularity in the cyber underworld. Angler evades detection by varying the components it uses (HTML, JavaScript, Flash, Silverlight, Java and more).

On Thursday, after receiving no reply from EC-Council and still seeing that the website was infected, Fox-IT published a blog post showing that the company had failed to respond to them. Unlike other drive-by attacks, this one is very hard for researchers to replicate. The exploit only targets visitors using Internet Explorer, and only when they arrive at the site from search engines such as Google, Bing or Yahoo. Even when these conditions are met, visitors from certain IP addresses in certain geographic locales are also spared.

Here is an excerpt from the Fox-IT team: Through this embedding the client is redirected a couple of times to avoid/frustrate/stop manual analysis and some automated systems. Once the user has jumped through all the redirects he/she ends up on the Angler exploit kit landing page from which the browser, flash player plugin or Silverlight plugin will be exploited. The Angler exploit kit first starts the ‘Bedep’ loader on an exploited victim machine which will download the final payload. The way the redirect occurs on the EC-COUNCIL website is through PHP code on the web server which is injecting the redirect into the web page. A vulnerability in the EC-COUNCIL website is most likely exploited as it runs the very popular WordPress CMS which has been a target through vulnerable plug-ins for years.
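The behaviour described above (the injected redirect only being served to Internet Explorer visitors arriving from a search engine) is why a site owner fetching their own page with a normal client sees nothing. The following is an added example, not code from Fox-IT or from EC-Council's site: it fetches one URL under several client profiles and reports script, iframe or meta-refresh elements that only some profiles receive. The profile headers, the element patterns and the sample HTML are assumptions constructed for this example; the domain redirect.example is a placeholder.

```python
"""Check a page for referrer/user-agent conditional content injection.

Added example; not part of the Fox-IT post or the EC-Council site. Fetch the
same URL under different client profiles, then compare each response against
a plain baseline and report active elements the baseline did not receive.
"""
import re
import urllib.request

# Client profiles to test with (assumptions for this example). The page says
# the injection fired only for Internet Explorer arriving from a search engine.
PROFILES = {
    "baseline": {
        "User-Agent": "curl/8.0",
        "Referer": "",
    },
    "ie_from_google": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
        "Referer": "https://www.google.com/",
    },
    "ie_direct": {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
        "Referer": "",
    },
    "chrome_from_google": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/66.0 Safari/537.36",
        "Referer": "https://www.google.com/",
    },
}

# Elements an injected redirect usually hides in: scripts, iframes and
# meta-refresh tags. The regex is a deliberately simple triage aid.
ELEMENT_RE = re.compile(
    r"<script\b[^>]*>.*?</script>"
    r"|<iframe\b[^>]*>.*?</iframe>"
    r"|<meta\b[^>]*http-equiv=[\"']?refresh[^>]*>",
    re.IGNORECASE | re.DOTALL,
)


def active_elements(html):
    """Return the set of script/iframe/meta-refresh elements in a page, whitespace-normalised."""
    return {" ".join(m.group(0).split()) for m in ELEMENT_RE.finditer(html)}


def find_conditional_injection(responses, baseline="baseline"):
    """Compare every profile's response against the baseline.

    responses maps profile name -> HTML body. Returns {profile: [extra elements]}
    for every profile that received active content the baseline did not.
    """
    base = active_elements(responses[baseline])
    findings = {}
    for name, html in responses.items():
        if name == baseline:
            continue
        extra = active_elements(html) - base
        if extra:
            findings[name] = sorted(extra)
    return findings


def fetch_all(url, profiles=PROFILES, timeout=10):
    """Fetch url once per profile (live check; the sample below does not use it)."""
    responses = {}
    for name, headers in profiles.items():
        req = urllib.request.Request(url, headers={k: v for k, v in headers.items() if v})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            responses[name] = resp.read().decode("utf-8", errors="replace")
    return responses


# Constructed sample responses standing in for four live fetches. Only the
# IE-from-Google profile carries an extra redirect script.
CLEAN_PAGE = """<html><head><title>Site</title>
<script src="/wp-includes/js/jquery.js"></script></head>
<body><p>Welcome</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>window.location="http://redirect.example/landing";</script></body>',
)

SAMPLE_RESPONSES = {
    "baseline": CLEAN_PAGE,
    "ie_from_google": INJECTED_PAGE,
    "ie_direct": CLEAN_PAGE,
    "chrome_from_google": CLEAN_PAGE,
}

if __name__ == "__main__":
    for profile, extras in find_conditional_injection(SAMPLE_RESPONSES).items():
        print(f"{profile}: {len(extras)} element(s) not served to the baseline")
        for element in extras:
            print("   ", element)
```

To run it against a live site you own, replace SAMPLE_RESPONSES with fetch_all("https://your-site.example/") and compare from a network location you have not visited the site from before, since the Fox-IT excerpt notes that some IP ranges were excluded from the redirect as well.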

You can read more here.

