[German]An immediate warning: It seems that cyber criminals has obtained an old (orphaned) Amazon AWS S3 bucked used some times ago to host a Cookie Consent solution. Now the Cookie Consent logo delivered from the Amazon CDN contains a malware/ransomware script. It seems, that thousands of website, using old code, are shipping now this malicious content. Probably it's a ransomware attack. Here is what I've found out so far.
Advertising
First of all, I would like to point out that it does not affect the cookie content ads of my blogs. I use a different plugin, but prepare the whole thing with my previous knowledge.
The GDPR Cookie consent
Since Mai 25, 2018, websites that are business related in the European Union (EU) had to be compliant with the EU General Data Protection Regulation (GDPR). One requirement is a user content to using cookies. This lead to cookie consent solutions on million of websites.
A reader's warning
I just received an e-mail from German blog reader Stefan A., who noticed something strange in the company environment he is in charge of. Stefan wrote:
I came across this morning (in the company I work for) that within an hour 3 users have triggered a virus warning. After a closer inspection I noticed that all three visited sites (e.g. bwl – wissen net / schulferien org) use Cookie Consent on their site, which tries to load a .PNG from the Amazon Cloud.
But this PNG is actually a JScript (was recognized as JS/Downloader), which wants to download a *.exe from the domain soft2webextrain com after my first research. Now I noticed that the PNG was replaced at 03:42 p.m. (EST) against a new one, which is now recognized as ransomware.
Since the JScript was actively replaced here during the day, I assume that the Cookie Consent malicious code is currently being distributed over a large number of pages.
At this point my thanks to Stefan for the hint. To me, the whole thing looks like an action, which is supposed to distribute ransomware widely.
These approaches have been used before
During my quick research I came across the fact that security researchers had already warned of such an attack in August 2018 in the article Cookie Consent Script Used to Distribute Malware. There, a script told the user that his computer was infected and tried to foist Malware on him if he fell for it. A security team also describes such an approach on this website.
Advertising
Further information about the Cookie Content Logo …
Stefan pointed me to an entry on GitHub, that has been published a few hours, and that is naming the same URL and mentioning malware distribution. During writing this blog post, the entry has been deleted.
Addendum: The GitHub entry *https://github.com/osano/cookieconsent/issues/714 was deleted without comment while I was writing the English language blog post. Unfortunately I did not document anything by screenshot. A short sample showed me that the infected logo is still delivered via the URL described in the post.
Note: I know now, why the post (mentioned above) has been deleted on the Osano Git. It has nothing to do with the Osano product.
The now deleted GitHub entry names (falsely) the Osano Cookie Content solution. Osano provides a Osano Consent Manager as an open source solution and also as a Osano Hosted Edition. But both solutions seem to be hosted by Osano – the open source variant now includes a jsdelivr.net CDN to deliver the code.
Within the deleted GitHub entry someone wrote, that they just noticed that on two of their websites the logo for the Cookie Content solution refers to the old URL https*://s3-eu-west-1.amazonaws.com/assets.cookieconsent.silktide.com/cookie-consent-logo.png. The .png file containing the logo (for cookie consent) is infected with malware and thousands of websites that have not updated their code are likely to distribute this malware.
A brief explanation: If I have understood it correctly, users of the open source silktide.com solution have to copy code into their websites to include the Silktide Content Manager. I now suspect that the SilkTide code was previously hosted at Amazon AWS and distributed over their CDN. Then the CDN was changed and an attacker could take over the old Amazon AWS presence. There is this post on GitHub where someone wrote 3 months ago that they wrote everything from scratch and asked to distribute it quickly. However, I may be wrong in my interpretation.
Addendum 2: The founder of Osano have contacted me by mail in the meantime. Their solution never used the Amazon AWS S3 buckets to deliver the code. I know now some background – a blog post with additional details will be linked at the end of the article as soon as it is online.
The author of the now deleted GitHub post wrote 'If you still have access to this URL from the Amazon CDN, you should delete the .png file as soon as possible'. However, I'm not sure if the people who set up the AWS CDN solution even noticed that and still have access. If you are using the cookie content-solution on a webseit, you should check the code, whether is uses the above AWS CDN-URL, and modify the code.
A short test on my part
I then ran a short test and typed the link to the infected Amazon AWS CDN-URL (see above) in the browser to download the content.
According to the above dialog box, I am trying to download a .png file (at least the file name suggests it) from Amazon AWS CDS and save it as a file. The URL of the CDN suggests that content is delivered for Western Europe.
But that didn't work, because the Microsoft Security Essentials that came with me immediately sounded the alarm and eliminated the identified threat.
In the course of this process, the ransomware MSIL/WannaPeace.A is displayed as quarantined. Microsoft has published some brief information on this website. According to this, all Microsoft security products detect this malware.
Note: I wrote the German edition of this blog post, and 15 minutes later this English version. Suddenly the GitHub entry mentioned above, has been deleted. I then run the download test again, the malicious .png logo file with the ransomware script will still be delivered.
Addendum: Lawrence Abrams from Bleeping Computer just point me to Virus Total. It was the parent in January 2020 and it's targeting Portugal.
Additional information on the affected software and further background information will be available soon in a separate article.
Article series
Warning: Infected Cookie Consent logo delivers Ransomware
Compromised SilkTide Cookie-Consent Logo – Part 2
Compromised SilkTide Cookie-Consent Logo – Part 3
Pingback: The Week in Ransomware – May 22nd 2020 – Constantly Innovating – Bleeping Computer
Pingback: Updates 2020-06-03 - SaferPCSaferPC