Mass iframe injection campaign leads to Adobe Flash exploits


We’ve intercepted an ongoing malicious campaign that relies on iFrames injected into, or embedded at, legitimate Web sites, which then act as intermediaries so that client-side exploits can be served to visitors. Let’s dissect the campaign, expose the portfolio of malicious domains and the infrastructure it relies on, and directly connect it with historical malicious activity, in this particular case a social engineering campaign pushing fake browser updates.
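The injected iFrames in this campaign are redirectors: small, off-screen or hidden frames on a compromised page whose src points at the attacker's host. The following triage helper is an added example, not code from the original write-up, and flags iframes with exactly those traits. The HTML it scans is constructed, and the hostnames victim.example, evil.example and tracker.example are placeholders, since the campaign's own URLs are not reproduced on this page.

```python
"""Triage helper: flag iframes in a page that look like injected redirectors.

Added example, not code from the original write-up. SAMPLE_HTML is
constructed; victim.example, evil.example and tracker.example are
placeholder hostnames standing in for the redacted campaign URLs.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '1', '1px' or ' 0 ' to an int; return None if not numeric."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes worth a closer look.

    Heuristics mirror the traits of injected redirectors: a src on a foreign
    host, 0x0 or 1x1 dimensions, or hidden/off-screen styling. Legitimate
    embeds trip these too, so hits are triage leads, not verdicts.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append("external src host: " + host)
        width = _dimension(attrs.get("width", ""))
        height = _dimension(attrs.get("height", ""))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("tiny/zero dimensions")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if "left:-" in style or "top:-" in style:
            reasons.append("positioned off-screen")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate same-origin embed, two injected frames.
SAMPLE_HTML = """
<html><body>
<p>Regular page content</p>
<iframe src="https://victim.example/widgets/weather" width="300" height="200"></iframe>
<iframe src="http://evil.example/in.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://tracker.example/count" style="position:absolute; left:-9999px; top:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "victim.example"):
        print(src, "->", "; ".join(reasons))
```

Run against a saved copy of a suspected page with its own hostname as `page_host`; the same-origin weather widget passes while the two foreign frames are reported with the reason that fired. The check does not follow the frame chain (the secondary iFrame discussed later lives on the attacker's page, not the compromised one), so fetch and re-scan each reported src from an isolated host if you want the full redirection path.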

Sample screenshot of the script identifying the client’s Flash Player version:


iFrame URL: –

Known to have responded to the same IP ( are also the following malicious domains: – Email:

Sample detection rate for the malicious script: MD5: efcaac14b8eea9b3c42deffb42d59ac5 – detected by 30 out of 43 antivirus scanners as Trojan:JS/Iframe.BS

The following malicious MD5s are also known to have been hosted on the same IP (
MD5: 7b3d9e48deac8d0b33f6fc4235361cbd
MD5: ed5c71023a505bd82f5709bfb262e701
MD5: 2e899f619c9582e79621912524a0bafb

Client-side exploits serving URL: –

Domain name reconnaissance: - known to have responded to the same IP is also

Detection rates for the dropped PDF exploits:
MD5: 77cd239509c0c5ca6f52c38a23b505f3 – detected by 3 out of 48 antivirus scanners as Heuristic.BehavesLike.PDF.Exploit-CRT.F; HEUR_PDFJS.STREM
MD5: 131e53c40efddfc58f5ac78c7854bc73 – detected by 3 out of 48 antivirus scanners as Exploit.Script.Heuristic-pdf.gutws; Heuristic.BehavesLike.PDF.Exploit-CRT.F

Both malicious PDF files exploit CVE-2010-0188 (a TIFF-handling vulnerability in Adobe Reader and Acrobat) and also phone back to :
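The low detection rates above (3 out of 48) are typical for this class of dropper, so a static triage pass is worth having alongside antivirus. The script below is an added example, not code from the original write-up: it inflates a PDF's streams and looks for the traits of CVE-2010-0188 exploitation, namely a TIFF image (the vulnerable format) delivered base64-encoded inside an XFA form, plus /OpenAction and JavaScript as the usual triggers. The sample PDF is constructed inside the script with a harmless stub TIFF header, so nothing here is an exploit; the two MD5s listed above are not reproduced.

```python
"""Static triage for PDF droppers of the CVE-2010-0188 kind.

Added example, not code from the original write-up. CVE-2010-0188 is a
TIFF-handling bug in Adobe Reader/Acrobat; public exploits carried the
malformed TIFF base64-encoded in an XFA form image field, usually with
JavaScript launched via /OpenAction. build_sample_pdf() constructs a
benign look-alike with a stub TIFF header for demonstration only.
"""
import base64
import re
import zlib

TIFF_MAGIC = (b"II*\x00", b"MM\x00*")   # little- and big-endian TIFF headers

# Flat dictionary immediately followed by a stream; nested dictionaries are
# not handled, which is enough for triage but not a substitute for a parser.
STREAM_RE = re.compile(rb"<<((?:(?!<<|>>).)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
B64_RE = re.compile(rb">([A-Za-z0-9+/=\s]{16,})<")   # base64 text between XML tags


def pdf_streams(pdf):
    """Yield (dictionary, data) per stream, inflating FlateDecode streams."""
    for match in STREAM_RE.finditer(pdf):
        dictionary, data = match.group(1), match.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # corrupt or unsupported; scan the raw bytes anyway
        yield dictionary, data


def triage_pdf(pdf):
    """Return the list of indicators found; an empty list means none fired."""
    indicators = []
    if b"/OpenAction" in pdf:
        indicators.append("OpenAction: an action runs when the document opens")
    if re.search(rb"/JavaScript|/JS\b", pdf):
        indicators.append("embedded JavaScript")
    if b"/XFA" in pdf:
        indicators.append("XFA form present")
    for _dictionary, data in pdf_streams(pdf):
        if data[:4] in TIFF_MAGIC:
            indicators.append("raw TIFF stream")
        for encoded in B64_RE.findall(data):
            try:
                blob = base64.b64decode(encoded)   # whitespace is discarded
            except ValueError:
                continue
            if blob[:4] in TIFF_MAGIC:
                indicators.append("base64-encoded TIFF inside a stream (XFA image-field pattern)")
    return indicators


def build_sample_pdf():
    """Constructed five-object PDF shaped like the CVE-2010-0188 droppers."""
    stub_tiff = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 24      # header only, benign
    xfa = (b"<xdp:xdp xmlns:xdp='http://ns.adobe.com/xdp/'>"
           b"<field name='ImageField1'><value><image contentType='image/tif'>"
           + base64.b64encode(stub_tiff) +
           b"</image></value></field></xdp:xdp>")
    body = zlib.compress(xfa)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm 4 0 R "
        b"/OpenAction << /S /JavaScript /JS (app.alert\\(1\\)) >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Fields [] /XFA 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream",
    ]
    pdf = b"%PDF-1.6\n"
    for number, obj in enumerate(objects, 1):
        pdf += b"%d 0 obj\n" % number + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


if __name__ == "__main__":
    for indicator in triage_pdf(build_sample_pdf()):
        print("[!]", indicator)
```

A TIFF that only appears after base64 decoding of an XFA stream is the combination to pay attention to; a raw TIFF in a scanned-document PDF is normal, and JavaScript or /OpenAction on their own are common in legitimate forms. Feed `triage_pdf()` the bytes of a real sample to get the fired indicators, and hand anything that trips the XFA-plus-TIFF pattern to a sandbox for the network indicators the write-up relies on.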

It gets even more interesting once you notice that the injected/embedded iFrame URL includes a secondary iFrame pointing to, of all things, a Traffic Exchange network. Not surprisingly, we also identified a related threat that currently uses the same infrastructure as the official Web site of the Traffic Exchange.


Secondary iFrame: –

Known to have responded to the same IP in the past are also the following malicious domains:

This inevitably leads us to MD5: 961dba6cf73d24181634321e90323577 – detected by 13 out of 48 antivirus scanners as TROJ_GEN.R0CBOH0I713; Artemis!961DBA6CF73D.

Once executed, it phones back to – –

The following MD5s are also known to have phoned back to the same IP in the past:
MD5: c4fb386b785e8c337e378d2c318c18c7
MD5: db872312b12f089cc525068b8c67baaf
MD5: 5457197c011263db0820fc6b6788b45c
MD5: 217745fadde1d42cc31ba20b4eb601d3
MD5: ba11bb7704cc36ad55b22c00080b6d39
MD5: 70d821fa0b6bdf30221cce9e3ad40727
MD5: 12d1436481c6a19c05a12578249683b2

Moreover, is also directly related to, as it used to push fake browser updates, similar to the MD5s at and

Webroot SecureAnywhere users are proactively protected from these threats.