Sharing is caring. In this post, I’ll put the spotlight on a currently circulating, massive — thousands of sites affected — malicious iframe campaign, that attempts to drop malicious software on the hosts of unaware Web site visitors through a cocktail of client-side exploits. The campaign, featuring a variety of evasive tactics making it harder to analyze, continues to efficiently pop up on thousands of legitimate Web sites. Ultimately hijacking the legitimate traffic hitting them and successfully undermining the confidentiality and integrity of the affected users’ hosts.
Sample redirection chains:
hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> hxxp://www.profili-benton.si/templates/beez/1.php -> hxxp://www3.omq97dncl0enuzc91.4pu.com -> hxxp://find-and-go.com/?uid=11245&isRedirected=1 -> hxxp://5.199.169.39/piwik/piwik.php?idsite=6
hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> hxxp://www.profili-benton.si/templates/beez/1.php -> hxxp://www3.omq97dncl0enuzc91.4pu.com (95.141.42.88) -> hxxp://www1.vjq1b9261b4d0.4pu.com/i.html (66.199.250.147) -> hxxp://www1.vjq1b9261b4d0.4pu.com/nnnnvdd.html -> hxxp://www1.vjq1b9261b4d0.4pu.com/pdfx.html -> hxxp://www1.vjq1b9261b4d0.4pu.com/qopne.html -> hxxp://www1.vjq1b9261b4d0.4pu.com/fnts.html
hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> hxxp://www.profili-benton.si/templates/beez/1.php -> hxxp://www3.omq97dncl0enuzc91.4pu.com (109.201.135.20) -> hxxp://www1.u7dtn91y8y09.4pu.com/i.html -> hxxp://www1.u7dtn91y8y09.4pu.com/iexp.html -> hxxp://www1.u7dtn91y8y09.4pu.com/jmnyhsr.html
hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> hxxp://profili-benton.si/templates/beez/1.php -> hxxp://www3.e96s0ttcl.4pu.com (109.201.135.20) -> hxxp://www1.thh3ssp6.4pu.com/i.html -> hxxp://www1.thh3ssp6.4pu.com/nnnnvdd.html -> hxxp://www1.thh3ssp6.4pu.com/pdfx.html -> hxxp://www1.thh3ssp6.4pu.com/qopne.html -> hxxp://www1.thh3ssp6.4pu.com/0a8aqgdg7qedig.swf
Sample detection rate for the served client-side exploits:
MD5: 3b141482d57aa716c8686b388fcbc8f3 – detected by 5 out of 47 antivirus scanners as Exploit:Win32/Pdfjsc.AKB
MD5: 4d52aa24c91b2f9b757ab81118f56447 – detected by 5 out of 47 antivirus scanners as Exploit.Win32.CVE-2011-3402.a
MD5: cee8493b53394a2b58228b829f2af25e – detected by 5 out of 47 antivirus scanners as Exploit:Win32/Pdfjsc.AKB
MD5: 1b61c150176f0ab076f8befb46cfc3ce – detected by 4 out of 47 antivirus scanners as Exploit:SWF/Salama.F
Responding to (66.199.250.147) are also the following malicious domain, part of the campaing’s infrastructure:
hxxp://www1.2fmjnfw8yl.4pu.com
hxxp://www1.b245489okr8x5j2ao.4pu.com
hxxp://www1.c5laimisz83pc4.4pu.com
hxxp://www1.cg86g6670v8866.4pu.com
hxxp://www1.d23v9rkj.4pu.com
hxxp://www1.e0ypzxcl2g.4pu.com
hxxp://www1.e0zz7py279t37.4pu.com
hxxp://www1.e3upj5djor1ff8.4pu.com
hxxp://www1.eoyuwo33xk08zk6a6.4pu.com
hxxp://www1.g3qovry5o502d1g8.4pu.com
hxxp://www1.h3x48xalmvan55.4pu.com
hxxp://www1.j-9x9quv8lrdqicyf4.4pu.com
hxxp://www1.j9jw1i0or74893.4pu.com
hxxp://www1.js9fow2qc23vir9m-2.4pu.com
hxxp://www1.k3s7v5h96w4m9rm17.4pu.com
hxxp://www1.k5t56to8.4pu.com
hxxp://www1.kjrca9kozgygi2.4pu.com
hxxp://www1.lr615xyv4ne4ev2s2.4pu.com
hxxp://www1.m-t439plolgh9rg3x8.4pu.com
hxxp://www1.mwqfes56.4pu.com
Responding to (109.201.135.20) are also the following malicious domain, part of the campaing’s infrastructure:
10qaswedrfgthsfh47.4pu.com
2fmjnfw8yl.4pu.com
4gpf37.4pu.com
24r23rfe23.4pu.com
54y5h56yh.4pu.com
6qaswedrfgthsfh46.4pu.com
789568gh48fjh34.4pu.com
8m5w180sfs.4pu.com
98ol8loldd.4pu.com
a-1lj8fexbrqilv.lflink.com
a199ozb9gpvairco9.4pu.com
a6fe5t76kp7xzc5t.lflink.com
a8eb8spt8sp02.lflink.com
aaagxmid11pp-7.4pu.com
ae8w0olox4.4pu.com
ao83szty36u9x-9.lflink.com
auh40nk2.4pu.com
b-8720elxb.4pu.com
b-8qkw4qs.lflink.com
b-9s7rtwq9j.4pu.com
Webroot SecureAnywhere users are proactively protected from these threats.
