Wednesday, March 11, 2009

Azerbaijanian Embassies in Pakistan and Hungary Serving Malware

The very latest addition to the "Compromised International Embassies Series" are the Hungarian and Pakistani embassies of the Republic of Azerbaijan, which are currently iFramed with exploits-serving domains.

Is there such a thing as a coincidence, especially when three malware-embedding attacks in a single week hit Azerbaijan's USAID.gov section and now its Pakistani (azembassy.com.pk) and Hungarian (azerembassy.hu) embassies? It depends: while the USAID.gov attack was orchestrated exclusively against that section, the Pakistani and Hungarian ones are part of a more widespread campaign. Theoretically, the broader campaign could be a noise-generation tactic. Here's a brief assessment of the attacks.

Both embassies are embedded with identical domains, parked at the same IPs and redirecting to the same client-side exploit-serving URL operated by Russian cybercriminals: filmlifemusicsite .cn/in.cgi?cocacola95, promixgroup .cn/in.cgi?cocacola91, betstarwager .cn/in.cgi?cocacola86 and betstarwager .cn/in.cgi?cocacola80 all respond to 78.26.179.64 and 66.232.116.3, and redirect to clickcouner .cn/?t=5 (193.138.173.251).
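As an added example (not code from the original post), a small Python checker that flags iframes matching the pattern described above: the campaign domains named in this post and the in.cgi?cocacolaNN redirector path, with a note when the frame is also sized or styled to be invisible. The sample HTML is constructed, not captured from either embassy site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators from the post (written there with a space before the TLD).
IFRAME_DOMAINS = {"filmlifemusicsite.cn", "promixgroup.cn", "betstarwager.cn"}
# The redirector path pattern shared by all four injected URLs.
REDIRECTOR_PATH = re.compile(r"/in\.cgi\?cocacola\d+$")

class IframeCollector(HTMLParser):
    """Collect every <iframe> src plus whether it is visually hidden."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.iframes.append((src, hidden))

def find_injected_iframes(html):
    """Return (src, reasons) for iframes matching this campaign's pattern."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for src, hidden in parser.iframes:
        u = urlparse(src)
        host = (u.hostname or "").lower()
        path = u.path + ("?" + u.query if u.query else "")
        reasons = []
        if host in IFRAME_DOMAINS:
            reasons.append("known campaign domain")
        if REDIRECTOR_PATH.search(path):
            reasons.append("in.cgi?cocacolaNN redirector")
        if hidden and reasons:
            reasons.append("hidden frame")
        if reasons:
            hits.append((src, ", ".join(reasons)))
    return hits

# Constructed sample page illustrating an injected zero-size frame.
SAMPLE = """<html><body><h1>Embassy</h1>
<iframe src="http://filmlifemusicsite.cn/in.cgi?cocacola95" width=0 height=0></iframe>
<iframe src="https://www.youtube.com/embed/abc"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_injected_iframes(SAMPLE):
        print(src, "->", why)
```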

Parked domains at 78.26.179.64; 66.232.116.3 :

What prompted this sudden attention to Azerbaijani web sites? Azerbaijan's President visiting Iran in the same week that Russian Foreign Minister Sergei Lavrov is visiting Azerbaijan? And why is the malware served at the USAID.gov site phoning back to a well-known Russian Business Network domain (fileuploader .cn/check/check.php), one that was active again in January 2008 and used by one of my favorite malware groups to monitor during 2007/2008, the "New Media Malware Gang" (Part Three; Part Two and Part One)?

Food for thought.

Related posts:
Embassy of India in Spain Serving Malware
Embassy of Brazil in India Compromised
The Dutch Embassy in Moscow Serving Malware
U.S Consulate in St. Petersburg Serving Malware
Syrian Embassy in London Serving Malware
French Embassy in Libya Serving Malware
