Only an amateur or unethical competition would embedd
malicious links at the Embassy of Brazil in India's site, referencing their online community. With the chances of
an Embassy involvement into the fake antivirus software industry close to zero, let's assess the attack that took place.
The compromise is a great example of a mixed use of pure malicious domains in a combination with compromised legitimate ones and on purposely registered accounts at free web space providers, hosting the blackhat SEO content. However, digging deeper we expose the entire malicious doorways ecosystem pushing PDF exploits, banker malware and Zlob variants. The malicious attackers embedded links to their blackhat SEO farms advertising fake security software, and also a link to a traffic redirection doorway
epmwckme.dex1.comhtkobaf.dex1.comogbucof.dex1.comsegundomuelle.com/mex/antivirusjgzleaa.dex1.comigpran.ru/services/tolstye
The active and redirecting
traff .asia (89.149.251.203) is currently serving a fake account suspended notice - "
This account has been suspended. Either the domain has been overused, or the reseller ran out of resources." but is whatsoever redirecting us to
antimalware09 .net. This particular traffic redirection doorway is actively redirecting us to a command and control server running a well known web malware exploitation kit which is currently serving PDF exploits.
google-analyze .com/socket/index.php (216.195.59.77) from where we're redirected to
google-analyze.com/tracker/load.php which is serving system.exe (Trojan-Spy.Win32.Zbot.ehk; Win32.TrojanSpy.Zbot.gen!C.5), and
google-analyze .com/tracker/pdf.php (Exploit:Win32/Pdfjsc.G; Exploit.JS.Pdfka.w; Bloodhound.Exploit.196). Naturally, within the live exploit URLs there are multiple IFRAMEs redirecting us to more of this group's campaigns.
google-analyze .com has multiple IFRAMEs pointing to
google-analystic .net (209.160.67.56), yet another traffic redirection doorway further exposing their campaigns.
For instance,
google-analystic .net/in.cgi?20 loads
google-analystic.net/tea.php (209.160.67.56) where
google-analystic .net/in.cgi?8 is redirecting to
91.203.93.61 /in.cgi?2 taking us to
91.203.93.61 /25/2/ where we deobfuscate the javascript leading us to the exact location of the PDF exploit -
91.203.93.61 /25/2/getfile.php?f=pdf. This is just for starters.
google-analystic .net/in.cgi?9 redirects to
mangust32 .cn/pod/index.php (218.93.202.102) where they serve load.exe (Backdoor:Win32/Koceg.gen!A) at
mangust32 .cn/pod2/load.php and load.exe at
mangust32 .cn/eto2/load.php, moreover,
google-analystic .net/in.cgi?10 leads us to
mmcounter .com/in.cgi?id194 (94.102.50.130) a traffic management login which is no longer responding. The last IFRAME found within google-analystic points to
busyhere .ru/in.cgi?pipka (91.203.93.16) which redirects to
beshragos .com/work/index.php (79.135.187.38) where once we deobfuscate the script, we get to see the PDF exploit location
beshragos.com /work/getfile.php?f=pdf.
What's contributing to the increase of PDF exploits durin the last month? It's an updated version of a web based malware exploitation tool, which despite the fact that it remains proprietary for the time being, will leak in the next couple of weeks causing the usual short-lived epidemic.
Related posts:The Dutch Embassy in Moscow Serving MalwareU.S Consulate in St. Petersburg Serving MalwareSyrian Embassy in London Serving MalwareFrench Embassy in Libya Serving Malware
When you get the "privilege" of getting DDoS-ed by a high profile DDoS for hire service used primarily by cybercriminals attacking other cybercriminals, you're officially doing hell of a good job exposing money laundering scams.
