Dutch users were recently targeted in a website compromise involving nu.nl, one of the most popular news sites in the Netherlands. The site was compromised and modified to load a malicious iframe, which resulted in visitors’ systems being infected with a SINOWAL variant.
Trend Micro researcher Feike Hacquebord says that, considering the different characteristics of this attack, it seems to have been specifically designed to affect Dutch users. Aside from the affected site being one of the most popular sites in the country, the scripts inserted into the website were activated right before lunch time in the Netherlands – a time Dutch users typically use to check the news and other sites while in the office.
According to nu.nl’s released statement, they believe that attackers exploited a vulnerability in the news group’s content management system (CMS), allowing them to insert two scripts – g.js and gs.js – on a nu.nl subdomain.
Investigation reveals that the scripts, detected by Trend Micro as JS_IFRAME.HBA, are highly obfuscated and, when executed, redirect users to yet another script, specifically one that loads various exploits.
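The injection pattern described above (externally loaded scripts on a compromised site plus a hidden iframe pointing at an exploit landing page) can be spotted in a page’s HTML with a simple content check. The following is an added example, not code from the original post or from Trend Micro; the HTML sample and all hostnames are constructed placeholders, and the allow-list of expected script hosts is an assumption:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling an injected hidden iframe plus two scripts
# loaded from an attacker-controlled host (all hostnames are placeholders).
SAMPLE_HTML = """
<html><head>
<script src="https://static.example-news.test/app.js"></script>
<script src="https://cdn.example-attacker.test/g.js"></script>
<script src="https://cdn.example-attacker.test/gs.js"></script>
</head><body>
<iframe src="http://landing.example-attacker.test/in.php"
        width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

ALLOWED_HOSTS = {"static.example-news.test"}  # assumed allow-list of own CDN hosts

class InjectScanner(HTMLParser):
    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.findings = []  # (tag, src, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            if host not in self.allowed:
                self.findings.append(("script", a["src"], "unexpected host"))
        elif tag == "iframe":
            # Tiny or CSS-hidden iframes are the classic drive-by injection pattern.
            reasons = []
            for dim in ("width", "height"):
                v = a.get(dim, "").strip().rstrip("px")
                if v.isdigit() and int(v) <= 1:
                    reasons.append(f"{dim}={v}")
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by style")
            host = urlparse(a.get("src", "")).hostname or ""
            if host and host not in self.allowed:
                reasons.append("unexpected host")
            if reasons:
                self.findings.append(("iframe", a.get("src", ""), ", ".join(reasons)))

def scan(html, allowed=ALLOWED_HOSTS):
    s = InjectScanner(allowed)
    s.feed(html)
    return s.findings
```

Running `scan(SAMPLE_HTML)` returns the two foreign scripts and the 1x1 hidden iframe; in practice the same check would be run against a fetched copy of your own pages and alerted on.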
This exploit kit, detected as JS_BLACOLE.HBA, was found to be the Nuclear Pack exploit kit. Upon execution, it checks the affected system for vulnerable software and then downloads any applicable exploit that can run successfully. The software versions it targets include:
- Adobe Reader versions between 8 and 9.3
- Java versions between 5 and 6, and between 5.0.23 and 6.0.27
Aside from the software above, the Nuclear Pack exploit kit is also capable of exploiting vulnerabilities in Windows components such as Microsoft Data Access Components (MDAC), Help and Support Center (HCP), and Microsoft Office Web Components (OWC) Spreadsheet.
A successful exploit then leads to the download of the downloader TROJ_SMOKE.JH, which in turn downloads the SINOWAL variant TROJ_SINOWAL.SMF. At the time of the infection, Trend Micro already detected this SINOWAL variant.
TROJ_SINOWAL.SMF collects information about the affected system, such as:
- The system’s hard disk serial number
- Running processes
- Software registered in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry key
TROJ_SINOWAL.SMF is also said to download another component that is capable of infecting the MBR of an affected machine.
Data gathered from the Trend Micro™ Smart Protection Network™ reveals that most of the users who attempted to access the URL used by JS_BLACOLE.HBA while the site was loading malicious files were indeed from the Netherlands.
Hat tip to security evangelist Ivan Macalintal for additional insights and analysis.