The Latest in IT Security

Hacked Chinese ‘.gov’ site leads to Phishing and Banking Trojan

13
May
2011

This Chinese owned website (www.smqx.gov.cn):

has been hacked (www.smqx.gov.cn/indonesia.htm):

The screen above contains a sentence in Malay (used in Malaysia, Singapore and Indonesia amongst other countries). It kind of makes sense given the URL name (indonesia.htm)

Tidak ada seorangpun, hewan atau banci yang disakiti dalam hacking ini” roughly translates to “No one or animal was hurt in this hacking” .

Besides this defacement, we can also find Phishing pages:

MasterCard phish hosted at www.smqx.gov.cn/mastercard/ae.html:

And another one here:

It is luring users into running a file from: www.smqx.gov.cn/mastercard/mastercard_fatura.exe

VirusTotal Report (15/41).

Upon execution, the Trojan calls home to webmail.imicro.com.br (200.243.56.220), a server located in Brazil.

imicro.com.br is a Brazilian Internet Service Provider that provides wireless broadband access:

It appears as though they have been hacked themselves:

The following path hosts various pieces of malware:

webmail.imicro.com.br/SQL/

cashkey.gif (VT report here)

case1.gif (VT report here)
case2.gif (VT report here)
case3.gif (VT report here)

etc.

Some of these files are downloaded by mastercard_fatura.exe (the .gif extension is a trick to hide actual executable files):

The binary is rather bulky (3.3 Mb) and appears to have been built with the autoit program.

One thing I noticed is the language the program was compiled from which could mean the malware writer is from the U.K.:

Regardless, it might be time for some folks to patch up those breaches and clean things up before the bad guy behind this makes himself too much money.

Jerome Segura

Leave a reply


Categories

FRIDAY, NOVEMBER 24, 2017

Featured

Archives

Latest Comments

Social Networks