This Chinese owned website (www.smqx.gov.cn):
has been hacked (www.smqx.gov.cn/indonesia.htm):
The screen above contains a sentence in Malay (used in Malaysia, Singapore and Indonesia amongst other countries). It kind of makes sense given the URL name (indonesia.htm)
“Tidak ada seorangpun, hewan atau banci yang disakiti dalam hacking ini” roughly translates to “No one or animal was hurt in this hacking” .
Besides this defacement, we can also find Phishing pages:
MasterCard phish hosted at www.smqx.gov.cn/mastercard/ae.html:
And another one here:
It is luring users into running a file from: www.smqx.gov.cn/mastercard/mastercard_fatura.exe
VirusTotal Report (15/41).
Upon execution, the Trojan calls home to webmail.imicro.com.br (126.96.36.199), a server located in Brazil.
imicro.com.br is a Brazilian Internet Service Provider that provides wireless broadband access:
It appears as though they have been hacked themselves:
The following path hosts various pieces of malware:
cashkey.gif (VT report here)
Some of these files are downloaded by mastercard_fatura.exe (the .gif extension is a trick to hide actual executable files):
The binary is rather bulky (3.3 Mb) and appears to have been built with the autoit program.
One thing I noticed is the language the program was compiled from which could mean the malware writer is from the U.K.:
Regardless, it might be time for some folks to patch up those breaches and clean things up before the bad guy behind this makes himself too much money.
Leave a reply