The decrypted code creates a hidden IFRAME tag with a malicious reference in it.
At the time the infection was discovered, we recorded a couple of malware-serving domains:
vjlnwoof.dhcp.biz: 220.127.116.11 hosted in the Russian Federation
mvulhlky.tld.cc: 18.104.22.168 hosted in China
ring.t3.estrack.net: 22.214.171.124 hosted in South Korea
While we were writing this article, our sensors reported another alert, on the domain Staticyonkis.com. Its advertisement delivery is infected by the same BlackHole malware. The number of blocked intrusions from this domain reported by our clients is around 496.000 hits and is still increasing. The VirusTotal detection ratio of this malware is rather low: 7/42.