As of 11:05 PM (GMT-4:00) on August 25, six months after that blog post was published, GFI Senior Exploit Analyst Francesco Benedini was alerted that KVGB was still housing obfuscated JS code. Below is a screenshot of the code found on the site:
After deobfuscation, Benedini determined that the supposedly malicious domain is inactive and thus poses no threat to visitors of the bank's site. The script itself, however, is still working. We detect the malicious code as Trojan-Downloader.JS.Twettir.a (v), and VirusTotal shows a 24/43 detection ratio across all AV companies.
Our experts have also pointed out that the attack is related to the MBR rootkit (Trojan-Spy.Madlo) we generally know as Sinowal / Mebroot. This is because (1) the obfuscation technique used in this attack is reminiscent of the technique used by Sinowal, and (2) the structure of the inactive URL follows the one seen in Sinowal infection campaigns.
GFI is currently attempting to reach KVGB in order to help them clean up their website.
Jovi Umawing (Thanks to Adam Thomas for additional information)