The obfuscated JS is enclosed in “<!–2d3965–>” and “<!–/2d3965–>” tags.
De-obfuscated JS checks a cookie value to determine if the page was loaded in the browser previously. If the code is being loaded for the first time, it then creates a cookie called “visited_uq” which is set with a value of “55” for one day with a path of ‘/’. It then calls function which creates an iFrame.
The following code performs an iFrame redirection to “hxxp://ecurie80.hostzi.com/Felenne12/clik.php“
VT Report for “bmrc.co.in/careers.htm“:
URL Scan: 8/39
File Scan: 18/47
At the moment, the
redirection is no longer serving malicious code. The page ultimately resides at a free hosting service (000webhost.com) but appears to have been taken down. The page could however be revived at some point and the original vulnerability which led to the infection may still exist, so users are advised to avoid the BMRC website until this issue has been addressed. ThreatLabZ has informed BMRC about this infection.
Leave a reply