I was about to contact the owners of ‘water for people’ but something stopped me in my tracks:
The site I was looking at (c0re.us) was spoofing content from www.waterforpeople.org
With the one difference that hackers included a drive-by download:
Among other things, this code snippet triggers a Java drive-by (coldhardcash4us.com/images/modules/helpers/JavaSignedApplet.jar):
The ultimate payload comes from a file hosted on that server called bot.exe:
Both malicious domains are hosted on the same server (18.104.22.168) and ASN (51430) belonging to ALTUSHOST.
Altushost is a crime-friendly hosting provider located in Belize.
Leave a reply