‘Welcome to Bulgaria’ site infected…
Our honeypots flagged this site as malicious: legal.bg
They also gave us the drive-by download:
git77.biz/myy/dateoiou1.exe
But I wanted to know more about how this happened…
The Bulgarian site contains obfuscated JavaScript:
And a particularly long piece of Unicode with a lot of ‘V’s in it:
The new variable uses the “split” function to clear the ‘V’s out of the way.
Another variable is set up as a string:
Then a ‘for’ loop goes through each single character of the long variable once the ‘V’s have been removed:
Finally, the document.write method adds the last piece of the puzzle: an iframe, written so that it stays hidden. The hiding is done by the “opacity=0” attribute defined inside the long piece of Unicode (more on that later).
So, how did we deobfuscate this?
Well, we commented out the blue code above… and used our own document.write:
It simply takes the variable containing the iframe and writes it out with a space between each character. That way the markup is printed as text rather than rendered, so the opacity attribute can no longer hide it. This is what it looks like in clear text:
So what about those iframes that are 0 pixels in width and height? Too easy to detect… Yes, probably. This one is “in your face” (width=“480” height=“60”) and yet totally invisible thanks to opacity=0.
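As an added example (not code from the original post), here is the decoding pattern described above reconstructed in JavaScript on a constructed sample. The encoding used, hex character codes separated by ‘V’s, is an assumption, since the post only shows the script as a screenshot, and the iframe URL is a placeholder. It also includes the analyst's replacement for document.write and a check that flags an iframe hidden by opacity rather than by a zero size.

```javascript
// Constructed sample: a benign stand-in for the hidden iframe, with a
// placeholder URL. A real sample would be pasted in from the page.
const HIDDEN_MARKUP =
  '<iframe src="http://example.invalid/placeholder" width="480" height="60" ' +
  'style="opacity:0"></iframe>';

// Hypothetical encoder: each character's hex code, joined by 'V'. This is
// an assumption about the sample's format, not the kit's actual scheme.
function encodeSample(markup) {
  return Array.from(markup, ch =>
    ch.charCodeAt(0).toString(16).padStart(2, '0')).join('V');
}

// The "long piece of unicode with a lot of 'V's in it".
const OBFUSCATED = encodeSample(HIDDEN_MARKUP);

// Mirrors the script's two steps: split on 'V', then a for loop that walks
// every chunk and rebuilds one character from it.
function decodeObfuscated(blob) {
  const parts = blob.split('V');
  let out = '';
  for (let i = 0; i < parts.length; i++) {
    out += String.fromCharCode(parseInt(parts[i], 16));
  }
  return out;
}

// Analyst replacement for document.write: never touch the DOM, just return
// the markup with a space between each character so it prints as text.
function revealWrite(markup) {
  return markup.split('').join(' ');
}

// Detection check: an iframe that has a visible size but is made invisible
// through opacity=0 (either as an attribute or inside a style).
function isOpacityHiddenIframe(markup) {
  const isIframe = /<iframe\b/i.test(markup);
  const hiddenByOpacity = /opacity\s*[:=]\s*["']?0(\.0+)?\b/i.test(markup);
  return isIframe && hiddenByOpacity;
}

// Stand-alone run: decode the blob and show it in clear text.
console.log(revealWrite(decodeObfuscated(OBFUSCATED)));
console.log('hidden by opacity:', isOpacityHiddenIframe(decodeObfuscated(OBFUSCATED)));
```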
The final payload is an executable detected on VirusTotal as:
Thanks to Newaz Rafiq for his help on the deobfuscation part.
Jerome Segura
Malware ID: 4e1741d0a991ada20b9a788f2074f0ba.zip
Update: this appears to use the Fragus exploit kit. More info here from MalwareDomainList (thanks to MalwareScene).