Sharing is caring. In this post, I’ll put the spotlight on a currently circulating, massive — thousands of sites affected — malicious iframe campaign, that attempts to drop malicious software on the hosts of unaware Web site visitors through a cocktail of client-side exploits. The campaign, featuring a variety of evasive tactics making it harder to analyze, continues to efficiently pop up on thousands of legitimate Web sites. Ultimately hijacking the legitimate traffic hitting them and  successfully undermining the confidentiality and integrity of the affected users’ hosts.

Muti-Hop_Mass_iframe_Exploits_Cybercrime

Sample redirection chains:
hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> hxxp://www.profili-benton.si/templates/beez/1.php -> hxxp://www3.omq97dncl0enuzc91.4pu.com -> hxxp://find-and-go.com/?uid=11245&isRedirected=1 -> hxxp://5.199.169.39/piwik/piwik.php?idsite=6

hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> hxxp://www.profili-benton.si/templates/beez/1.php -> hxxp://www3.omq97dncl0enuzc91.4pu.com (95.141.42.88) -> hxxp://www1.vjq1b9261b4d0.4pu.com/i.html (66.199.250.147) -> hxxp://www1.vjq1b9261b4d0.4pu.com/nnnnvdd.html -> hxxp://www1.vjq1b9261b4d0.4pu.com/pdfx.html -> hxxp://www1.vjq1b9261b4d0.4pu.com/qopne.html -> hxxp://www1.vjq1b9261b4d0.4pu.com/fnts.html

hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> hxxp://www.profili-benton.si/templates/beez/1.php -> hxxp://www3.omq97dncl0enuzc91.4pu.com (109.201.135.20) -> hxxp://www1.u7dtn91y8y09.4pu.com/i.html -> hxxp://www1.u7dtn91y8y09.4pu.com/iexp.html -> hxxp://www1.u7dtn91y8y09.4pu.com/jmnyhsr.html

hxxp://www.cibonline.org/cache/mod_poll/7c7478fde2f89a23.php -> hxxp://www.haphuongfoundation.net/vietnam/language/pdf_fonts/www/all2.php -> hxxp://profili-benton.si/templates/beez/1.php -> hxxp://www3.e96s0ttcl.4pu.com (109.201.135.20) -> hxxp://www1.thh3ssp6.4pu.com/i.html -> hxxp://www1.thh3ssp6.4pu.com/nnnnvdd.html -> hxxp://www1.thh3ssp6.4pu.com/pdfx.html -> hxxp://www1.thh3ssp6.4pu.com/qopne.html -> hxxp://www1.thh3ssp6.4pu.com/0a8aqgdg7qedig.swf

Sample detection rate for the served client-side exploits:
MD5: 3b141482d57aa716c8686b388fcbc8f3 – detected by 5 out of 47 antivirus scanners as Exploit:Win32/Pdfjsc.AKB
MD5: 4d52aa24c91b2f9b757ab81118f56447 – detected by 5 out of 47 antivirus scanners as Exploit.Win32.CVE-2011-3402.a
MD5: cee8493b53394a2b58228b829f2af25e – detected by 5 out of 47 antivirus scanners as Exploit:Win32/Pdfjsc.AKB
MD5: 1b61c150176f0ab076f8befb46cfc3ce – detected by 4 out of 47 antivirus scanners as Exploit:SWF/Salama.F

Responding to (66.199.250.147) are also the following malicious domain, part of the campaing’s infrastructure:
hxxp://www1.2fmjnfw8yl.4pu.com
hxxp://www1.b245489okr8x5j2ao.4pu.com
hxxp://www1.c5laimisz83pc4.4pu.com
hxxp://www1.cg86g6670v8866.4pu.com
hxxp://www1.d23v9rkj.4pu.com
hxxp://www1.e0ypzxcl2g.4pu.com
hxxp://www1.e0zz7py279t37.4pu.com
hxxp://www1.e3upj5djor1ff8.4pu.com
hxxp://www1.eoyuwo33xk08zk6a6.4pu.com
hxxp://www1.g3qovry5o502d1g8.4pu.com
hxxp://www1.h3x48xalmvan55.4pu.com
hxxp://www1.j-9x9quv8lrdqicyf4.4pu.com
hxxp://www1.j9jw1i0or74893.4pu.com
hxxp://www1.js9fow2qc23vir9m-2.4pu.com
hxxp://www1.k3s7v5h96w4m9rm17.4pu.com
hxxp://www1.k5t56to8.4pu.com
hxxp://www1.kjrca9kozgygi2.4pu.com
hxxp://www1.lr615xyv4ne4ev2s2.4pu.com
hxxp://www1.m-t439plolgh9rg3x8.4pu.com
hxxp://www1.mwqfes56.4pu.com

Responding to (109.201.135.20) are also the following malicious domain, part of the campaing’s infrastructure:
10qaswedrfgthsfh47.4pu.com
2fmjnfw8yl.4pu.com
4gpf37.4pu.com
24r23rfe23.4pu.com
54y5h56yh.4pu.com
6qaswedrfgthsfh46.4pu.com
789568gh48fjh34.4pu.com
8m5w180sfs.4pu.com
98ol8loldd.4pu.com
a-1lj8fexbrqilv.lflink.com
a199ozb9gpvairco9.4pu.com
a6fe5t76kp7xzc5t.lflink.com
a8eb8spt8sp02.lflink.com
aaagxmid11pp-7.4pu.com
ae8w0olox4.4pu.com
ao83szty36u9x-9.lflink.com
auh40nk2.4pu.com
b-8720elxb.4pu.com
b-8qkw4qs.lflink.com
b-9s7rtwq9j.4pu.com

Webroot SecureAnywhere users are proactively protected from these threats.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This