Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits – part two

Ever since we exposed and profiled the evasive, multi-hop, mass iframe campaign that affected thousands of Web sites in November, we continued to monitor it, believing that the cybercriminal(s) behind it, would continue operating it, basically switching to new infrastructure once the one exposed in the post got logically blacklisted, thereby undermining the impact of the campaign internationally. Not surprisingly, we were right. The campaign is not only still proliferating, but the adversaries behind it have also (logically) switched the actual hosting infrastructure. Let’s dissect the currently active malicious iframe campaign that continues to serving a cocktail of (patched) client-side exploits, to users visiting legitimate Web sites.

Sample screenshot of one of the malicious scripts:

Redirection chain: harshimadhaparia.com/libraries/domit/domit/all2.php -> roiauctionsstore.com/templates/beez/1.php -> hxxp://www3.hotzofix.kjyg.com or hxxp://www3.judtn3qyy1yv-4.4pu.com -> hxxp://www1.gtyg4h3.4pu.com/i.html -> hxxp://www1.gtyg4h3.4pu.com/nnnnvdd.html -> hxxp://www1.gtyg4h3.4pu.com/pdfx.html -> hxxp://www1.gtyg4h3.4pu.com/taftaf.html -> hxxp://www1.gtyg4h3.4pu.com/fnts.html -> find-and-go.com/?uid=10088&isRedirected=1

Domain names reconnaissance:
hxxp://www3.judtn3qyy1yv-4.4pu.com – 188.116.34.246
hxxp://www1.gtyg4h3.4pu.com – 188.116.34.246
find-and-go.com – 78.47.4.178

Known to have responded to the same IP (188.116.34.246) are also the following malicious domains:
hxxp://www1.a36p7sillle3u8.4pu.com
hxxp://www1.a8ob5zb0gl0ci3.4pu.com
hxxp://www1.azpbn5279isyhovf5.4pu.com
hxxp://www1.b-2wx8s0z64i30k2j.4pu.com
hxxp://www1.d0okhcwq9mt1lupg3.4pu.com
hxxp://www1.e6nsivn331lw8.4pu.com
hxxp://www1.evz4qr6.4pu.com
hxxp://www1.ftmfuugbx3hj13.4pu.com
hxxp://www1.g3buqxs3.4pu.com
hxxp://www1.gtyg4h3.4pu.com
hxxp://www1.h2qxs1vj3x73w0.4pu.com
hxxp://www1.hknbyl6lbm18-2.4pu.com
hxxp://www1.i-2kf6l3i.4pu.com
hxxp://www1.i-pf8jnyhg6tn43.4pu.com
hxxp://www1.iwywekgu03rpgvzw4.4pu.com
hxxp://www1.j1akhhmw3rzjdcvf.4pu.com
hxxp://www1.j5slm5tom0yr9.4pu.com
hxxp://www1.jccydfg38zi34.4pu.com
hxxp://www1.jxka0hpqxthfm2.4pu.com
hxxp://www1.k78xp1x3.4pu.com
hxxp://www1.l7f5rmwvixm01r.4pu.com
hxxp://www1.ltb8i8sy66i5.4pu.com
hxxp://www1.myf48ql3.4pu.com
hxxp://www1.n82dj5qko2qe2q.4pu.com
hxxp://www1.olf4wmrg6toj6.4pu.com
hxxp://www1.p-76pxg3d.4pu.com
hxxp://www1.pjpgqbu1.4pu.com
hxxp://www1.px0wgrpg3ox769.4pu.com
hxxp://www1.px5qhf32.4pu.com
hxxp://www1.q-3bxzjy6qh9s6gve7.4pu.com
hxxp://www1.q9ux2132yf4u29wt.4pu.com
hxxp://www1.qnilrhnnny6go9.4pu.com
hxxp://www1.s-0natmmjzkqhy7.4pu.com
hxxp://www1.sl5gn3q6g75f8.4pu.com
hxxp://www1.sus3cpv6c0if6.4pu.com
hxxp://www1.sxeyw56ov0qyxtir-5.4pu.com
hxxp://www1.szk0zxdsfy72f3.4pu.com
hxxp://www1.tbt2r99ldyrr6.4pu.com
hxxp://www1.ur8sc24ojzyjr5.4pu.com
hxxp://www1.y48939gqmhrhjw.4pu.com
hxxp://www1.y6vymtqeg345cg.4pu.com
hxxp://www1.y7odtnqghhxziqjv.4pu.com
hxxp://www1.yec2nmr3.4pu.com
hxxp://www1.zk56z207.4pu.com
hxxp://www1.ztrazr0uggov1.4pu.com
hxxp://www2.e0nn25vfmhyreuvtc.apfi.biz
hxxp://www2.nxzdez09py3jv6.apfi.biz
hxxp://www2.p8ipv5zy5iiyt4.apfi.biz
hxxp://www2.q4sji17b.apfi.biz
hxxp://www3.a8c798u76egdul.4pu.com
hxxp://www3.d4kzsrl9f9t4-3.4pu.com
hxxp://www3.flv5yvarxot5.4pu.com
hxxp://www3.g-3biuiylzma2hft.4pu.com
hxxp://www3.hotzofix.kjyg.com
hxxp://www3.j9hdbwok.4pu.com
hxxp://www3.k3dfewr00vok.4pu.com
hxxp://www3.p0k8oz7.4pu.com
hxxp://www3.q3bxxws9ispsz.4pu.com
hxxp://www3.t3rk5zajpzpm4i.4pu.com
hxxp://www3.u-6zklvj2w66448oy9.4pu.com
hxxp://www3.vxqq241.4pu.com
hxxp://www3.xkdav1z3.4pu.com

Detection rates for the malicious scripts, dropped malicious files:
MD5: fe0e411c124ae75dad81f084244098c3 – detected by 1 out of 48 antivirus scanners as Mal/FakeAvJs-A
MD5: 89821fa040ddaa7e3c0c6e250cd67818 – detected by 9 out of 48 antivirus scanners as HEUR:Exploit.PDF.Generic; Exploit:Win32/Pdfjsc.AKB
MD5: b458e58e99d9464d931086e9d9c77501 – detected by 9 out of 47 antivirus scanners as Script/PDF.Exploit; HEUR_PDFJS.STREM
MD5: 2ec944c70459c55280ece012224cfe66 – detected by 9 out of 46 antivirus scanners as Trojan.Script.Heuristic-pdf.gutwr
MD5: e892136518ab2a4ca0e76bf8973d3fc5 – detected by 9 out of 46 antivirus scanners as Exploit:Win32/Pdfjsc.AKB
MD5: b4113f99a2c68f7e051b351a846e1886 – detected by 3 out of 46 antivirus scanners as TTF:CVE-2011-3402 [Expl]; Exploit.Win32.CVE-2011-3402.a

Webroot SecureAnywhere users are proactively protected from these threats.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.