While analyzing the URLs of malicious redirectors our product had detected, a Flash object hosted on .gov.br domain caught my eye. Since my Portuguese is a little rusty, I turned to a colleague in our office in Brazil, and she confirmed that the domain belongs to the city of Franca in S�o Paulo, Brazil.
One of the JavaScript files on the website has been appended with malicious code that loads the Flash redirector. Here is a snippet of the Fiddler session:
The request highlighted in yellow loads the malicious Flash object which injects an iframe that redirects the browser to another domain (blurred in the screenshot).
It seems that the website was compromised by exploiting the outdated version 1.5 of open-source content management system Joomla. Most likely this is not the only .gov.br website running the unpatched version: Senior Security Researcher Fabio Assolini pointed out in his tweet that incidents on .gov.br domain are very common.
We have contacted the Computer Security and Incident Response Team - CTIR Gov about the incident.
F-Secure detects the malicious Flash object (SHA1:b0c68dbd6f173abf6c141b45dc8c01d42f492a20) as Trojan:SWF/Redirector.EQ. In addition, our Browsing Protection component blocks access to the compromised URLs until the website has been cleaned.
