Last week, we got a tip from Kafeine about hacked sites serving injected iframes leading to an exploit kit. We thought it was quite interesting so we looked at one of the infected websites and found this sneaky piece of code:
The deobfuscated code shows the location from where the injected iframe URL will be gathered from, as well as the use of cookie to allow the redirection. It also shows that it only targets to infect those browsing from IE, Opera and Firefox.
And now for some good old snippet from the source site and infected site:
When an infected website successfully redirects, the user will end up with a Neutrino exploit kit that is serving some Java exploit:
We haven't fully analyzed the trojan payload yet, but initial checks showed that it makes HTTP posts to this IP:
Early this week, when it probably was not in full effect yet, the injected URLs were leading to google.com. However, it went in full operation starting yesterday evening when it began redirecting to Neutrino to serve Java exploits.
Based on that timeline, we plotted the location of all the IP addresses that visited the infected sites to a map. These IPs are potential victims of this threat. There were approximately 80,000 IPs.
We also plotted the location of the infected websites and so far, there were around 20,000+ domains affected by this threat. The infected sites appear to be using either WordPress or Joomla CMS.
You can also find other information about this threat in Kafeine's blog post.
Samples related to this post are detected as Trojan:HTML/SORedir.A, Exploit:Java/Majava.A, and Trojan:W32/Agent.DUOH.