On most days, our WorldMap shows more of the same thing. Today is an exception.
[Image: WorldMap]
One infection is climbing so high in the charts that it captured our attention.
Checking the recent history of this threat, we saw that its infection hits have been increasing over the past few days.
[Image: infection-hit history for this threat]
So we dug deeper. It wasn't long before we saw that a lot of scripts hosted on various websites had been compromised. Our telemetry showed that almost 40% of the infected websites were hosted in Germany. On those sites, malicious code has been appended to the scripts; it can be as simple and short as this:
[Screenshot: short malicious code appended to a script]
Or a bit longer, making use of cookies, such as this:
[Screenshot: longer appended code that uses cookies]
Successful redirection leads to a fake Flash download site that looks similar to these pages:
[Screenshots: three fake Flash download pages]
The user would have to manually click on the Download Now link before a file called flashplayer.exe could be downloaded from a certain SkyDrive account.
When the malicious flashplayer.exe is executed, this message is displayed to the user:
[Screenshot: message shown by flashplayer.exe]
Meanwhile, in the background, it connects to the same SkyDrive account once again in order to download another piece of malware.
[Screenshot: second download from the same SkyDrive account]
Initial analysis showed that the sample connects to these locations:
[Screenshot: network locations contacted by the sample]
SHA1 Hashes:
804d61d9d363d2ad412272043744701096e4b7f8
b9af02020389459d01911c7c4f4853bf3b5eafe4
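The passages above give a responder two things to check on a suspected site: legitimate scripts with a redirector appended to the end, and the two SHA1 hashes of the downloaded executables. The following Python script is an added example written for this post, not code from the authors or from the vendor: it compares served scripts against a known-good manifest, reports any file that has had bytes appended, flags tails that both touch document.cookie and set the browser location, and matches file hashes against the two SHA1s listed above. The file names, the stub library and the injected tail are constructed for the example; the cookie and redirect patterns are assumptions, since the post shows the injected code only in screenshots.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# SHA1 hashes published in the post for the two samples (the flashplayer.exe
# downloader and the malware it fetches from SkyDrive).
IOC_SHA1 = {
    "804d61d9d363d2ad412272043744701096e4b7f8",
    "b9af02020389459d01911c7c4f4853bf3b5eafe4",
}

# Heuristic markers for a cookie-gated redirector. These patterns are an
# assumption: the post shows the appended code only as screenshots, so this
# looks for the two behaviours it describes (reading/setting a cookie and
# redirecting the browser), not for a specific byte sequence.
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=(?!=)|location\.replace\s*\(",
    re.IGNORECASE,
)
COOKIE_RE = re.compile(r"document\.cookie", re.IGNORECASE)


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def matches_ioc(data: bytes) -> bool:
    """True if the file's SHA1 equals one of the hashes listed in the post."""
    return sha1_hex(data) in IOC_SHA1


def classify_change(baseline: bytes, current: bytes) -> Tuple[str, bytes]:
    """Compare a served script with its known-good copy.

    Returns ("unchanged", b""), ("appended", <tail>) when the known-good
    content is intact and extra bytes follow it, or ("modified", b"") when
    the change is somewhere other than the end of the file.
    """
    if current == baseline:
        return "unchanged", b""
    if current.startswith(baseline):
        return "appended", current[len(baseline):]
    return "modified", b""


def looks_like_redirector(tail: bytes) -> Dict[str, bool]:
    """Report whether an appended tail sets the location and/or uses cookies."""
    text = tail.decode("utf-8", errors="replace")
    return {
        "sets_location": REDIRECT_RE.search(text) is not None,
        "uses_cookie": COOKIE_RE.search(text) is not None,
    }


def scan_site(baseline: Dict[str, bytes], current: Dict[str, bytes]) -> List[dict]:
    """Walk the served files and report anything a responder should look at."""
    findings: List[dict] = []
    for path, data in current.items():
        if matches_ioc(data):
            findings.append({"path": path, "reason": "ioc-hash", "sha1": sha1_hex(data)})
            continue
        known = baseline.get(path)
        if known is None:
            findings.append({"path": path, "reason": "unknown-file", "sha1": sha1_hex(data)})
            continue
        status, tail = classify_change(known, data)
        if status == "appended":
            sig = looks_like_redirector(tail)
            findings.append({
                "path": path,
                "reason": "appended-redirector" if sig["sets_location"] else "appended-unknown",
                "uses_cookie": sig["uses_cookie"],
                "tail_sha1": sha1_hex(tail),
            })
        elif status == "modified":
            findings.append({"path": path, "reason": "modified", "sha1": sha1_hex(data)})
    return findings


# Constructed sample data: a stub library, the same file with a cookie-gated
# redirect appended (invented for this example), and one file not in the manifest.
CLEAN_LIB = b"/* constructed library stub */\nfunction $(s){return document.querySelector(s);}\n"
INJECTED_TAIL = (
    b"\nif(document.cookie.indexOf('seen=')<0){document.cookie='seen=1';"
    b"window.location='http://fake-flash-update.invalid/';}\n"
)
BASELINE = {"js/lib.js": CLEAN_LIB, "js/app.js": b"console.log('app');\n"}
CURRENT = {
    "js/lib.js": CLEAN_LIB + INJECTED_TAIL,
    "js/app.js": b"console.log('app');\n",
    "js/extra.js": b"var x=1;\n",
}

if __name__ == "__main__":
    for finding in scan_site(BASELINE, CURRENT):
        print(finding)
```

The manifest comparison is the part that generalises: the appended tail is reported with its own SHA1 whether or not the heuristic recognises it, so a site owner can diff the served copy against the deployed one without depending on the specific strings the attackers used. The IoC hash check only catches the two executables named in the post.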
—————
Post by — Karmina and Christine
On 15/01/14 At 07:40 PM