Mangos and Viagra (and porn)

Filed Under: Malware, SophosLabs

Mangos and viagra? No, this is not some obscure Christmas recipe. Instead it refers to some recent activity in Web attacks we have been monitoring over the past few months.

To date, the attacks have all followed the typical pattern - a slew of compromised sites all loading content from the malicious attack site. Scripts on the attack site redirect the requests appropriately, to either infect the victim, or abuse pay per click [1] sites. The following image shows the current state of the attack:

[Current state of attack]

The attack can be broken down as follows:

  • Along the top of the diagram are a batch of compromised web sites (many are omitted for clarity). These sites have all been compromised (detected as Mal/ObfJS-C, Troj/Unif-B) to load content from a malicious site (highlighted in yellow).
  • Additional content from multiple sites is then silently loaded, including (bottom right hand corner - red arrow) malicious scripts (Mal/ObfJS-M) that attempt to exploit various browser vulnerabilities in order to infect the victim with a Win32 trojan.
  • The cluster of sites in the bottom left hand corner all attempt to load content from a single page. At the time of testing, further redirection from this page failed, but subsequent tests revealed the loading of additional exploit scripts intended to infect the victim with other malware.
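As an added example (not code from the original post or from SophosLabs), here is a defender-side script that reconstructs this kind of chain from web proxy logs: it builds a referer graph from constructed sample lines with placeholder domains, flags hub hosts that many distinct sites load content from (the central attack site in the diagram), and walks each chain from a compromised site to its exploit or pay-per-click endpoint.

```python
# Added example: reconstruct the load chain (compromised site -> hub -> exploit/PPC)
# from web proxy log lines of the form "client_ip url referer". The log data
# below is constructed, with placeholder domains, not the domains from the post.
from collections import defaultdict
from urllib.parse import urlparse

LOG_LINES = """\
10.0.0.5 http://hub.example/mango.js http://site-a.example/index.html
10.0.0.5 http://exploit.example/x.js http://hub.example/mango.js
10.0.0.6 http://hub.example/mango.js http://site-b.example/news.html
10.0.0.6 http://ppc.example/click?id=7 http://hub.example/mango.js
10.0.0.7 http://hub.example/mango.js http://site-c.example/
10.0.0.7 http://exploit.example/x.js http://hub.example/mango.js
"""

def host(url):
    return urlparse(url).hostname or ""

def build_graph(lines):
    """Map referer host -> set of hosts it caused the browser to load."""
    edges = defaultdict(set)
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] == "-":   # no referer: a direct visit
            continue
        src, dst = host(parts[2]), host(parts[1])
        if src and dst and src != dst:
            edges[src].add(dst)
    return edges

def fan_in(edges):
    """Number of distinct referer hosts loading content from each host."""
    counts = defaultdict(int)
    for dsts in edges.values():
        for dst in dsts:
            counts[dst] += 1
    return dict(counts)

def hubs(edges, min_sources=3):
    """Hosts pulled in by >= min_sources distinct sites: the central attack
    site pattern, where many compromised sites all load one malicious URL."""
    return sorted(h for h, n in fan_in(edges).items() if n >= min_sources)

def chains(edges, start, path=()):
    """All load chains from a compromised site to a leaf (exploit or PPC)."""
    path = path + (start,)
    nexts = [n for n in sorted(edges.get(start, ())) if n not in path]
    if not nexts:
        return [list(path)]
    return [c for n in nexts for c in chains(edges, n, path)]
```

Call `hubs(build_graph(LOG_LINES))` to list the hub hosts and `chains(build_graph(LOG_LINES), "site-a.example")` to see every path a visitor to that compromised site is pushed along; on real logs, raise `min_sources` to suit the volume of traffic.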

Probing some more into some of the domains used in the attack, we see continued use of the 'mango' theme, this time as a placeholder image at the root of one of the domains:

[Mango placeholder]

Whilst searching for further information on this domain I found something that I was not expecting:

[Zlob link]

The ActiveX error message is all too familiar now - Zlob. Sure enough, one of the redirects from this domain takes you to a movie site intended to infect victims with Zlob.

The domain hosting the exploits shown in the bottom right hand corner of the diagram is also being used to peddle pills:

[Peddling pills]

Subsequently we identified a bunch of porn sites (some pretty offensive - relevant authorities informed) hosted on related domains. All useful data that we feed to the web appliance in order to protect customers.

Whether the Zlob group are behind the entire attack or are simply using the infection chain as a mechanism to hit more victims is not known. I suspect the latter. The simple fact is that nowadays, when you dig a little deeper, you frequently find links back to the same old groups.
