This current attack provides a classic example of some of the techniques that the rogue AV criminals are using.
- SEO techniques. The attackers appear to have exploited a content management system (CMS) being used on the embassy site, in order to upload numerous keyword-stuffed pages (typically called “doorway” or SEO pages). Users searching for popular terms may end up clicking through to one of these pages, starting the infection process.
- Fake AV payload. The redirection script checks the referrer before redirecting the user to the appropriate payload.
Digging deeper on the embassy site it is not surprising they have been hit. The version of the CuteNews CMS application they are using is out of date (v1.4.6 appears to the latest version).
Attackers exploiting CMS applications in order to hit/deface sites is something we have discussed before , and I won’t repeat the important security implications that must be considered when using them here.
Fortunately for Sophos users, the redirection script loaded in the SEO pages is pro-actively blocked as Mal/ObfJS-X.
The second redirection script that this would load is responsible for redirecting the user to the payload (assuming they came via a search engine). Interestingly, this script also checks the OS, choosing to redirect Linux/Max users to a different site.
- Mac/Linux: user is redirected to suspicious looking movie download site. (There was no apparent malware on the site at the time of writing.)
- Windows: user is redirected to the fake AV site, where they get the usual fake system scan and warning messages.
Detection for the actual fake AV malware installed from this site has been added as Troj/FakeAV-AEA.
I have contacted the admins for the site in question so they can clean up, and secure their site against future attacks.