Another embassy site hit in fake anti-virus attack

Earlier today I noticed that the web site for one of the embassies in Paris has been hit by malware. This continues the ‘YAE’ (yet another embassy) series we introduced in previous blogs [2,3].

This current attack provides a classic example of some of the techniques that the rogue AV criminals are using.

  1. SEO techniques. The attackers appear to have exploited a content management system (CMS) being used on the embassy site, in order to upload numerous keyword-stuffed pages (typically called “doorway” or SEO pages). Users searching for popular terms may end up clicking through to one of these pages, starting the infection process.
  2. Traffic redirection. The SEO pages load a malicious JavaScript that has also been uploaded to the embassy site. This in turn loads another script, this time from a remote server. This second script is responsible for redirection of the user to the relevant payload. Checking the referrer, the script redirects the user if they have come via a search engine.
  3. Fake AV payload. Having checked the referrer, the redirection script sends the user on to the appropriate payload.
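Site administrators usually learn about an attack like this from the doorway pages themselves, so a cheap way to check your own web root is to look for the two things the list above describes: pages stuffed with a handful of repeated keywords, and pages that pull in JavaScript from a host that is not yours. The scanner below is an added example written for this post (it is not Sophos tooling and is not a signature for the script the post names); the sample pages, the `embassy.example.test` and `bad-example.test` hostnames and the density threshold are all constructed for the demonstration.

```python
"""Scan a web root for doorway pages: keyword-stuffed HTML that pulls in
off-site JavaScript. Added example for this post; not Sophos code."""
import re
import tempfile
from collections import Counter
from pathlib import Path
from urllib.parse import urlparse

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)
TAG = re.compile(r"<[^>]+>")
WORD = re.compile(r"[a-z]{3,}")

def keyword_density(text, top_n=5, min_words=50):
    """Share of the visible words taken by the top_n most frequent ones.
    Ordinary prose scores around 0.2-0.3; stuffed doorway pages approach 1.0.
    Pages with very little text return 0.0 so they are not over-flagged."""
    words = WORD.findall(TAG.sub(" ", text).lower())
    if len(words) < min_words:
        return 0.0
    top = Counter(words).most_common(top_n)
    return sum(count for _, count in top) / len(words)

def offsite_scripts(text, own_hosts):
    """Hostnames of absolute <script src=...> tags that are not one of own_hosts."""
    hosts = []
    for src in SCRIPT_SRC.findall(text):
        host = urlparse(src).hostname
        if host and host.lower() not in own_hosts:
            hosts.append(host.lower())
    return hosts

def scan_page(text, own_hosts, density_threshold=0.45):
    """Reasons a page looks like a doorway; an empty list means it passed."""
    reasons = []
    density = keyword_density(text)
    if density >= density_threshold:
        reasons.append(f"keyword density {density:.2f}")
    for host in offsite_scripts(text, own_hosts):
        reasons.append(f"off-site script from {host}")
    return reasons

def scan_site(root, own_hosts):
    """Walk root and return {relative path: reasons} for every suspicious page."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() in {".html", ".htm", ".php"}:
            reasons = scan_page(path.read_text(errors="replace"), own_hosts)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings

# Constructed sample site: one genuine page and one planted doorway page.
NORMAL_PAGE = """<html><body><h1>Consular section</h1>
<p>The consular section handles visa applications, passport renewals and notarial
services for citizens and visitors. Appointments are required for most services and
can be booked online. Opening hours are Monday to Friday, nine to noon. During public
holidays the embassy is closed. For emergencies outside these hours please call the
duty officer. Cultural events, scholarship announcements and press releases are
published in the news section every month.</p>
<script src="/js/menu.js"></script></body></html>"""
DOORWAY_PAGE = ("<html><body>" + "cheap pills online buy " * 60 +
                '<script src="http://bad-example.test/x.js"></script></body></html>')
OWN_HOSTS = {"embassy.example.test"}

def demo():
    """Write the sample site to a temp dir, scan it and return the findings."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text(NORMAL_PAGE)
    (root / "cache").mkdir()
    (root / "cache" / "buy-cheap-pills-online.html").write_text(DOORWAY_PAGE)
    return scan_site(root, OWN_HOSTS)

if __name__ == "__main__":
    for page, reasons in demo().items():
        print(page, "->", "; ".join(reasons))
```

Run it against a copy of the web root (`scan_site("/var/www/html", {"www.your-site.example"})`) and review anything it flags alongside file modification times; newly created pages under cache or upload directories are the ones to look at first. The density heuristic is deliberately coarse and the threshold will need tuning for sites with long lists or tag clouds.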

Digging deeper on the embassy site, it is not surprising they have been hit. The version of the CuteNews CMS application they are using is out of date (v1.4.6 appears to be the latest version).

Attackers exploiting CMS applications in order to hit/deface sites is something we have discussed before [4], and I won’t repeat the important security implications that must be considered when using them here.

Fortunately for Sophos users, the redirection script loaded in the SEO pages is proactively blocked as Mal/ObfJS-X.

The second redirection script that this would load is responsible for redirecting the user to the payload (assuming they came via a search engine). Interestingly, this script also checks the OS, choosing to redirect Linux/Mac users to a different site.

  • Mac/Linux: user is redirected to a suspicious-looking movie download site. (There was no apparent malware on the site at the time of writing.)
  • Windows: user is redirected to the fake AV site, where they get the usual fake system scan and warning messages.
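Because the redirect only fires for visitors who arrive from a search engine, and then branches on the operating system, an administrator who opens the page directly sees nothing wrong. The way to expose this from the outside is to request the same URL several times with different Referer and User-Agent headers and compare the answers. The probe below is an added example written for this post, not Sophos tooling; `simulated_fetch` is a constructed stand-in for the behaviour described above so the code runs offline, and the `fakeav.example.test`, `movies.example.test` and `embassy.example.test` hostnames are placeholders. `urllib_fetch` is a real fetcher for checking a site you administer.

```python
"""Probe a URL with several Referer / User-Agent combinations and report when
the answers diverge, which is how referrer- and OS-conditional redirects show
up from the outside. Added example for this post, not Sophos tooling."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

SEARCH_REFERER = "http://www.google.com/search?q=embassy+visa"
WIN_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) AppleWebKit/533 Safari/533"
LINUX_UA = "Mozilla/5.0 (X11; Linux i686) Gecko/20100101 Firefox/3.6"

# Baseline first (a direct visit with a Windows browser), then search-engine referrals.
PROFILES = {
    "direct/windows": {"User-Agent": WIN_UA},
    "search/windows": {"User-Agent": WIN_UA, "Referer": SEARCH_REFERER},
    "search/mac": {"User-Agent": MAC_UA, "Referer": SEARCH_REFERER},
    "search/linux": {"User-Agent": LINUX_UA, "Referer": SEARCH_REFERER},
}

def probe(fetch, url, profiles=PROFILES, baseline="direct/windows"):
    """fetch(url, headers) -> (status, location). Returns every profile's answer
    and the names of the profiles whose answer differs from the baseline."""
    results = {name: fetch(url, headers) for name, headers in profiles.items()}
    divergent = [name for name, answer in results.items()
                 if name != baseline and answer != results[baseline]]
    return results, divergent

def simulated_fetch(url, headers):
    """Constructed stand-in for the redirect behaviour described in the post;
    no network access. Hostnames are placeholders, not real indicators."""
    referrer_host = urlparse(headers.get("Referer", "")).hostname or ""
    ua = headers.get("User-Agent", "")
    from_search = any(e in referrer_host for e in ("google.", "bing.", "yahoo."))
    if not from_search:
        return 200, None  # direct visitors simply get the page
    if "Windows" in ua:
        return 302, "http://fakeav.example.test/scan.php"
    if "Mac" in ua or "Linux" in ua:
        return 302, "http://movies.example.test/"
    return 200, None

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following 3xx so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def urllib_fetch(url, headers, timeout=10):
    """Real fetcher for a site you administer; returns (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(request, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx lands here once redirects are disabled
        return err.code, err.headers.get("Location")

if __name__ == "__main__":
    results, divergent = probe(simulated_fetch, "http://embassy.example.test/doorway.html")
    for name, (status, location) in results.items():
        print(f"{name:16} {status} {location or ''}")
    print("cloaking suspected for:", divergent)
```

Swap `simulated_fetch` for `urllib_fetch` to run it against a page you are responsible for. A divergence is a lead rather than proof (legitimate sites serve different content by User-Agent too), but a 302 to an unfamiliar host that appears only when the Referer is a search engine is exactly the pattern described above, and the Location values it collects are what you hand to whoever has to block or take down the destination.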

Detection for the actual fake AV malware installed from this site has been added as Troj/FakeAV-AEA.

I have contacted the admins for the site in question so they can clean up, and secure their site against future attacks.