Previously, SophosLabs has spoken about Embassy and Consulate websites being infected:
- U.S. Consulate General in St. Petersburg, Russia
- India’s Embassy in Spain
- Embassy of Ethiopia in Washington, D.C.
- The Republic of Sudan in London
Over the past few weeks SophosLabs has seen three more Embassy/Consulate sites join this list:
- Pakistan Consulate in Houston, Texas
- Embassy Republic of Iraq in Tehran, Iran
- Embassy Republic of Sudan in Tehran, Iran
Are embassies being targeted?
No. They are just a microcosm of the Internet.
There are ~200 countries in the world and each of those has ~1 Embassy/Consulate/High Commission in each of the other countries.
So that makes 200×200 = 40 000 websites
7/ 40 000 = 0.0175%
The rough working above suggests that the percentage of infected websites is approximately 0.02%.
What malware is on these sites?
Mal/Iframe-F is the culprit for the Pakistani and Sudanese sites and Mal/ObfJS-BI for the Iraqi site.
The Mal/ObfJS-BI redirects to an iframe referencing an IP address registered in St. Petersburg, Russia. The Mal/Iframe-F references two distinct domains, one a .CN and the other a .BIZ (registered in Russia).
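As an added defender-side illustration, not code from the SophosLabs post: a small Python check that flags iframes of the kind described above, i.e. ones whose src points off-site or at a raw IP address, and ones sized or styled to be invisible. The sample HTML, the site host `embassy.example` and the hosts inside it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real embassy site): one legitimate same-site
# iframe plus two injected ones, one pointing at a raw IP address and one at
# an off-site domain, both sized to be invisible to a visitor.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="/news.html" width="600" height="400"></iframe>
<iframe src="http://203.0.113.5/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://redirector.example/x/" width="0" height="0"></iframe>
</body></html>
"""

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag together with its attributes."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_iframes(page, site_host):
    """Return (src, reasons) for iframes that leave the site, point at a raw
    IP address, or are hidden / zero-sized. Same-site, visible frames pass."""
    parser = IframeCollector()
    parser.feed(page)
    findings = []
    for f in parser.iframes:
        src = f.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != site_host.lower():
            reasons.append("off-site host")
        if IP_RE.match(host):
            reasons.append("raw IP address")
        tiny = f.get("width", "").strip() in ("0", "1") or f.get("height", "").strip() in ("0", "1")
        if tiny or "hidden" in f.get("style", "").lower():
            reasons.append("hidden or tiny frame")
        if reasons:
            findings.append((src, reasons))
    return findings
```

Run against the constructed sample it reports only the two injected frames; the same-site news frame is not flagged.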