Communist Party Of Britain’s website infected with malware (again)

Last year, during the UK local elections, I blogged about how the Communist Party of Britain’s website was infected. Earlier today, I noticed that the site had once again been infected, this time with different malware. This infection, like the last, comes at a politically sensitive time, today being the UK Budget. Luckily, since contacting them, they have cleaned up the site (one of the fastest turnarounds we have seen).

The site had two pieces of malware loaded through the INDEX.HTML: another occurrence of Mal/Iframe-F, and Mal/ClsDLod-A.

The INDEX.HTML here contains an obfuscated SCRIPT, detected as Mal/Iframe-F, that would attempt to load further malicious script content from a Swedish website; that content is detected as Mal/ObfJS-BP.

The APPLET that is to be loaded is detected as Mal/ClsDLod-A and would try to download the same payload from the Swedish website. Decompiling the JAR with JAD:

The payload executable (‘load.exe’) is currently detected as Mal/Dropper-AB. It appears to be an installer for a Zbot variant (an infamous family of banking Trojans, also known as Zeus).

This copy of Mal/Dropper-AB includes functionality to:

– run automatically
– steal confidential information
– access the internet and communicate with a remote server via HTTP

Mal/Dropper-AB communicates via HTTP with a hacked site in Germany.

When Mal/Dropper-AB is run it will fire the following HIPS rules:

HIPS/FileMod-001
HIPS/FileMod-004
HIPS/FileMod-006
HIPS/ProcInj-001

When Mal/Dropper-AB is installed it creates the file \sdra64.exe.

The following registry entry is changed to run sdra64.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe,\sdra64.exe,
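The Userinit change is the most durable indicator on the host: the default value holds a single userinit.exe entry, so anything appended after it is worth a look. The check below is an added example, not code from the original post; it works on a .reg export so it runs offline, and the export text and paths in it are constructed. On a live Windows host the same value would be read with `winreg.OpenKey` and `winreg.QueryValueEx` instead of parsing a file.

```python
"""Flag unexpected entries in the Winlogon Userinit value.
Added example; the registry export below is constructed."""
import re

# Constructed export of the Winlogon key after an sdra64.exe-style change.
# (.reg files on disk are UTF-16; this is the already-decoded text.)
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# The default Userinit list contains exactly this one executable.
EXPECTED_BASENAME = "userinit.exe"


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser covering quoted REG_SZ values, which is all this
    check needs. Returns {key path: {value name: value}}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                name, value = m.groups()
                # .reg escapes each backslash as two; undo that.
                keys[current][name] = value.replace("\\\\", "\\")
    return keys


def userinit_entries(value: str) -> list[str]:
    """Split the comma-separated Userinit list, dropping the empty trailing item."""
    return [e.strip() for e in value.split(",") if e.strip()]


def check_userinit(reg_text: str) -> list[str]:
    """Return every Userinit entry that is not the single expected userinit.exe:
    a second entry is suspicious even if it is named like the legitimate one."""
    keys = parse_reg_export(reg_text)
    value = keys.get(WINLOGON_KEY, {}).get("Userinit", "")
    entries = userinit_entries(value)
    return [
        e for i, e in enumerate(entries)
        if i > 0 or e.rsplit("\\", 1)[-1].lower() != EXPECTED_BASENAME
    ]


if __name__ == "__main__":
    for entry in check_userinit(SAMPLE_REG_EXPORT):
        print("unexpected Userinit entry:", entry)
```

Because Userinit runs under winlogon before the user's shell, an entry here survives most cleanup that only looks at Run keys; a scheduled export-and-compare of this one value is a cheap control.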

Registry entries are created under:

HKCU\Software\Microsoft\Protected Storage System Provider

The INDEX.HTML then redirects the user to the legitimate Communist Party page, INDEX.PHP. The INDEX.HTML in this case is entirely malicious; it is used because a web server with default settings looks for index.html before index.php when serving a directory, so the malicious file is served first.
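The lesson for a site owner is that an extra file in the web root, not a change to an existing one, was enough here. Comparing the web root against a known-good manifest catches exactly that. This is an added example, not code from the original post or the affected site; it builds a small web root and its manifest in a temporary directory, then adds an index.html to stand in for the incident.

```python
"""Compare a web root against a known-good manifest so that an unexpected
index.html stands out. Added example; the web root is constructed."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: str) -> dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def diff_webroot(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference from the baseline: added, modified, removed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def build_demo() -> dict[str, list[str]]:
    """Construct a web root whose real index is index.php, record the baseline,
    then simulate the incident by dropping an index.html beside it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'legitimate site'; ?>")
        os.mkdir(os.path.join(root, "css"))
        with open(os.path.join(root, "css", "site.css"), "w") as f:
            f.write("body { margin: 0; }")
        baseline = manifest(root)
        # Simulated compromise: a new index.html that the server's default
        # DirectoryIndex order will pick before index.php.
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body><!-- placeholder content --></body></html>")
        return diff_webroot(baseline, manifest(root))


if __name__ == "__main__":
    print(build_demo())
```

The baseline should be stored off the web server (a compromised host can rewrite its own manifest), and the same diff is what to run after a cleanup to confirm the root is back to the known state.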