The jobs website of a major international hotel chain is silently serving up malware to visitors.
Seemingly based upon a malicious script which was being used in attacks exploiting the as-yet-unpatched Windows XML Core zero-day vulnerability, the newly discovered code is detected by Sophos products as Troj/JSRedir-HT.
Although the attack shares the hallmarks of earlier attacks against an aeronautical parts supplier and a medical company, this latest incident does not exploit the Microsoft zero-day vulnerability.
What is unclear is whether the script used in the attack on the hotel jobs website predates the attacks on the other organisations, which do exploit the vulnerability.
An examination of the suspicious files on the jobs website makes the connection apparent:
A single line of code, hidden in the site’s main index.html homepage, loads a malicious script called icon.js:
icon.js is JavaScript obfuscated with the Dean Edwards packer (see Fraser Howard’s technical paper “Malware with your Mocha” for an explanation of this packer); it loads a further file called media_view.html within an iFrame.
The file media_view.html loads deployJava.js (which is identical to the script found on the compromised European medical website) and Geoffrey.swf.
Geoffrey.swf is loaded with the parameter ‘Elderwood=<long hex string>’ and in turn loads a file called map.exe.
The file map.exe is a data file, but it looks vaguely like an .EXE in structure:
XORing the first two bytes with “MZ” reveals the short word 0x9595. XORing the whole file with 0x95 leaves a file that looks very much like an executable, but it doesn’t run.
This is because the malware author has played a little trick: if a byte in the file is either 0x00 or 0x95, it is not XORed!
So I knocked up a little python script to reverse this trick:
b = bytearray(open('map.exe', 'rb').read())
for i in range(len(b)):
    # the author's trick: bytes that are 0x00 or 0x95 are left untouched
    if b[i] == 0x00 or b[i] == 0x95:
        continue
    b[i] ^= 0x95
open('map.out', 'wb').write(b)
Using this method I was able to reveal the file as a valid working .EXE.
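As an added example (not the author's script), the same decoding generalised to any single-byte key: it recovers the key from the encoded “MZ” header exactly as done by hand above, undoes the selective XOR, and checks that the result has a plausible PE header. The sample bytes are a constructed stand-in for map.exe, not the real file, and the function and variable names are my own.

```python
import struct

def build_sample_exe():
    # Constructed stand-in for map.exe: a minimal MZ stub, e_lfanew at 0x3C
    # pointing to a 'PE\0\0' signature, plus a few bytes that include 0x00
    # and the key value itself. It is not a real program.
    hdr = bytearray(b'MZ' + b'\x00' * 58 + struct.pack('<I', 0x40))
    hdr += b'PE\x00\x00' + b'\x95\x00\x41\x95\x00\x42'
    return bytes(hdr)

def yolped_xor(data, key):
    # The selective XOR: bytes equal to 0x00 or to the key pass through
    # unchanged, everything else is XORed. Plain XOR would map 0x00 <-> key,
    # so skipping exactly those two values keeps the transform a bijection,
    # which is why the same function both encodes and decodes.
    return bytes(b if b in (0x00, key) else b ^ key for b in data)

def recover_key(data):
    # A PE file starts with 'MZ'; XOR the first two encoded bytes with 'MZ'
    # and require both to yield the same key byte.
    k0, k1 = data[0] ^ 0x4D, data[1] ^ 0x5A
    if k0 != k1:
        raise ValueError('first two bytes do not agree on a single XOR key')
    return k0

def looks_like_pe(data):
    # Sanity check on the result: 'MZ' magic and a 'PE\0\0' signature at
    # the offset stored in e_lfanew (offset 0x3C).
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'

def decode_file(data):
    # Recover the key from the header, undo the selective XOR, and report
    # whether the output has a plausible PE header.
    key = recover_key(data)
    plain = yolped_xor(data, key)
    return plain, key, looks_like_pe(plain)

if __name__ == '__main__':
    encoded = yolped_xor(build_sample_exe(), 0x95)
    plain, key, ok = decode_file(encoded)
    print('key=0x%02x valid_pe=%s' % (key, ok))
```

Because the key is read from the header rather than hard-coded, the same routine handles variants keyed with other bytes, such as the 0x70 key mentioned in the comments.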
Of course, it’s a Trojan horse – and SophosLabs is adding detection for it as Troj/Yolped-A.
In summary, here are the code similarities between this attack and the attacks seen against the European medical and aeronautics websites:
- Use of deployJava.js
- Use of SWFs with the parameter Apple or Elderwood=<long hex string>
- Other reuse examples within the scripts
I am sure that these attacks are perpetrated by the same gang (possibly state-sponsored) and I am calling this code bundle the yolped pack.
(If you’re curious about the name “yolped” it’s “deploy” backwards).
Sophos is in the process of contacting the hotel chain concerned, and we hope their website will be cleaned up shortly.
Good work Paul.
Hi Paul ... you don't mention the actual site, so what is stopping others from being infected in the meantime?
I can understand the need for sensitivity here, but it is leaving others open to infection at the moment, and my guess is that the hotel chain will not take the link down until a fix is available.
I can understand your point, but it really is a double-edged sword in these sorts of situations.
By posting the names of these sites, you lower the chance people will visit the sites by accident, but heighten the chance that people will visit these sites out of curiosity. I personally think that being warned to be wary about any hotel-based recruitment sites is specific enough to give a general warning, without pushing more users onto the site.
(Though don't get me wrong I'd love to start up a VM test lab and go play in the malware ballpit)
Once again, basic security screening would prevent this from happening. Obviously, a previously undiscovered vulnerability cannot be prevented, but basic security checking, such as a report when any files in the website change, should be in practice. If a file changes out of band or the author is surprised by the change, then the file is suspect.
There are also other ones related to the CVE-2012-4969 IE zero-day that use that same modified XOR encryption with the key 0x70.