Jobs website of major hotel chain serving malware, linked to other attacks

Filed Under: Featured, Malware, SophosLabs, Vulnerability

Hotel reception. Image from ShutterstockThe jobs website of a major international hotel chain is silently serving up malware to visitors.

Seemingly based upon a malicious script which was being used in attacks exploiting the as-yet-unpatched Windows XML Core zero-day vulnerability, the newly discovered code is detected by Sophos products as Troj/JSRedir-HT.

Although the attack shares the same hallmarks of earlier attacks against an aeronautical parts supplier and a medical company, this latest incident does not exploit the Microsoft zero-day vulnerability.

What is unclear is whether the script used in the attack on the hotel jobs website predates the attacks on the other organisations, which do exploit the vulnerability.

An examination of the suspicious files on the jobs website makes the connection apparent:

A single line of code, hidden in the site's main index.html homepage, loads a malicious script called icon.js:

Malicious script

icon.js is a Dean Edwards packed (see Fraser Howard's technical paper "Malware with your Mocha" for an explanation of this obfuscating packer) JavaScript that loads a further file called media_view.html within an iFrame.

Malicious iFrame

The file media_view.html loads deployJava.js (which is identical to the script found on the compromised European medical website) and Geoffrey.swf.

Geoffrey.swf is loaded via parameter 'Elderwood=<long hex string>' and loads a file called map.exe.

The file map.exe is a data file, but it looks vaguely like an .EXE in structure:

Hex dump of map.exe

XORing the first two bytes with MZ reveals the short word 0x9595. XORing the whole file with 0x95 leaves a file that looks very like an executable file but it doesn't run.

This is because the malware author has played a little trick: if the byte in the file is either 0x00 or 0x95 they do not XOR it!

So I knocked up a little python script to reverse this trick:

b = bytearray(open('map.exe', 'rb').read())
for i in range(len(b)):
    if b[i] == 0x00 or b[i] == 0x95:
        b[i] ^= 0x95
open('map.out', 'wb').write(b)

Using this method I was able to reveal the file as a valid working .EXE.

Decrypted executable file

Of course, it's a Trojan horse - and SophosLabs is adding detection for it as Troj/Yolped-A.

In summary, here are the code similarities between this attack and the attacks seen against the European medical and aeronautics website:

      Use of deployJava.js
      Use of SWFs with parameters Apple or Elderwood =<long hex string>
      Other reuse examples within the scripts

I am sure that these attacks are perpetrated by the same gang (possibly state-sponsored) and I am calling this code bundle the yolped pack.

(If you're curious about the name "yolped" it's "deploy" backwards).

Sophos is in the process of contacting the hotel chain concerned, and we hope their website will be cleaned up shortly.

Bell on hotel reception desk image courtesy of Shutterstock.

, , , , ,

You might like

5 Responses to Jobs website of major hotel chain serving malware, linked to other attacks

  1. Good work Paul.

  2. Steve D · 1203 days ago

    Hi Paul, .. you don't mention the actual site, so what is stopping others from being infected in the meantime?

    I can understand the need for sensitivity here, but it is leaving others open to infection at the moment, and my guess is that the hotel chain will not take the link down until a fix is available

    • Tim · 1197 days ago

      I can understand your point, but it really is a double edged sword in these sort of situations.

      By posting the names of these sites, you lower the chance people will visit the sites by accident, but heighten the chance that people will visit these sites by curiosity. I personally think that being warned to be wary about any hotel based recruitment sites is specific enough to give a general warning, without pushing more users onto the site.

      (Though don't get me wrong I'd love to start up a VM test lab and go play in the malware ballpit)

  3. Mark · 1202 days ago

    Once again, basic security screening would prevent this from happening. Obviously, a previously undiscovered vulnerability cannot be prevented, but basic security checking such as a report when any files in the website change should be in practice. if a file changes out of band or the author is surprised by the change, then the file is suspect.

  4. f0real · 1074 days ago

    There are also other ones related to the CVE-2012-4969 IE zero day that use that same modified XOR encryption with the key 0x70

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.