The jobs website of a major international hotel chain is silently serving up malware to visitors.
Seemingly based upon a malicious script which was being used in attacks exploiting the as-yet-unpatched Windows XML Core zero-day vulnerability, the newly discovered code is detected by Sophos products as Troj/JSRedir-HT.
Although the attack shares the same hallmarks as earlier attacks against an aeronautical parts supplier and a medical company, this latest incident does not exploit the Microsoft zero-day vulnerability.
What is unclear is whether the script used in the attack on the hotel jobs website predates the attacks on the other organisations, which do exploit the vulnerability.
An examination of the suspicious files on the jobs website makes the connection apparent:
A single line of code, hidden in the site’s main index.html homepage, loads a malicious script called icon.js:
The file media_view.html loads deployJava.js (which is identical to the script found on the compromised European medical website) and Geoffrey.swf.
Geoffrey.swf is loaded via parameter ‘Elderwood=<long hex string>’ and loads a file called map.exe.
The file map.exe is a data file, but it looks vaguely like an .EXE in structure:
XORing the first two bytes with MZ reveals the short word 0x9595. XORing the whole file with 0x95 leaves a file that looks very much like an executable, but it doesn't run.
This is because the malware author has played a little trick: if the byte in the file is either 0x00 or 0x95 they do not XOR it!
So I knocked up a little Python script to reverse this trick:

```python
# Reverse the obfuscation: XOR every byte with 0x95, except bytes that are
# already 0x00 or 0x95, which the malware author left untouched.
b = bytearray(open('map.exe', 'rb').read())
for i in range(len(b)):
    if b[i] == 0x00 or b[i] == 0x95:
        continue
    b[i] ^= 0x95
open('map.out', 'wb').write(b)
```
Using this method I was able to reveal the file as a valid working .EXE.
Of course, it’s a Trojan horse – and SophosLabs is adding detection for it as Troj/Yolped-A.
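As an added example (not the script from the post above), the same skip-aware XOR written as a small forensic helper: it recovers the single-byte key from the MZ header the way the post does, applies the decoding rule, and sanity-checks the result against the PE signature. The sample file is constructed inline; the real map.exe is not included, and the function and file names are my own.

```python
import struct

MZ = b"MZ"
E_LFANEW = 0x3C  # offset of the DWORD that points at the "PE\0\0" signature

def recover_key(data):
    """XOR the first two bytes with 'MZ'. A single-byte key yields two equal
    values (the post's 0x9595); anything else means a different scheme."""
    if len(data) < 2:
        raise ValueError("file too short to hold an MZ header")
    k0, k1 = data[0] ^ MZ[0], data[1] ^ MZ[1]
    if k0 != k1:
        raise ValueError("first two bytes do not share one XOR key: %#x %#x" % (k0, k1))
    return k0

def xor_with_skip(data, key):
    """The malware author's trick: XOR every byte with key EXCEPT bytes that are
    already 0x00 or equal to the key. The mapping is its own inverse (a plaintext
    byte can only become 0x00 or key if it already was), so the same function
    both obfuscates and recovers a file."""
    out = bytearray(data)
    for i, b in enumerate(out):
        if b == 0x00 or b == key:
            continue  # the encoder left these alone, so leave them alone here too
        out[i] ^= key
    return bytes(out)

def looks_like_pe(data):
    """Cheap sanity check on a recovered file: MZ at 0 and PE\\0\\0 at e_lfanew."""
    if len(data) < E_LFANEW + 4 or data[:2] != MZ:
        return False
    (pe_off,) = struct.unpack_from("<I", data, E_LFANEW)
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"

def build_fake_pe():
    """Constructed stand-in for map.out: a skeletal DOS/PE header plus a body
    that deliberately contains 0x00 and 0x95 bytes, the cases the trick hinges on."""
    hdr = bytearray(0x40)
    hdr[:2] = MZ
    struct.pack_into("<I", hdr, E_LFANEW, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + bytes([0x95, 0x00, 0x4D, 0xFF, 0x95, 0x10])

if __name__ == "__main__":
    sample = build_fake_pe()
    obfuscated = xor_with_skip(sample, 0x95)  # what a map.exe-style file looks like
    key = recover_key(obfuscated)              # 0x95, as in the post
    print("recovered key: %#x" % key)
    print("naive XOR gives a valid PE?", looks_like_pe(bytes(b ^ key for b in obfuscated)))
    print("skip-aware XOR gives a valid PE?", looks_like_pe(xor_with_skip(obfuscated, key)))
```

The naive whole-file XOR turns every 0x00 in the header into 0x95, which is why the post's first attempt produced something that looked like an executable but would not run.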
- Use of deployJava.js
- Use of SWFs with parameters Apple or Elderwood =<long hex string>
- Other reuse examples within the scripts
I am sure that these attacks are perpetrated by the same gang (possibly state-sponsored) and I am calling this code bundle the yolped pack.
(If you’re curious about the name “yolped” it’s “deploy” backwards).
Sophos is in the process of contacting the hotel chain concerned, and we hope their website will be cleaned up shortly.