Jobs website of major hotel chain serving malware, linked to other attacks

The jobs website of a major international hotel chain is silently serving up malware to visitors.

Seemingly based upon a malicious script which was being used in attacks exploiting the as-yet-unpatched Windows XML Core zero-day vulnerability, the newly discovered code is detected by Sophos products as Troj/JSRedir-HT.

Although the attack shares the hallmarks of earlier attacks against an aeronautical parts supplier and a medical company, this latest incident does not exploit the Microsoft zero-day vulnerability.

What is unclear is whether the script used in the attack on the hotel jobs website predates the attacks on the other organisations, which do exploit the vulnerability.

An examination of the suspicious files on the jobs website makes the connection apparent:

A single line of code, hidden in the site’s main index.html homepage, loads a malicious script called icon.js:

Malicious script

icon.js is a JavaScript file packed with the Dean Edwards packer (see Fraser Howard’s technical paper “Malware with your Mocha” for an explanation of this obfuscating packer); it loads a further file called media_view.html within an iFrame.

Malicious iFrame

The file media_view.html loads deployJava.js (which is identical to the script found on the compromised European medical website) and Geoffrey.swf.

Geoffrey.swf is loaded via parameter ‘Elderwood=<long hex string>’ and loads a file called map.exe.

The file map.exe is a data file, but it looks vaguely like an .EXE in structure:

Hex dump of map.exe

XORing the first two bytes with MZ reveals the short word 0x9595. XORing the whole file with 0x95 leaves a file that looks very much like an executable, but it doesn’t run.

This is because the malware author has played a little trick: if a byte in the file is either 0x00 or 0x95, they do not XOR it!

So I knocked up a little Python script to reverse this trick:

KEY = 0x95
b = bytearray(open('map.exe', 'rb').read())
for i in range(len(b)):
    # the packer skipped bytes that were already 0x00 or 0x95,
    # so leave those alone and XOR everything else with the key
    if b[i] != 0x00 and b[i] != KEY:
        b[i] ^= KEY
open('map.out', 'wb').write(b)

Using this method I was able to reveal the file as a valid working .EXE.

Decrypted executable file
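As an added example (not the script from the original post), the following Python generalises the manual steps above: it recovers the single-byte key from the ‘MZ’ header instead of assuming it, shows why a plain whole-file XOR wrecks the PE layout while the skip-aware version restores it, and runs against a small constructed stand-in for map.exe rather than the real sample.

```python
import struct

KEY_HINT = 0x95  # the key the post found; used only to build the sample, the decoder recovers it

def xor_skip(data: bytes, key: int) -> bytes:
    """XOR every byte with key, leaving 0x00 and key untouched. Because a byte
    outside {0x00, key} never XORs to 0x00 or key, this is its own inverse:
    it both reproduces the packer's encoding and decodes it."""
    return bytes(b if b in (0x00, key) else b ^ key for b in data)

def naive_xor(data: bytes, key: int) -> bytes:
    """The first attempt described in the post: XOR the whole file."""
    return bytes(b ^ key for b in data)

def recover_key(blob: bytes) -> int:
    """Assume the plaintext starts with 'MZ' and derive the key from the first
    two bytes; both must agree (the post saw 0x9595)."""
    k0, k1 = blob[0] ^ ord('M'), blob[1] ^ ord('Z')
    if k0 != k1:
        raise ValueError('first two bytes do not agree on a single-byte key')
    return k0

def looks_like_pe(data: bytes) -> bool:
    """Cheap layout check: 'MZ' at offset 0 and e_lfanew (offset 0x3C)
    pointing at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'

def build_sample() -> bytes:
    """Constructed stand-in for a tiny PE (not the real map.exe): MZ header,
    e_lfanew = 0x40, 'PE\\0\\0' there, then a tail containing 0x00 and 0x95."""
    hdr = bytearray(b'MZ' + b'\x90' * 0x3E)
    struct.pack_into('<I', hdr, 0x3C, 0x40)
    return bytes(hdr) + b'PE\x00\x00' + bytes([0x00, 0x95, 0x41, 0x42])

def demo() -> dict:
    plain = build_sample()
    blob = xor_skip(plain, KEY_HINT)      # what the dropper would ship as map.exe
    key = recover_key(blob)               # 0x95, as in the post
    return {
        'key': key,
        'naive_ok': looks_like_pe(naive_xor(blob, key)),   # False: e_lfanew's zero bytes became 0x95
        'skip_ok': looks_like_pe(xor_skip(blob, key)),     # True
        'roundtrip': xor_skip(blob, key) == plain,         # True
    }

if __name__ == '__main__':
    print(demo())
```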

Of course, it’s a Trojan horse – and SophosLabs is adding detection for it as Troj/Yolped-A.

In summary, here are the code similarities between this attack and the attacks seen against the European medical and aeronautics websites:

      Use of deployJava.js
      Use of SWFs with parameters Apple or Elderwood =<long hex string>
      Other reuse examples within the scripts

I am sure that these attacks are perpetrated by the same gang (possibly state-sponsored) and I am calling this code bundle the yolped pack.

(If you’re curious about the name “yolped” it’s “deploy” backwards).

Sophos is in the process of contacting the hotel chain concerned, and we hope their website will be cleaned up shortly.

Bell on hotel reception desk image courtesy of Shutterstock.