Unsuspecting users who may wish to buy (or simply admire) the new Honda Accord are warned that may fall victim to a drive-by download, leading to the installation of an info-stealing malware. TrendLabs discovered today an attack on the official web site of Honda Cars in Thailand.
According to Advanced Threats Researcher Jonell Baltazar, who discovered the compromise, the affected page, hxxp://www.honda.co.th:80/accord, was injected with a malicious script tag (detected by Trend Micro as HTML_IFRAME.QJ), which loads a page within the cleverly named getanewmazda.info domain. This page contains a script that looks for vulnerabilities to download and execute a certain file on the victim’s system. The downloaded file (which is named crypt.exe and saved as c:winQZfio771.exe) is detected as TSPY_ZBOT.LA.
This compromise was discovered due to a feedback technology on our customers’ products. This mechanism allows our systems to monitor and block potential malicious URLs. In this case, a client visit to the compromised site automatically registered the HTML_IFRAME.QJ detection, thereby protecting the user from further infection. Trend Micro Web Threat Protection has prevented access to the compromised site, protecting customers from possible infection.
Below is a screenshot of the compromised page within the Honda Cars site. Note that the malicious script also affects both the English and Thai landing pages (main.html) after a user accesses any one of them:
The downloaded TSPY_ZBOT.LA, in turn, accesses yet another domain, where possibly more malicious files can be downloaded. As of this writing, our researchers found user names and passwords related stored in this domain, suggesting that it is used either as a phishing page or mere storage in which cyber criminals can easily retrieve stolen information.
This is not the first time a Thai site has been compromised. In the past couple of months, we have reported similar incidents affecting the sites of the Royal Thai Air Force and Udiya Tours of Northern Thailand, among others.
Note that this seems to be an isolated incident so as far as the Honda enterprise is concerned, only Honda Cars Thailand site has been injected with the malicious script. As of this writing, Honda Cars Thailand has promptly taken their site offline in order to address the matter.
Consolidated findings of the Advanced Threats Research, APAC RTL, and Web Threat Protection teams at TrendLabs