    Recently, I learnt that attackers compromised Gizmodo’s Brazilian regional site. The attackers were able to modify the Gizmodo main page to add a script which redirected visitors to another compromised website. This second compromised site was hosted in Sweden and used a .se domain name. The attackers also uploaded a web shell onto this second site (the one hosted in Sweden) to keep control of that server.
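The injection described above is a page that, apart from its own content, carries a script or redirect pointing at a host the site does not own. The following is an added example, not TrendLabs' tooling or anything from the affected sites: it parses a page's HTML and lists every `<script src>`, `<iframe src>`, `<meta http-equiv="refresh">` target and inline `window.location`/`location.href` assignment whose host is neither the page's own nor on an allow list. The sample HTML and all hostnames in it are constructed placeholders.

```python
"""Flag scripts and redirects in a page that point off-site.

Added example (not TrendLabs' code): given the HTML of a page and the origin
it is expected to be served from, report every reference that hands the
browser to a foreign host. Sample HTML and hostnames below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline JS assignments that navigate the browser to another URL.
_REDIRECT_RE = re.compile(
    r"""(?:window\.location|location\.href|document\.location|top\.location)"""
    r"""\s*=\s*['"]([^'"]+)['"]""",
    re.IGNORECASE,
)
# The url= part of a <meta http-equiv="refresh" content="0; url=..."> tag.
_REFRESH_RE = re.compile(r"url\s*=\s*(\S+)", re.IGNORECASE)


class _Collector(HTMLParser):
    """Collect (kind, url) pairs for every outbound reference in the page."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.refs.append(("script-src", a["src"]))
        elif tag == "iframe" and a.get("src"):
            self.refs.append(("iframe-src", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _REFRESH_RE.search(a.get("content") or "")
            if m:
                self.refs.append(("meta-refresh", m.group(1).strip("'\"")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script:
            for m in _REDIRECT_RE.finditer(data):
                self.refs.append(("inline-redirect", m.group(1)))


def _host(url):
    return (urlparse(url).hostname or "").lower()


def offsite_references(html, page_origin, allowed_hosts=()):
    """Return (kind, url, host) for each reference whose host is foreign.

    Relative URLs have no host and are never reported; hosts in
    allowed_hosts (CDNs, ad servers the site knowingly uses) are skipped.
    """
    own = _host(page_origin)
    allowed = {own} | {h.lower() for h in allowed_hosts}
    p = _Collector()
    p.feed(html)
    out = []
    for kind, url in p.refs:
        h = _host(url)
        if h and h not in allowed:
            out.append((kind, url, h))
    return out


# Constructed sample page: one legitimate CDN script, one injected redirect
# via meta refresh, one injected inline redirect, and a third-party iframe.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://redirect-target.example/fake-flash/">
<script src="/static/site.js"></script>
<script src="https://cdn.example-news.test/lib.js"></script>
<script>
  window.location = "http://redirect-target.example/go.php";
</script>
</head><body>
<iframe src="https://ads.example-news.test/frame.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, url, host in offsite_references(
        SAMPLE_HTML, "https://www.example-news.test/",
        allowed_hosts=("cdn.example-news.test",),
    ):
        print(f"{kind:16} {host:32} {url}")
```

Run against a saved copy of the homepage on each deploy, diffing the result against the previous run: a new host appearing in the output is exactly the symptom this incident had.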

    Opening the compromised site loads a malicious URL, which contains a fake Adobe Flash download page in Portuguese:

    Figure 1. Fake Flash download page

    This file is actually a backdoor detected as BKDR_GRAFTOR.GHR. (It should also be noted that the current Flash Player version is 14.0.0.145, a far cry from the version advertised on this page.)

    This backdoor was actually hosted on Google Drive; trying to download it now gives a message that it has reached the download limit.

    Figure 2. Google Drive message

    We can see that attackers used a legitimate service in order to trick users into thinking that the downloaded file was not malicious. Based on our investigation, another website – this one belonging to a logistics firm – was compromised in a similar way. Both Gizmodo and this logistics firm’s site were hosted on UOL, the biggest ISP and content provider in Brazil. We are currently investigating if a vulnerability was used in order to penetrate the web servers.

    Gizmodo Brazil was notified of this threat and immediately removed the compromised code from their servers. In addition, we have notified Google about the malicious file hosted on Google Drive so it can be deleted as well. Trend Micro products already block the various aspects of this threat.

    Update as of 11:25 PM, July 30, 2014

    The hash involved in this attack is:

    • cd9efd3652b69be841c2929ec87f3108571bf285
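The indicator above is a SHA-1 (40 hex digits). As an added example, not Trend Micro's tooling, the following hashes files in chunks and reports any whose SHA-1 is on an IoC list; the only real indicator in it is the hash from this post, and the sample contents used for the self-check are constructed and do not match it.

```python
"""Match files against a SHA-1 indicator list.

Added example (not Trend Micro's code). KNOWN_BAD_SHA1 holds the hash
published in the post; everything else here is generic.
"""
import hashlib
import os

# SHA-1 of the backdoor, as given in the post.
KNOWN_BAD_SHA1 = {"cd9efd3652b69be841c2929ec87f3108571bf285"}


def sha1_of_chunks(chunks):
    """SHA-1 hex digest over an iterable of byte chunks."""
    h = hashlib.sha1()
    for c in chunks:
        h.update(c)
    return h.hexdigest()


def sha1_of_file(path, block=1 << 20):
    """Hash a file without reading it into memory at once."""
    with open(path, "rb") as f:
        return sha1_of_chunks(iter(lambda: f.read(block), b""))


def match_blobs(named_blobs, iocs=KNOWN_BAD_SHA1):
    """named_blobs: iterable of (name, bytes). Returns [(name, sha1)] hits.

    Indicator case is normalised so upper-case hashes copied from a report
    still match.
    """
    wanted = {i.lower() for i in iocs}
    hits = []
    for name, data in named_blobs:
        d = sha1_of_chunks([data])
        if d in wanted:
            hits.append((name, d))
    return hits


def scan_tree(root, iocs=KNOWN_BAD_SHA1):
    """Walk a directory tree and return [(path, sha1)] for matching files."""
    wanted = {i.lower() for i in iocs}
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                d = sha1_of_file(p)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort
            if d in wanted:
                hits.append((p, d))
    return hits


if __name__ == "__main__":
    import sys
    for path, digest in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {digest} {path}")
```

Point `scan_tree` at a download directory or a mail-attachment quarantine; a single hash is a narrow indicator, so treat a match as confirmation rather than relying on its absence.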

    Update as of 1:40 PM, August 4, 2014

    The detection BKDR_GRAFTOR.GHR has been renamed to BKDR_QULKONWI.GHR.





    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice