Research Project Manager Ivan Macalintal discovered a few hours ago that a Thailand-based tourism and travel site appears to have been compromised to serve malware. This discovery follows closely on the heels of the Thai Royal Air Force site compromise just a week ago.
Looking at the season, summer holidays are coming up soon in Asia, and Bangkok is a strong contender for the most popular Asian tourist spot. Malware authors may therefore be counting on this to drive traffic to the hacked site.
Clicking the link on the landing page of the Udiya Tour of Northern Thailand Web site redirects the user’s browser to a certain URL, which in turn redirects to yet another URL containing multiple browser exploits that ultimately lead to the download of a file named UPDATE.EXE. The file is a variant of the LDPINCH family, which is known for its information-theft routines.
Trend Micro users with updated patches are protected from this threat. We already detect this malware as TSPY_LDPINCH.FE using pattern file number 4.974.05.
Thanks to Network Architect Paul Ferguson for contacting ThaiCERT about this site compromise.