Trend Micro threat analysts were alerted to another mass compromise attack affecting around 55,000 consumer-oriented sites spread throughout Canada, China, the United Kingdom, and India as of the first report.
This incident is a painful reminder of the persisting risk of unprotected Web surfing. In this particular case, the malicious scripts injected into the legitimate sites lead to other sites that eventually resolve to the download of the following backdoor programs and components:
- axa0727.exe-1 (BKDR_REFPRON.FH)
- d.binaxa072776988 (TROJ_REFPRON.FI)
- ms.binaxa0727588773 (TROJ_REFPRON.FJ)
- so.binaxa0727737721 (BKDR_REFPRON.FH)
The backdoors drop other components and connect to other IP addresses to download more malware, further increasing the risk to users.
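An infection chain like this starts with a script reference that does not belong on the compromised page, so one check a site operator can run over their own HTML is to list every `<script>` whose `src` points outside an allowlist of known hosts, plus inline scripts that use the `document.write(unescape(...))` loader pattern. The following is an added example written for this post, not Trend Micro's code or the actual injected script; the hostnames, the sample page and the inline-script markers are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic markers for inline loader scripts (assumption, not taken from the report)
SUSPICIOUS_INLINE = ("document.write(", "unescape(", "fromCharCode(")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of each <script src=...>
        self.inline = []        # text of each inline <script> block
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_suspicious_scripts(html, allowed_hosts):
    """Return (kind, detail) findings for scripts that do not match the allowlist."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        # A relative src has no host and is served by the site itself; skip it.
        if host and host.lower() not in allowed_hosts:
            findings.append(("external", src))
    for body in parser.inline:
        if any(marker in body for marker in SUSPICIOUS_INLINE):
            findings.append(("inline", body.strip()[:60]))
    return findings


# Constructed sample page: two legitimate scripts, one injected external
# reference and one injected inline loader. "injected.example" is a placeholder.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<p>Store front</p>
<script src="http://injected.example/b.js"></script>
<script>document.write(unescape('%3Cscript src=%22http://injected.example/x.js%22%3E%3C/script%3E'));</script>
</body></html>"""

# Hosts the site legitimately loads scripts from (constructed allowlist).
ALLOWED = {"www.shop.example", "cdn.example.com"}

if __name__ == "__main__":
    for kind, detail in find_suspicious_scripts(SAMPLE_PAGE, ALLOWED):
        print(kind, detail)
```

Run against a crawl of your own pages, the output is a short list of script sources to review; anything outside the allowlist that you did not deploy is the starting point of the chain described above and should be treated as evidence of a compromised page rather than a false positive to be suppressed.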
Trend Micro Web Threat Protection-enabled products have already been blocking the infection chain starting with the injected scripts’ related domains and URLs down to the URLs hosting the malicious binaries.
As of this writing, searching for the offending script yields 99,000 results.