Recently, I learnt that attackers compromised Gizmodo’s Brazilian regional site. The attackers modified the Gizmodo main page to add a script which redirected visitors to another compromised website. This second compromised site was hosted in Sweden and used a .se domain name. The attackers also uploaded a web shell onto this Swedish-hosted site to keep control of that server.
Opening the compromised site loads a malicious URL, which contains a fake Adobe Flash download page in Portuguese:
Figure 1. Fake Flash download page
This file is actually a backdoor detected as BKDR_GRAFTOR.GHR. (It should also be noted that the current Flash Player version is 18.104.22.168, a far cry from the version advertised on this page.)
This backdoor was actually hosted on Google Drive; trying to download it now gives a message that it has reached the download limit.
Figure 2. Google Drive message
We can see that the attackers used a legitimate service to trick users into thinking that the downloaded file was not malicious. Based on our investigation, another website – this one belonging to a logistics firm – was compromised in a similar way. Both Gizmodo and the logistics firm’s site were hosted on UOL, the biggest ISP and content provider in Brazil. We are currently investigating whether a vulnerability was used to penetrate the web servers.
Gizmodo Brazil was notified of this threat and immediately removed the compromised code from their servers. In addition, we have notified Google about the malicious file hosted on Google Drive so it can be deleted as well. Trend Micro products already block the various aspects of this threat.
Update as of 11:25 PM, July 30, 2014
The hash involved in this attack is:
Update as of 1:40 PM, August 4, 2014
The detection BKDR_GRAFTOR.GHR has been renamed to BKDR_QULKONWI.GHR.