Gizmodo Brazil Compromised, Leads to Backdoor

  • Posted on: July 30, 2014 at 1:04 pm
  • Posted in: Malware
  • Author: Fernando Mercês (Senior Threat Researcher)

Recently, I learned that attackers compromised Gizmodo’s Brazilian regional site. The attackers modified the Gizmodo main page to add a script that redirected visitors to another compromised website. This second compromised site was hosted in Sweden and used a .se domain name. The attackers also uploaded a web shell onto this Swedish-hosted site to keep control of that server.

Opening the compromised site loads a malicious URL, which contains a fake Adobe Flash download page in Portuguese:

Figure 1. Fake Flash download page

This file is actually a backdoor, detected as BKDR_GRAFTOR.GHR. (It should also be noted that the current Flash Player version is 14.0.0.145, a far cry from the version advertised on this page.)

This backdoor was actually hosted on Google Drive; trying to download it now gives a message that it has reached the download limit.

Figure 2. Google Drive message

We can see that attackers used a legitimate service in order to trick users into thinking that the downloaded file was not malicious. Based on our investigation, another website – this one belonging to a logistics firm – was compromised in a similar way. Both Gizmodo and this logistics firm’s site were hosted on UOL, the biggest ISP and content provider in Brazil. We are currently investigating if a vulnerability was used in order to penetrate the web servers.

Gizmodo Brazil was notified of this threat and immediately removed the compromised code from their servers. In addition, we have notified Google about the malicious file hosted on Google Drive so it can be deleted as well. Trend Micro products already block the various aspects of this threat.

Update as of 11:25 PM, July 30, 2014

The hash involved in this attack is:

  • cd9efd3652b69be841c2929ec87f3108571bf285

Update as of 1:40 PM, August 4, 2014

The detection BKDR_GRAFTOR.GHR has been renamed to BKDR_QULKONWI.GHR.
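As an added example (not part of the original post), a small defender-side triage script in Python that covers the two checks a site owner would want after reading the above: it flags script sources and redirect targets in a page's HTML that point off the site's own domain, the kind of injection described on the Gizmodo main page, and it compares a downloaded file's SHA-1 against the hash given in the update. The sample HTML and the domains in it are constructed placeholders, not the actual sites involved.

```python
import hashlib
import re
from urllib.parse import urlparse

# SHA-1 published in the post's update for the sample detected as
# BKDR_QULKONWI.GHR (formerly BKDR_GRAFTOR.GHR).
KNOWN_BAD_SHA1 = {"cd9efd3652b69be841c2929ec87f3108571bf285"}

# Constructed sample markup: one legitimate same-site script, one injected
# off-site script and one inline redirect, mimicking the chain in the post.
# The domains are placeholders, not the real compromised hosts.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-compromised.se/flash/update.js"></script>
<script>window.location.href="https://download.example-compromised.se/flash.html";</script>
</head><body>...</body></html>"""

# Heuristic patterns for quick triage of a page dump; a full HTML/JS parser
# would be needed for obfuscated injections.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
REDIRECT = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I)


def offsite_references(html, site_host):
    """Return (kind, url) pairs for script sources and redirect targets
    whose host is neither site_host nor one of its subdomains."""
    site_host = site_host.lower()
    found = []
    for kind, pattern in (("script", SCRIPT_SRC),
                          ("redirect", REDIRECT),
                          ("meta-refresh", META_REFRESH)):
        for url in pattern.findall(html):
            host = urlparse(url).netloc.lower()  # empty for relative URLs
            if host and host != site_host and not host.endswith("." + site_host):
                found.append((kind, url))
    return found


def sha1_is_known_bad(data):
    """True if the SHA-1 of the given bytes matches the published indicator."""
    return hashlib.sha1(data).hexdigest() in KNOWN_BAD_SHA1


if __name__ == "__main__":
    for kind, url in offsite_references(SAMPLE_HTML, "gizmodo.example.br"):
        print(f"off-site {kind}: {url}")
```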

Tags: adobe flash, compromised site, Gizmodo Brazil, Google Drive