Trend Micro threat researchers were recently alerted to yet another Web threat being perpetrated on a very popular e-commerce Web site, but with a new twist: this threat had all the markings of a Chinese-related, cyber-underground maneuver.
Research Project Manager Ivan Macalintal reported that almost 300 pages on the said site had been injected with malicious code that redirects through a number of URLs, which eventually lead to a .TXT file full of links to yet more malware. Most of the infected pages were found to be ViewItem pages of gold-plated jewelry like the one below.
Below is an image of the infection chain: [image not reproduced here]
The first three redirections lead the victim to URLs all detected by Trend Micro as JS_ADODB.FP.
The third redirection connects the victim to various exploit pages, detected as the following:
- hxxp://www.mvoe.cn/all/a014.js – HTML_ADODB.EP
- hxxp://www.mvoe.cn/all/arl.js – TROJ_REPL.CE
- hxxp://www.mvoe.cn/all/abf.js – HTML_SHELLCOD.DE
- hxxp://www.mvoe.cn/all/alz.htm – TROJ_IFRAMEBO.BD
- hxxp://www.mvoe.cn/all/anrl.htm – TROJ_EXPLOIT.FP
All the aforementioned pages then connect to hxxp://w.117b.cn/net/are.exe, which is detected as PE_CAOLYWA.E-O. Upon connection, a config file located at hxxp://w.117b.cn/config.txt is accessed. This file contains the bulk of the malware code, which connects to 30 URLs to download TROJ_DLOADER and TSPY_ONLINEG variants.
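For a site owner or responder who wants to check their own pages against the indicators listed above, the following is an added example (not Trend Micro's code or tooling) of a small page scanner. It stores the URLs from this post defanged (hxxp), refangs them only to extract hostnames, and then searches the raw page text for any URL on those hosts. It deliberately matches on raw text rather than on parsed tags, because the injected snippet in this incident was broken by a missing tag, and an HTML parser might silently discard exactly the malformed `<script>` or `<iframe>` that carries the reference. The sample page, the product title and the offsets are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post, stored defanged (hxxp) so the list itself is inert.
# The values are the detection names the post gives for each URL.
DEFANGED_IOCS = {
    "hxxp://www.mvoe.cn/all/a014.js": "HTML_ADODB.EP",
    "hxxp://www.mvoe.cn/all/arl.js": "TROJ_REPL.CE",
    "hxxp://www.mvoe.cn/all/abf.js": "HTML_SHELLCOD.DE",
    "hxxp://www.mvoe.cn/all/alz.htm": "TROJ_IFRAMEBO.BD",
    "hxxp://www.mvoe.cn/all/anrl.htm": "TROJ_EXPLOIT.FP",
    "hxxp://w.117b.cn/net/are.exe": "PE_CAOLYWA.E-O",
    "hxxp://w.117b.cn/config.txt": "config file (download list)",
    "hxxp://w.117b.cn/net/new.htm": "JS_ADODB.FP",
}


def refang(url: str) -> str:
    """Turn the defanged scheme back into a real one so urlparse can read it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


# urlparse(...).hostname is already lower-cased, so host comparisons are case-insensitive.
BLOCKED_HOSTS = {urlparse(refang(u)).hostname for u in DEFANGED_IOCS}
KNOWN_URLS = {refang(u): name for u, name in DEFANGED_IOCS.items()}

# Match URLs in the raw page text: a malformed or unterminated tag still carries
# the URL string even when an HTML parser would drop the element.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def scan_page(html: str) -> list[dict]:
    """Return one finding per URL in the page whose host is on the blocklist."""
    findings = []
    for m in URL_RE.finditer(html):
        url = m.group(0)
        host = urlparse(url).hostname
        if host and host in BLOCKED_HOSTS:
            findings.append({
                "url": url,
                "host": host,
                "label": KNOWN_URLS.get(url.lower(), "unlisted path on blocked host"),
                "offset": m.start(),
            })
    return findings


def hosts_seen(findings: list[dict]) -> list[str]:
    """Distinct blocked hosts referenced by a page, sorted for stable reporting."""
    return sorted({f["host"] for f in findings})


# Constructed sample page: one legitimate script, one injected script tag pointing
# at a listed host, and one injected iframe whose closing tag is missing (as in the post).
SAMPLE_PAGE = """<html><head><title>Gold plated bracelet - ViewItem</title>
<script src="/static/site.js"></script>
<script src="http://www.mvoe.cn/all/a014.js"></script>
</head><body>
<p>Item description</p>
<iframe src="http://w.117b.cn/net/new.htm" width=0 height=0
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f"offset {f['offset']}: {f['url']} -> {f['label']}")
    print("blocked hosts referenced:", hosts_seen(scan_page(SAMPLE_PAGE)))
```

Run it over exported copies of the site's pages (or over a web server's access and error logs, where the same regex applies) and treat any hit as a page to take offline and clean. Matching on hostnames rather than full paths is intentional: the post shows several paths on the same two hosts, and a new path on a known bad host is still worth flagging.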
That is obviously not good.
That is what could have happened, had the code worked successfully. Further research by threat analysts reveals that this “bouncing Web threat” never got its bounce to begin with; a missing tag prevented the infection chain from actually ever taking place.
Researchers have also found a related malicious link indicating that more malicious files may be stored on the same domain: hxxp://w.117b.cn/net/new.htm is detected as JS_ADODB.FP and also connects to the same exploit pages used in the foiled attack against the popular e-commerce company.
A close call indeed, but Trend Micro isn’t taking any chances. This same attack may have been used on other sites than just this popular e-commerce site and may unfortunately have worked like a charm there. Trend Micro customers are already protected from this threat. All involved malicious URLs are now blocked by WTP (Web Threat Protection). Trend Micro advises users to keep the URL Filtering feature enabled in their product.
At the time of writing, Trend Micro has advised the concerned site of the attempted attack in order that any affected pages can be cleaned up.