On Monday of this week Tre.it, the website of a major Italian cellular provider, served malware to visitors via drive-by downloads. The set of requests that began with a visit to the Tre.it index page and ended with the installation of malware is as follows.
hxxp://tre[.]it
-> hxxp://www[.]tre[.]it
–> hxxp://www[.]tre[.]it/res/js/adv/adv.js
—> hxxp://adv[.]tre[.]it/www/delivery/spc.php?zones=<…>
—-> hxxp://scream[.]padsandpalaces[.]com/js/ads/show_ads.js?ver=4
—–> hxxp://nissan[.]charubhashini[.]info:9290/updates/help/js/wifi.php?styles=343
——> hxxp://nn[.]rainbowthots[.]in:9290/style.php?howto=<…>
In the above chain, wifi.php?styles=343 contains obfuscated malicious content generated by a new variant of the Sweet Orange Exploit Kit. Included in the file is an exploit for CVE-2013-2551, which successfully compromised the browser in our URL analysis honeypot. Uploading the file to VirusTotal reveals that just 1 of 55 tools successfully identify the exploit as malicious.
As always, a PCAP capture file attesting to the details of this event is available via Threatglass.
Christine Barry est Senior Chief Blogger et Social Media Manager chez Barracuda. Avant de rejoindre Barracuda, Christine a été ingénieur de terrain et chef de projet pour des clients K12 et PME pendant plus de 15 ans. Elle est titulaire de plusieurs diplômes en technologie et en gestion de projet, d'un "Bachelor of Arts" et d'un "Master of Business Administration".Elle est diplômée de l'université du Michigan.
Connectez-vous avec Christine sur LinkedIn.
