Information has been scattered all over the internet. Links after links are being distributed over the web through Facebook, Youtube, blogs, emails, text messages and any other form of online communication. Having said that, this also includes good and bad links which can cause problems to the visitors of these links. Unpatched sites are being exploited with a lot of infected redirections and do contain payloads to attack.
A couple of weeks ago, we received a report about an unauthorized connection that the site makes whenever a visitor checks it. Upon investigating the site, we have traced the infection. A regular user would be having a hard time dissecting the codes to find out the reason for the redirection. The code has been carefully inserted in between the whole site. In this example, it has been injected in the different scripts of the CMS.
The code looks like this:
The decrypted code looks like this:
The decrypted code:
- Makes an HTTP request to the URL that will be decrypted
- Requests a file to be downloaded
At the time of the analysis, the redirected file was almost empty but it leaves a hint though and can be replaced anytime by anything:
The downloaded hint looks like this:
VBE files nowadays are being used for the downloading of payloads which are usually a ransomware. As per Google, VBE files are Executable Files primarily associated with VBScript Encoded Script File. This types of files can be executed on the victim's machine automatically.
Nowadays, VBE files are being abused by the attackers to download the payload for their attacks.
How did the site get injected?
Simply, the owner of the site was not able to perform the update on time - also called the "Zero-Day" period. During which, the hacker attacks are the deadliest as they hit the not updated sites. Once, infected, the hacker can do whatever he wants to the site.
For the website Admins, it is crucial to run updates as soon as a patch has been released to minimize the Zero-day period and prevent an attack the site. For the visitors, it is highly important to be vigilant and to be extra careful with your browsing habits, as this can lead to your computer or any other browsing device getting infected.
Your website is infected with the malware or blocked by the search engines?
Here at Quttera we are cleaning this and other kinds of malware on a daily basis. If you would like our malware analysts to help you, just select appropriate ThreatSign! Anti-Malware plan and get back online.
For other issues and help: Quttera help-desk