Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

CookieBomb Still Dropping Malicious Content

August 15, 2013 - 4 min read

Cookiebomb is malicious obfuscated javascript injected into legitmate sites.  We've talked on this blog about compromised sites before, but this one appears to still be fully functional and actively spreading malicious content to unsuspecting users.  The talent at MalwareMustDie is onto their shenanigans as well.  As they have mentioned, this is a multi-redirection exploitation that uses two stage obfuscation to hide it's malicious payload.  The curious thing about this situation is that few AV vendors have taken note of the good research.  The final dropped file is being detected by only 7/45 vendors.

Below is the analysis of a single sample taken from the final list of infected sites we have seen propagating this threat.

First, there is the obfuscation of a small JS inclusion into a potentially legitimate site.  This is where the CookieBomb sets a name, special variable, expiry date, and access path for the eventual infection.  If the cookie is not readily available, it will create one for you and redirect you to another obfuscated hidden iFrame.  Once the hidden site is visited, it will read the cookie's expiry date and provide redirection and infection at a later point to avoid security vendor detection.

Figure 1: Obfuscated Code

Please note that the comment at the top of the image ("/*0f24908*/") is changed and is not therefore useful for detection.

Figure 2: De-obfuscated code from Fig.1

In the deobfuscated code above, we see another URL delivered in a 1px iFrame.  Going to this site leads to yet another obfuscated page, where the real magic happens.  The very first thing that it does is attempt to confirm the version of browser plug-ins the attackers are up against.




Depending on the version installed, it will send the next portion of the attack. 


The final step sends the malicious payload that the attackers went to so much trouble to obfuscate.  









Attack URLs






Obfuscated content from the obfuscated content

The final drop for this content is a malicious executable that is delivering a small Trojan.  At the time of research, only 7/45 vendors were detecting this content as malicious.







Fiddler session with malicious content being dropped.  (Readme.exe in this case.  Calc.exe in others.)


For the last several weeks, this attack has impacted the below sites:







  •  hxxp://www.citytavern.com/
  • hxxp://www.usadu.cz/park-en/
  • hxxp://bluen.de/jobborse/
  • hxxp://bluen.de/
  • hxxp://www.niblackfuneralhome.com/
  • hxxp://www.kinwindsor.com/
  • hxxp://www.mtldesign.net/
  • hxxp://javiervazquez.me/ernesto/fdjw3hv7.php
  • hxxp://www.cmfurniturerental.com/
  • hxxp://sdrs.splashtop.com/strs01/macupdatenotes/en-us/strs01.html
  • hxxp://www.nauticodiver.de/tauchbas.htm
  • hxxp://www.tmv-alsace-vtt.com/f/parcours.htm
  • hxxp://www.cmstaging.com/
  • hxxp://educationdegreeonlines.com/benefit-from-studying-with-the-laptop/
  • hxxp://www.gute-reise-berlin.de/aussteller.html
  • hxxp://lexespana.com/comunes                                                                                                          
  • hxxp://livehappylife.com/
  • hxxp://corpdeli.com/
  • hxxp://www.sudan-sudan.com/sudan/architecture-sudan-sudan.html
  • hxxp://www.cmfurniturerental.com/index.php?main_page=index&cPath=114&zenid=8557f58ea51118a7bd633015e3b954ec
  • hxxp://www.cherokeecountysc.com/id26.html
  • hxxp://www.gute-reise-berlin.de/startseite.html
  • hxxp://www.selbstversuch-spanien.de/
  • hxxp://educationdegreeonlines.com/
  • hxxp://www.nauticodiver.de/schule.htm
  • hxxp://bluen.de/uber-uns/
  • hxxp://www.nauticodiver.de/impresssum.htm
  • hxxp://www.imschuh.de/
  • hxxp://www.nauticodiver.de/preisliste.htm
  • hxxp://familyreunion.blackamericaweb.com/
  • hxxp://bluen.de/jobborse/spezialist-in-akustikversuch/
  • hxxp://www.uppertraining.com/blog/cisco-mobile-apps-cover-a-surprising-range-of-functionality/
  • hxxp://www.opheij.nl/contact.html
  • hxxp://www.hotelmirallac.com/castellano/tarifas.htm
  • hxxp://www.sugargrovechamber.org/member_listing/34/curt+john+karas,+cpa,+mba,+pc/
  • hxxp://www.kinwindsor.com/favicon.ico
  • hxxp://glassdoctor-denver.calls.net/?gclid=CPLt2r3F-LgCFUFyQgodZxwAjQ
  • hxxp://bluen.de/jobborse/spezialist-in-logistikplanung/
  • hxxp://dreamliftgifts.com/faq.html
  • hxxp://www.gute-reise-berlin.de/kontakt.html
  • hxxp://www.plomberiumpierrefonds.ca/robinets-de-cuisine/
  • hxxp://www.cerexagri.nl/
  • hxxp://www.mrbouncehouse.com/
  • hxxp://guia.lexespana.com/familia/servicio-domestico/extincion-del-contrato/
  • hxxp://www.nauticodiver.de/start.htm
  • hxxp://corpdeli.com/lunch-menu
  • hxxp://www.hotelmirallac.com/castellano/habitaciones.htm
  • hxxp://www.nauticodiver.de/
  • hxxp://www.heapoil.org
  • hxxp://www.mtldesign.net/aboutus.htm
  • hxxp://www.le-vieux-four.com/
  • hxxp://www.cleargridsolutions.com/developer.html
  • hxxp://www.horseridingfun.com/
  • hxxp://educationdegreeonlines.com/2013/07/

The most notable site here is splashtop.com, however, the malicious content has since been removed.  Since AV seems to be uninterested in protecting against this threat, it is advisable to make sure your browsing is safe through other means.

Technical Research: Krishnan Subramanian

form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.