Below is the analysis of a single sample taken from the final list of infected sites we have seen propagating this threat.
First, there is the obfuscation of a small JS inclusion into a potentially legitimate site. This is where the CookieBomb sets a name, special variable, expiry date, and access path for the eventual infection. If the cookie is not readily available, it will create one for you and redirect you to another obfuscated hidden iFrame. Once the hidden site is visited, it will read the cookie's expiry date and provide redirection and infection at a later point to avoid security vendor detection.
|Figure 1: Obfuscated Code|
Please note that the comment at the top of the image ("/*0f24908*/") is changed and is not therefore useful for detection.
|Figure 2: De-obfuscated code from Fig.1|
In the deobfuscated code above, we see another URL delivered in a 1px iFrame. Going to this site leads to yet another obfuscated page, where the real magic happens. The very first thing that it does is attempt to confirm the version of browser plug-ins the attackers are up against.
|Depending on the version installed, it will send the next portion of the attack.|
The final step sends the malicious payload that the attackers went to so much trouble to obfuscate.
|Obfuscated content from the obfuscated content|
The final drop for this content is a malicious executable that is delivering a small Trojan. At the time of research, only 7/45 vendors were detecting this content as malicious.
|Fiddler session with malicious content being dropped. (Readme.exe in this case. Calc.exe in others.)|
For the last several weeks, this attack has impacted the below sites:
The most notable site here is splashtop.com, however, the malicious content has since been removed. Since AV seems to be uninterested in protecting against this threat, it is advisable to make sure your browsing is safe through other means.
Technical Research: Krishnan Subramanian