One of our blog readers, Mr. Jon Leathery informed me yesterday about a link in a Google News search leading to a malicious website. “Laurence Fishburne leaving CSI”, was a popular topic recently and was being taken advantage of to spread malware. Here is the screenshot of a Google news search with that term:
Once decoded, it will reveal a script tag, pointing to a malicious website. Here is the decoded content:
The above code is highly obfuscated with every string randomized. Automated analysis tools failed to decode it and manual analysis was required, which I will explain in a separate blog. The above malicious exploit code exploits various known vulnerabilities to download additional malware on the system. Here is the Fiddler
capture of the malicious requests:
The exploit code downloads multiple malicious JAR files on the system after exploitation. The VirusTotal
results remains very poor for one of the malicious JAR files, with only 2 out of 43 Antivirus triggering on it. Fake Antivirus pages also commonly use the technique of checking referrer strings before loading page content. The malicious content is only loaded if the victim is coming from a Google search page. The trust that people place in Google search results is being abused to social engineer victims into believing that malicious search result links are safe. Unfortunately, nothing could be further from the truth.