Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research SideNote: "CuteQQ"

June 10, 2010 - 2 min read

A report of the malicious JavaScript on can be seen in this Wepawet report. I noticed that within the JS, the variable name "cuteqq" was used for evaluating the payload - this sounded really familiar. Google "cuteqq malware" and 784 results returned ... CuteQQ is actually a browser exploit toolkit that was popular during 2008. Google for "var cuteqq" and there are several more interesting results including those marked "This site may harm your computer."

Here is a VirusTotal report for an early version of the CVE-2010-0249 ("Aurora") exploit, showing that the malicious binary was authored by the "Cuteqq Software Team"

"Cuteqq" does seem to have its usage in several Chinese exploits / variable names. (QQ is a popular Chinese web service for email, chat, news, etc.)

VirusTotal analysis of the actual payloads shows that most A/V vendors (including our inline A/V solution) detect the malicious payloads dropped by the infected webservers:

Neither of these payloads attributed themselves to the "Cuteqq" team directly within the binary signature / authorship information.

WHOIS information for the two domains related to this incident show CN attribution:

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.