On Monday of this week Tre.it, the website of a major Italian cellular provider, served malware to visitors via drive-by downloads. The set of requests that began with a visit to the Tre.it index page and ended with the installation of malware is as follows.
hxxp://tre[.]it
-> hxxp://www[.]tre[.]it
--> hxxp://www[.]tre[.]it/res/js/adv/adv.js
---> hxxp://adv[.]tre[.]it/www/delivery/spc.php?zones=<…>
----> hxxp://scream[.]padsandpalaces[.]com/js/ads/show_ads.js?ver=4
-----> hxxp://nissan[.]charubhashini[.]info:9290/updates/help/js/wifi.php?styles=343
------> hxxp://nn[.]rainbowthots[.]in:9290/style.php?howto=<…>
In the above chain, wifi.php?styles=343 contains obfuscated malicious content generated by a new variant of the Sweet Orange Exploit Kit. Included in the file is an exploit for CVE-2013-2551, which successfully compromised the browser in our URL analysis honeypot. Uploading the file to VirusTotal reveals that just 1 of 55 tools identifies the exploit as malicious.
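The chain above is the kind of thing an analyst reconstructs from a proxy log or a PCAP, and the useful questions are where the requests first leave the site's own domain and which hops carry unusual indicators. The following script is an added example, not part of the original post or of Threatglass: it refangs the defanged URLs listed above (copied verbatim, with the elided query values left as given), walks the chain hop by hop, and reports the first off-site hop plus any hop on a non-standard port or served by a PHP script. The first-party domain (tre.it), the "standard web port" set and the two-label domain heuristic are assumptions chosen for this chain.

```python
# Added example (not from the original post): walk a defanged redirect chain
# and flag the hops a defender would want to look at first.
from urllib.parse import urlsplit

# The request chain exactly as listed in the post (defanged). The "<…>"
# query values are elided in the original and are left as-is here.
CHAIN = [
    "hxxp://tre[.]it",
    "hxxp://www[.]tre[.]it",
    "hxxp://www[.]tre[.]it/res/js/adv/adv.js",
    "hxxp://adv[.]tre[.]it/www/delivery/spc.php?zones=<…>",
    "hxxp://scream[.]padsandpalaces[.]com/js/ads/show_ads.js?ver=4",
    "hxxp://nissan[.]charubhashini[.]info:9290/updates/help/js/wifi.php?styles=343",
    "hxxp://nn[.]rainbowthots[.]in:9290/style.php?howto=<…>",
]

FIRST_PARTY = "tre.it"          # assumption: the site the visit started on
WEB_PORTS = {None, 80, 443}     # assumption: anything else is worth a look


def refang(url):
    """Turn a defanged IoC back into a parseable URL (hxxp -> http, [.] -> .)."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the TLDs in this chain;
    a real tool would use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def analyse_chain(chain, first_party=FIRST_PARTY):
    """Return one finding per hop: host, port and the indicators raised."""
    findings = []
    for index, defanged in enumerate(chain):
        parts = urlsplit(refang(defanged))
        host = parts.hostname or ""
        try:
            port = parts.port          # None when no explicit port is given
        except ValueError:
            port = None                # malformed port: treat as unknown
        findings.append({
            "index": index,
            "host": host,
            "port": port,
            "third_party": registrable_domain(host) != first_party,
            "nonstandard_port": port not in WEB_PORTS,
            # Script content served by a server-side script is typical of
            # ad-delivery and exploit-kit landing pages rather than static JS.
            "dynamic_script": parts.path.lower().endswith(".php"),
        })
    return findings


def first_offsite_hop(chain, first_party=FIRST_PARTY):
    """Index of the first request that leaves the first-party domain, or None."""
    for finding in analyse_chain(chain, first_party):
        if finding["third_party"]:
            return finding["index"]
    return None


def flagged_hops(chain, first_party=FIRST_PARTY):
    """Indices of hops with at least one indicator beyond being third party."""
    return [f["index"] for f in analyse_chain(chain, first_party)
            if f["nonstandard_port"] or f["dynamic_script"]]


if __name__ == "__main__":
    for f in analyse_chain(CHAIN):
        flags = [k for k in ("third_party", "nonstandard_port", "dynamic_script") if f[k]]
        print(f"{f['index']}: {f['host']}:{f['port'] or 80} {' '.join(flags)}")
    print("first off-site hop:", first_offsite_hop(CHAIN))
    print("flagged hops:", flagged_hops(CHAIN))
```

Run against the chain from the post, the first off-site hop is index 4 (the padsandpalaces.com ad script loaded through the site's own ad server), and the two hops on port 9290 are the ones that deliver the exploit kit content. The same walk over a proxy log lets a defender spot where a legitimate site's ad path hands control to infrastructure it does not own.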
As always, a PCAP capture file attesting to the details of this event is available via Threatglass.

Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.