On Monday of this week, Tre.it, the website of a major Italian cellular provider, served malware to visitors via drive-by downloads. The set of requests that began with a visit to the Tre.it index page and ended with the installation of malware is as follows.
In the above chain, wifi.php?styles=343 contains obfuscated malicious content generated by a new variant of the Sweet Orange Exploit Kit. Included in the file is an exploit for CVE-2013-2551, which successfully compromised the browser in our URL analysis honeypot. Uploading the file to VirusTotal reveals that just 1 of 55 tools successfully identifies the exploit as malicious.