On Monday of this week Tre.it, the website of a major Italian cellular provider, served malware to visitors via drive-by downloads. The set of requests that began with a visit to the Tre.it index page and ended with the installation of malware is as follows.
hxxp://tre[.]it
-> hxxp://www[.]tre[.]it
–> hxxp://www[.]tre[.]it/res/js/adv/adv.js
—> hxxp://adv[.]tre[.]it/www/delivery/spc.php?zones=<…>
—-> hxxp://scream[.]padsandpalaces[.]com/js/ads/show_ads.js?ver=4
—–> hxxp://nissan[.]charubhashini[.]info:9290/updates/help/js/wifi.php?styles=343
——> hxxp://nn[.]rainbowthots[.]in:9290/style.php?howto=<…>
In the above chain, wifi.php?styles=343 contains obfuscated malicious content generated by a new variant of the Sweet Orange Exploit Kit. Included in the file is an exploit for CVE-2013-2551, which successfully compromised the browser in our URL analysis honeypot. Uploading the file to VirusTotal reveals that just 1 of 55 tools successfully identify the exploit as malicious.
As always, a PCAP capture file attesting to the details of this event is available via Threatglass.