Friday, July 10, 2009

Combination Exploit and Spam ..."cinesc.com.br", "illusionfest.ru", "mp3musicsool.ru" and "qajtogap.cn"


A new combination attack vector has surfaced: the page http://cinesc.com.br/ddjg.html contains a redirect link to a Canadian Pharmacy spam site (qajtogap.cn) and also an obfuscated iframe link, built through the DOM, that redirects visitors to the exploit site http://illusionfest.ru/coperfild.html.


Figure 1: http://cinesc.com.br/ddjg.html


Figure 2: qajtogap.cn


Figure 3: Decode


Copy the string below and replace every "#", "@" and "!" symbol with nothing; the result will look like figure 4. Unescape that to get the link shown in figure 5.
#%@!6!8!#%@!7!4!#%@!7!4!#%@!7!0!#%@!3!a!#%@!2!f!#%@!2!f!#%@!6!9!#%@!6!c!#%@!6!c!#%@!7!5!#%@!7!3!#%@!6!9!#%@!6!f!#%@!6!e!#%@!6!6!#%@!6!5!#%@!7!3!#%@!7!4!#%@!2!e!#%@!7!2!#%@!7!5!#%@!2!f!#%@!6!3!#%@!6!f!#%@!7!0!#%@!6!5!#%@!7!2!#%@!6!6!#%@!6!9!#%@!6!c!#%@!6!4!#%@!2!e!#%@!6!8!#%@!7!4!#%@!6!d!#%@!6!c!
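A small decoder for the string above, added here as an example and not part of the original post: it performs the same two steps described, stripping the three padding characters and then emulating JavaScript's unescape() (which also handles %uXXXX, unlike a plain URL decoder). Function names are my own.

```python
import re

# The obfuscated string exactly as shown in figure 3, split across lines.
OBFUSCATED = (
    "#%@!6!8!#%@!7!4!#%@!7!4!#%@!7!0!#%@!3!a!#%@!2!f!"
    "#%@!2!f!#%@!6!9!#%@!6!c!#%@!6!c!#%@!7!5!#%@!7!3!"
    "#%@!6!9!#%@!6!f!#%@!6!e!#%@!6!6!#%@!6!5!#%@!7!3!"
    "#%@!7!4!#%@!2!e!#%@!7!2!#%@!7!5!#%@!2!f!#%@!6!3!"
    "#%@!6!f!#%@!7!0!#%@!6!5!#%@!7!2!#%@!6!6!#%@!6!9!"
    "#%@!6!c!#%@!6!4!#%@!2!e!#%@!6!8!#%@!7!4!#%@!6!d!"
    "#%@!6!c!"
)

ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def strip_junk(s, junk="#@!"):
    """Step 1: drop the padding characters inserted between the hex digits
    (figure 4 form)."""
    return s.translate({ord(c): None for c in junk})


def js_unescape(s):
    """Step 2: emulate JavaScript's unescape(): %XX and %uXXXX sequences are
    decoded, anything that is not a valid escape is left as-is."""
    def repl(m):
        hex_digits = m.group(1) or m.group(2)
        return chr(int(hex_digits, 16))
    return ESCAPE_RE.sub(repl, s)


def decode(s, junk="#@!"):
    """Full decode: strip padding, then unescape (figure 5 form)."""
    return js_unescape(strip_junk(s, junk))


def extract_urls(text):
    """Pull out URLs from decoded content, e.g. for a blocklist or alert."""
    return URL_RE.findall(text)


if __name__ == "__main__":
    print(strip_junk(OBFUSCATED))
    print(decode(OBFUSCATED))
```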

Figure 4: Unicode



Figure 5: exploit links http://illusionfest.ru/coperfild.html

http://illusionfest.ru/coperfild.html
Level 1: http://illusionfest.ru/sobolinghel.html
Level 2: http://mp3musicsool.ru/travel/index.php
Level 3: http://mp3musicsool.ru/travel/inEthicsIs.pdf
Level 3: http://mp3musicsool.ru/travel/bcWebSimply.swf
Level 4: http://mp3musicsool.ru/travel/update.php


A few other potentially suspicious domains also use mp3musicsool.ru, under another name, as their nameserver:



Visiting that website is enough to infect a system, especially if the visitor does not have the latest Acrobat Reader and Flash Player. JavaScript embedded in the PDF or Flash file causes a malicious executable to be downloaded from http://mp3musicsool.ru/travel/update.php (unable to download). For information, the PDF file exploits the Adobe util.printf and getIcon functions.


..the end
