Our honeypots discovered a compromise on TeamSpeak's, a company specializing in high-quality voice communication over the Internet, Brazilian forum.
The exploit redirects traffic to an exploit kit (DotCache) landing page as illustrated below (click to enlarge):
Fiddler capture showing infection workflow
The trail starts with code injected into the forum's page:
In fact, this infection looks familiar and was described in details by Kahu Security on a similar forum hack.
As with many other cases, reconstructing the attack involves looking at all the hops, and in this example we have two additional redirects:
That first one (see above) goes to mumeo[dot]biz which should ring a bell if you follow the exploit kit ecosystem. Finally, we arrive at the final destination, the exploit kit landing pages hosted on atvisti[dot]ro:
The site houses a forum for ATV enthusiasts and has also been compromised. The landing page shows an interesting blurb identified by Kahu Security as JJencode code:
Following the guidelines from Kahu Security's post, we can reverse engineer this gibberish into human readable code:
Now we know what is going on: it is preparing a Java exploit:
If the Java exploit succeeds the final payload is loaded. In this particular example, the payload was the Zero Access Trojan which Malwarebytes Anti-Malware detects as Rootkit.0Access.
As always, it is better to prevent the infection from happening in the first place. Malwarebytes Anti-Exploit can proactively detect and block the Java exploit on-the-fly, stopping the drive-by download in its tracks.
We have reached out to TeamSpeak's Brazilian forum and hope they can clean the site as well as fix the vulnerability promptly to avoid further infections.
Jerome Segura (@jeromesegura) is a senior security researcher at Malwarebytes.