Feedburner Hosting Malicious JavaScript Dropper

Type threatpost
Reporter Brian Donohue
Modified 2014-01-02T21:16:05


A sub-domain of Google’s Feedburner RSS management platform is hosting a string of malicious JavaScript with an embedded iFrame, all of which is designed to drop a Trojan onto visitors’ machines and redirect them to a series of malicious sites.

According to a report published by the security firm Zscaler, the initial infection page is hxxp://feeds.feedburner[.]com/bileblo. The page reportedly contains a bit of obfuscated JavaScript that further conceals an iFrame, and it is this page that drops the JavaScript Trojan. Once a visitor’s browser de-obfuscates the JavaScript, triggers the iFrame, and receives the Trojan, the victim machine is redirected to one malicious website and then to another.

The purpose of the Trojan, identified by Zscaler as JS/Exploit-Blacole.em, is simply to redirect users to other sites. The immediate redirection leads to hxxp://rsnvlbgcba.ibiz.cc/d/404.php?go=1 and then on to hxxp://fukbb.com/.
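As an added example (not code from the article or from Zscaler’s report), the following Node.js checker flags the injection pattern described above: a script block that decodes a hex-escaped string and writes a zero-size or hidden iFrame into the page. The sample HTML and the redirector hostname are constructed placeholders, and the rules are heuristics, not a signature for the specific sample.

```javascript
// Static scan of page HTML for an obfuscated <script> that conceals a hidden <iframe>.
// Heuristics only; the SAMPLE page below is constructed and uses a placeholder host.
const SUSPICIOUS_CALLS = [
  /\bunescape\s*\(/i,
  /String\.fromCharCode\s*\(/i,
  /\beval\s*\(/i,
  /document\.write\s*\(/i,
];

// Decode "%xx" hex escapes so an iframe built inside the script becomes visible.
function deobfuscate(js) {
  return js.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Return the src of every iframe that is zero-sized or styled invisible.
function hiddenIframes(html) {
  const found = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const zeroSize = /\b(width|height)\s*=\s*["']?0/i.test(attrs);
    const hidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs);
    const src = (attrs.match(/\bsrc\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || '';
    if (zeroSize || hidden) found.push(src);
  }
  return found;
}

// One finding per script block that looks obfuscated (2+ suspicious calls) or
// decodes to a hidden iframe; plus one for hidden iframes in the plain markup.
function scanPage(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    const hits = SUSPICIOUS_CALLS.filter((r) => r.test(body)).length;
    const iframeSrcs = hiddenIframes(deobfuscate(body));
    if (hits >= 2 || iframeSrcs.length) findings.push({ obfuscationHits: hits, iframeSrcs });
  }
  const direct = hiddenIframes(html);
  if (direct.length) findings.push({ obfuscationHits: 0, iframeSrcs: direct });
  return findings;
}

// Constructed sample: a feed page with an injected script writing a 0x0 iframe.
const SAMPLE = `<html><body><p>feed content</p>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fredirector.example.invalid%2Fd%2F404.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));</script>
</body></html>`;
```

Run it on a fetched page body (or on proxy-captured HTML) and treat any finding as a reason to pull the page for manual review.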

An examination of the initial redirect’s source code revealed that the site is merely a stepping stone that leads users to the second redirect. Oddly, the final destination site does not host any malicious content at the moment. However, a VirusTotal analysis performed by Zscaler and Threatpost suggests that the site is a suspicious one that has been associated with malware-related activities in the past.

“We continue to see similar infections using malicious JavaScript injected into legitimate sites to redirect users to malicious sites on a daily basis,” Zscaler researcher Pradeep Kulkarni writes. “Most of the time the infected sites haven’t specifically been targeted, but have become infected during larger attacks conducted using browser exploit kits designed to automate the infection of as many sites as possible.”