Multi-Step Targeted Attack
Posted on behalf of Martin Lee, Senior Malware Analyst, Symantec Hosted Services
This sophisticated attack was recently intercepted by MessageLabs Intelligence. One
particularly interesting feature was the degree of preparation undertaken
by the attacker, and the fact that it involved two separate defense contractors.
The first step in the attack was for the attacker to gain unauthorised access
to the web site of Defense Contractor A and to create a fake 'press release'
directory. Into this newly created directory the attacker uploaded a landing
page, a page of obfuscated JavaScript containing an exploit, and a malicious
binary.
The second step was for the attacker to research Defense Contractor B and
identify email addresses within that organisation. To these addresses the
attacker sent a series of emails purporting to be from a webmail address
reporting the arrest of Defense Contractor B's CEO for violating US export
regulations. These emails contained a link to the malicious landing page
within that fake press release directory hosted on Contractor A's genuine website.
The landing page fingerprints the visitor's browser and serves one of two exploit pages, depending on whether or not the visitor is using Firefox.
In either case the browser is then directed to download a second file from the
same website. That file contains two layers of obfuscated JavaScript which
exploit the Microsoft Help and Support Center vulnerability publicly disclosed on June 9th
(the hcp:// protocol handler issue, CVE-2010-1885):
http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html
The obfuscated JavaScript then downloads a file with a .txt extension which, despite its name, is a binary executable. The binary is fetched within an iframe:
The second layer of obfuscated JavaScript, once decoded, executes the downloaded binary with the following command:
The malicious file then downloads further instructions.
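As an added example (not code from the original post, nor Symantec's or the attacker's), the following Node.js script reproduces the two parts of this chain that a defender most needs to handle: the landing page's browser branching, which means a single fetch with one User-Agent never reveals the whole attack, and the executable served with a .txt extension, which means the file name cannot be trusted and the content must be checked for a PE header. The directory and file names under /press-release/, the User-Agent strings and the byte buffer standing in for the downloaded "text" file are all constructed for this illustration.

```javascript
'use strict';
// Added illustration, not code from the original post. Paths, user-agent
// strings and the sample payload bytes below are all constructed.

// Part 1: the landing page branched on whether the visitor ran Firefox.
// Mirroring that branch shows why an analyst must replay the page with
// several User-Agents: one fetch only ever reveals one exploit path.
const FIREFOX_BRANCH = '/press-release/ff.js';   // hypothetical file names
const OTHER_BRANCH = '/press-release/ie.js';

function selectExploitPath(userAgent) {
  return /\bFirefox\/\d/.test(userAgent) ? FIREFOX_BRANCH : OTHER_BRANCH;
}

// Replay the branch decision for every User-Agent an analyst would try and
// return the distinct second-stage URLs the landing page can hand out.
function enumerateBranches(userAgents) {
  return [...new Set(userAgents.map(selectExploitPath))];
}

// Part 2: the payload arrived as ".txt" but was a Windows executable.
// Judge the bytes, not the name: a PE file starts with 'MZ' and the
// little-endian offset stored at 0x3C (e_lfanew) points at 'PE\0\0'.
function looksLikePe(bytes) {
  if (bytes.length < 0x40) return false;
  if (bytes[0] !== 0x4d || bytes[1] !== 0x5a) return false;   // 'M','Z'
  const eLfanew = bytes.readUInt32LE(0x3c);
  if (eLfanew + 4 > bytes.length) return false;             // truncated header
  return bytes.readUInt32LE(eLfanew) === 0x00004550;          // 'P','E',0,0
}

const EXECUTABLE_EXTENSIONS = new Set(['exe', 'dll', 'scr', 'sys', 'cpl']);

// Flag a download whose URL claims a harmless extension while its content
// is a PE image, the disguise used in this attack.
function classifyDownload(urlPath, bytes) {
  const m = /\.([a-z0-9]+)$/i.exec(urlPath);
  const ext = m ? m[1].toLowerCase() : '';
  const isPe = looksLikePe(bytes);
  return { ext, isPe, disguised: isPe && !EXECUTABLE_EXTENSIONS.has(ext) };
}

// Constructed stand-in for the downloaded ".txt": a minimal buffer with a
// valid DOS stub signature and e_lfanew pointing at a PE signature at 0x80.
function buildSamplePe() {
  const buf = Buffer.alloc(0x100, 0);
  buf.write('MZ', 0, 'ascii');
  buf.writeUInt32LE(0x80, 0x3c);        // e_lfanew
  buf.writeUInt32LE(0x00004550, 0x80);  // 'PE\0\0'
  return buf;
}

// Constructed User-Agent strings of the era (Firefox 3.6 and IE 7 on XP).
const SAMPLE_USER_AGENTS = [
  'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6',
  'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('second-stage URLs:', enumerateBranches(SAMPLE_USER_AGENTS));
  console.log('update.txt:', classifyDownload('/press-release/update.txt', buildSamplePe()));
  console.log('notes.txt :', classifyDownload('/press-release/notes.txt', Buffer.from('Press release text')));
}
```

The branch replay is the reason a proxy or gateway that fetched the landing page once with its own User-Agent could report it clean; each of the exploit pages is only reachable from the browser family it targets. The PE check is deliberately stricter than testing for "MZ" alone, since that two-byte prefix also appears at the start of DOS stubs and some non-PE files; following e_lfanew to the "PE\0\0" signature is what a gateway should do before trusting a .txt extension or a text/plain content type.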
The Symantec Intelligence Blog published by Symantec.cloud serves as a conduit for communicating Intelligence data, trends and statistics based on analysis of cyber security threats, trends and insights from the Symantec Intelligence team comprised of many world-renowned malware and spam experts. Sitting on the front lines of defense, they have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day.
Comments (1)
@Marissa,
For casual users like me such deep steps to read are really scary and go high above the head. How about creating a video tutorial of the steps in the targeted attack? That way, I feel, it would create a heightened awareness about such attacks, right?