Sweet Orange at phoenixareaspecialists[.]com

[Screenshot: phoenixareaspecialists]

  • Injected iframe* loads landing page located at dbgpvlxy.sytes[.]net:12601 /sql/gentoo.php?deals=82
    (copy of landing page for your review: [pastebin])
  • Landing page loads malicious jar file from: dbgpvlxy.sytes[.]net:12601 /sql/teQMpowa.jar
    (In this case only the .jar file was delivered. Requests for the .jnlp file failed).
  • Encoded payload after successful exploit (note the different subdomain): ngoydafv.sytes[.]net:12601 /version.php?back=300&meta=4&asia=664&courses=171&site=751&left=119&icons=7&title=131&radio=519&specials=2102441894

At the time of this encounter both of the above domains were at IP 95.163.121.171.
Passive DNS shows a number of suspect domains registered with this IP: http://www.bfk.de/bfk_dnslogger.html?query=95.163.121.171#result

After the successful binary download, POST traffic to base.mustangnation[.]org /guardingfg/forum.php was observed with a fake User-Agent of Mozilla/4.0, Content-Type: application/octet-stream and Vary: User-Agent.

[Screenshot: phoenixareaspecialist-post]

Also observed: GET requests for /pl/bor.mod and /pl/pon.mod from base.dynastyspirits[.]com.
These appear to be PKzipped files but I haven’t yet had the opportunity to further examine them and VirusTotal reports zero detections (see below).

[Screenshot: phoenixareaspecialist-bor-mod]

Both base.mustangnation[.]org and base.dynastyspirits[.]com were at IP 130.0.238.26 when this encounter occurred.
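The indicator chain above (dynamic-DNS host on a non-standard port, the /version.php request with its run of integer parameters, the bare Mozilla/4.0 POST with an octet-stream body, and the /pl/*.mod fetches) can be turned into proxy-log detection logic. The following is an added example, not part of the original post; the tab-separated log format and the sample lines are constructed, with hosts and paths taken from the indicators listed here.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (tab-separated: method, URL, User-Agent, Content-Type).
# Hosts and paths mirror the indicators in the post; the log lines themselves are made up.
SAMPLE_LOG = """\
GET\thttp://dbgpvlxy.sytes.net:12601/sql/gentoo.php?deals=82\tMozilla/5.0 (Windows NT 6.1)\t-
GET\thttp://dbgpvlxy.sytes.net:12601/sql/teQMpowa.jar\tMozilla/4.0 (Windows NT 6.1) Java/1.7.0_21\t-
GET\thttp://ngoydafv.sytes.net:12601/version.php?back=300&meta=4&asia=664&courses=171&site=751&left=119&icons=7&title=131&radio=519&specials=2102441894\tMozilla/4.0 (Windows NT 6.1) Java/1.7.0_21\t-
POST\thttp://base.mustangnation.org/guardingfg/forum.php\tMozilla/4.0\tapplication/octet-stream
GET\thttp://base.dynastyspirits.com/pl/bor.mod\tMozilla/4.0\t-
GET\thttp://www.example.com/forum.php?id=1&page=2\tMozilla/5.0 (Windows NT 6.1)\t-
"""

DYNDNS_SUFFIXES = (".sytes.net",)  # dynamic-DNS provider used by this chain
NUMERIC_PARAMS_MIN = 8             # the observed /version.php request carried 10


def classify(line: str) -> list[str]:
    """Return the names of the Sweet Orange indicators matched by one log line."""
    method, url, ua, ctype = line.split("\t")
    u = urlsplit(url)
    host = u.hostname or ""
    params = parse_qs(u.query, keep_blank_values=True)
    hits: list[str] = []
    # 1. Landing page or JAR served from dynamic DNS on a non-standard port.
    if (host.endswith(DYNDNS_SUFFIXES) and u.port not in (None, 80, 443)
            and u.path.endswith((".php", ".jar"))):
        hits.append("dyndns_nonstd_port_php_or_jar")
    # 2. Post-exploit payload fetch: /version.php with a long run of integer-valued parameters.
    if (u.path.endswith("/version.php") and len(params) >= NUMERIC_PARAMS_MIN
            and all(v[0].isdigit() for v in params.values())):
        hits.append("version_php_numeric_params")
    # 3. Check-in: POST to forum.php with a bare "Mozilla/4.0" UA and an octet-stream body.
    if (method == "POST" and u.path.endswith("/forum.php") and ua == "Mozilla/4.0"
            and ctype == "application/octet-stream"):
        hits.append("post_bare_mozilla4_octet_stream")
    # 4. Follow-on module downloads of the /pl/<name>.mod form.
    if method == "GET" and re.fullmatch(r"/pl/[^/]+\.mod", u.path):
        hits.append("pl_mod_download")
    return hits


def scan(log: str) -> dict[str, list[str]]:
    """Map each suspicious URL to its matched indicators; clean lines are omitted."""
    return {line.split("\t")[1]: h for line in log.splitlines() if (h := classify(line))}


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_LOG).items():
        print(", ".join(hits), "<-", url)
```

Rule 1 deliberately keys on the dynamic-DNS suffix plus a non-standard port rather than the specific subdomains, since those rotate; tune the suffix list and the parameter threshold to the environment's baseline.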

VT:
teQMpowa.jar:
https://www.virustotal.com/en/file/43e0d2d9f65ba76ac1a027de33c6a5463ad54152c54a9035b07c6e480d557404/analysis/1380876246/
bor.mod:
https://www.virustotal.com/en/file/977720b8d477bc9dde462927b6365f9ac8c7aabdf416d2065fda4760ca6b97d1/analysis/1380876300/
pon.mod:
https://www.virustotal.com/en/file/dbde38b8f3636b0c17f89a94650a17b334694e2a79aa25f1c7ec0583b63a748e/analysis/1380876372/

*This appears to be related to the iframe campaign recently reported by Sucuri.