Our friends at Zscaler blogged in February of this year about a website compromise involving Karnataka Vikas Grameena Bank (KVGB), a prominent regional rural bank in India. The site was then hosting malicious JavaScript (JS) code that redirected visitors to another domain, which was believed to be malicious at the time. The code was found to be “multilevel obfuscated”. According to the same entry, Zscaler informed the bank about the code injected into its website.
As of 11:05PM (GMT–4:00) on August 25, six months after that blog post was published, GFI Senior Exploit Analyst Francesco Benedini was alerted that the KVGB site was still hosting obfuscated JS code. Below is a screenshot of the code found on the site:
After deobfuscation, Benedini determined that the domain the script redirects to is now inactive, so it currently poses no threat to visitors of the bank's site. The injected script itself, however, is still fully functional: the site remains exposed should that domain come back online or the injected code be updated. We detect the malicious code as Trojan-Downloader.JS.Twettir.a (v), and VirusTotal shows a detection ratio of 24/43 across the AV engines it runs.
Our experts have also pointed out that this attack is related to the MBR rootkit (Trojan-Spy.Madlo) generally known as Sinowal / Mebroot, for two reasons: (1) the obfuscation technique used in this attack is reminiscent of the one used by Sinowal, and (2) the structure of the inactive URL follows the pattern seen in Sinowal infection campaigns.
GFI is currently attempting to reach KVGB in order to help them clean up their website.
Jovi Umawing (Thanks to Adam Thomas for additional information)