Researchers from Microsoft’s Malware Protection Center came across a social welfare website that was hacked and modified to serve visitors a piece of malware each time they think they download a useful document.
The site in question is from Romania and it shows up among the first results in search engines when Internet users look for “asistenta sociala,” a term that translates to “social welfare.”
The hackers that compromised the site replaced all the documents that people download with malicious executable files, but the most worrying fact is that the .exe files are cleverly set up to have Microsoft Office icons, making them less suspicious.
Furthermore, once the executable is run, it drops the real document, making everything look even more legitimate. Along with the genuine document, a file called open_file.bat
is also placed in the Temporary Files
folder, this element being responsible for the rest of the malicious actions.
Judging by the actions performed by the Trojan, identified as Trojan:BAT/Delosc.A
, this attack is designed to target Romanian institutions that use certain software applications, including Indaco and Aplxpert, two very popular applications in local organizations.
Its purpose is to look for certain strings in file names, mainly related to invoices and other keywords specific to these programs, and then delete all the files that match the criteria, resulting in the loss of highly valuable information.
These sorts of malicious operations can be used in any country in corporate espionage and sabotage campaigns, which is why users, especially those handling sensitive information, are advised to double check the files they download, even from trusted sites.
Also, antivirus applications are a great way to prevent any unfortunate incidents, since security solutions providers usually do a decent job in keeping up with the latest threats.