Once again, eCriminals took advantage of a legitimate and popular website as an attack vector for the purpose of propagating MalWeb. Layla.co.il, a popular nightlife website in Israel, was compromised by eCriminals and is serving a malicious bot to its visitors.
Image 1: Entries in our AID (Attack Intelligence Datacenter) indicating that layla.co.il contains MalWeb.
A hidden IFrame tag has been injected into every page under the “campaign” directory. The IFrame loads a malicious page that attempts to download and execute a Trojan using one of the following exploits:
1. Microsoft Access Snapshot Viewer ActiveX Control Exploit
2. SWF Exploit
3. PDF Exploit
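As an added example (not Finjan's code, and not the actual markup injected into layla.co.il), the following scanner flags the kind of hidden IFrame described above: frames sized to zero or one pixel, hidden through CSS, or pulling content from a host other than the site's own. The HTML sample and the hostnames in it are constructed.

```python
# Added example (not Finjan's code): flag <iframe> tags that look hidden
# (zero/one-pixel size, display:none, visibility:hidden, pushed off-screen)
# or that pull content from a host other than the page's own.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d+", re.I)

class IFrameCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})

def _tiny(value):
    """True for a width/height of 0 or 1 (with or without a 'px' suffix)."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return m is not None and int(m.group(1)) <= 1

def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for every iframe that looks injected."""
    parser = IFrameCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero/one-pixel size")
        if HIDING_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        host = urlparse(a.get("src", "")).hostname
        if host and host != page_host:
            reasons.append("third-party src " + host)
        if reasons:
            findings.append((a.get("src", ""), reasons))
    return findings

# Constructed sample: one legitimate promo frame, one injected hidden frame.
SAMPLE_HTML = """<html><body><h1>Tonight's parties</h1>
<iframe src="http://www.layla.co.il/promo.html" width="300" height="200"></iframe>
<iframe src="http://malware-host.invalid/in.php" width="0" height="0"
        style="visibility:hidden"></iframe></body></html>"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "www.layla.co.il"):
        print(src, "->", ", ".join(why))
```

Running it over a crawl of the site's own pages would surface frames that the page author never placed; a relative `src` is not treated as third-party, so size and CSS checks still apply to it.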
The downloaded malware executable is a bot instructed to download a rootkit that acts as a kind of guardian for it. The rootkit installs itself as a service named “DCOM Server Process Launcher DcomLaunchMessenger”.
To evade detection, the Trojan prevents a long list of antivirus and security applications from running.
Once the bot is launched, it sends information about the infected machine to its C&C (Command and Control) system, hosted on a server in Ukraine.
More than 200,000 machines worldwide have been infected by this attack so far; each infected machine joins an army of zombie machines ready to be controlled by eCriminals to launch cyber attacks. The map below shows the distribution of infected machines.
Image 2: A distribution map showing the locations of machines infected by the attack.