Trojan:JS/Iframe.AP

Trojan:JS/Iframe.AN is a detection numerous variants of a malicious JavaScript that is embedded as an IFrame in compromised web pages, usually via SQL injection attacks, or through Blackhat search engine optimization (SEO) poisoning.

Installation

This trojan script is encountered when visiting a compromised web site that contains the JavaScript.

Payload

Redirects web browsing

When opened in a web browser, the trojan redirects the browser to another site. In the wild, this trojan redirects web browsers to domains such as the following:

• oorqqqq.cx.cc/<removed>.php?page=969843cfdd53ba77
• testosploitron.cx.cc/<removed>.php?tp=b25a5b48ad494d60
• vasyamefik.co.cc/<removed>.php?page=d993a3edfa60805b
• kennymccormick.in/<removed>.php?tp=f49b79d41454ff39
• ads2.name/<removed>.cgi?advert_id=1&banner_id=1&chid=341aa8fca26bcff7830499c1c5f8e359

At the time of this writing, the trojan-requested URLs were unavailable for analysis.

Analysis by Hyun Choi