Is Philippine Bureau of Immigration website compromised, hosting malware?

Websense Security Labs and the Websense ThreatSeeker Network report detecting malicious emails disguised as HSBC notifications. A closer look at these emails, like the one shown below, reveals that the link they carry points to a compromised URL on the Philippine Bureau of Immigration website.

Clicking the link prompts the user to download a malicious file called "atualizar.exe".

The Philippine Bureau of Immigration site runs Joomla as its CMS, and the link points to a file named “atualizar.php”; “atualizar” is Portuguese for “update”, so the name reads as “update.php”.

The file was probably replaced or inserted maliciously. Requesting “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php” returns HTTP status code 302, the most common way of performing a redirection, with a Location header pointing to “http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe”, which probably contains the actual payload.

    [kramfs@viasvr temp]$ wget http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    --2011-08-10 17:15:03-- http://immigration.gov.ph/administrator/components/com_media/old/atualizar.php
    Resolving immigration.gov.ph... 124.6.144.116
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe [following]
    --2011-08-10 17:15:04-- http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Reusing existing connection to immigration.gov.ph:80.
    HTTP request sent, awaiting response... No data received.
    Retrying.
    --2011-08-10 17:15:05-- (try: 2) http://immigration.gov.ph/administrator/components/com_media/old/atualizar.exe
    Connecting to immigration.gov.ph|124.6.144.116|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 699460 (683K) [application/x-msdos-program]
    Saving to: “atualizar.exe”

    100%[============================================================================>] 699,460 63.4K/s in 12s

    2011-08-10 17:15:17 (57.2 KB/s) - “atualizar.exe”

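The wget transcript above follows the Location header automatically and writes the executable to disk. When triaging a link like this, it is safer to walk the redirect chain one hop at a time, record each status and Location, and fingerprint whatever lands at the end (content type, PE “MZ” magic, size, SHA-256) without ever running it; the hash can then be looked up on VirusTotal instead of uploading or executing the file. The script below is an added example, not code from the original post or from Websense. It stands up a constructed local server that mimics the observed .php → 302 → .exe chain; the localhost URL, the paths it serves and the “MZ” payload bytes are assumptions for the demonstration, not the real server's responses.

```python
"""Trace an HTTP redirect chain hop by hop and fingerprint the final response."""
import hashlib
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5

# Constructed stand-in for the real payload: a PE "MZ" header plus filler bytes.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 510
PHP_PATH = "/administrator/components/com_media/old/atualizar.php"
EXE_PATH = "/administrator/components/com_media/old/atualizar.exe"


def fetch_once(url):
    """Issue exactly one GET and return (status, headers, body); never follows redirects."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("this example handles plain http only")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"User-Agent": "redirect-tracer/0.1"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read()
    finally:
        conn.close()


def looks_like_windows_exe(content_type, body):
    """True if the server labels the body as a DOS/Windows program or it starts with PE magic."""
    ct = (content_type or "").lower()
    return ct.startswith("application/x-msdos-program") or body[:2] == b"MZ"


def sha256_hex(data):
    """Hash for a VirusTotal lookup; hashing never executes the sample."""
    return hashlib.sha256(data).hexdigest()


def analyse(url, max_hops=MAX_HOPS):
    """Walk the redirect chain (bounded) and report every hop plus a fingerprint of the end."""
    hops = []
    status, headers, body = 0, {}, b""
    for _ in range(max_hops):
        status, headers, body = fetch_once(url)
        location = headers.get("location")
        hops.append({"url": url, "status": status, "location": location})
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # resolve relative Location values too
            continue
        break
    ct = headers.get("content-type")
    return {
        "hops": hops,
        "final_status": status,
        "content_type": ct,
        "is_windows_exe": looks_like_windows_exe(ct, body),
        "size": len(body),
        "sha256": sha256_hex(body),
    }


class _FakeSite(BaseHTTPRequestHandler):
    """Constructed server reproducing the .php -> 302 -> .exe chain seen in the wget log."""

    def do_GET(self):
        if self.path == PHP_PATH:
            self.send_response(302)
            # Absolute Location, as in the observed response.
            self.send_header("Location", "http://%s%s" % (self.headers.get("Host"), EXE_PATH))
            self.end_headers()
        elif self.path == EXE_PATH:
            self.send_response(200)
            self.send_header("Content-Type", "application/x-msdos-program")
            self.send_header("Content-Length", str(len(FAKE_PAYLOAD)))
            self.end_headers()
            self.wfile.write(FAKE_PAYLOAD)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_site():
    """Start the constructed site on a free localhost port; returns (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1], server


if __name__ == "__main__":
    base, srv = start_fake_site()
    report = analyse(base + PHP_PATH)
    for hop in report["hops"]:
        print("%s -> %s %s" % (hop["url"], hop["status"], hop["location"] or ""))
    print("final: %s %s exe=%s size=%d sha256=%s" % (report["final_status"], report["content_type"],
                                                     report["is_windows_exe"], report["size"], report["sha256"]))
    srv.shutdown()
```

Against a real URL, point `analyse()` at it from an isolated analysis host; the hop limit guards against redirect loops, and nothing downloaded is written to disk or executed, only hashed.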

Trend Micro flags this file as malicious.


The VirusTotal analysis results for this .exe show that it is detected by a number of different AV solutions.

Source Reference: Websense Security Labs
