The malware domain was hosting an exploit for MS12-043 (Microsoft XML Core Services MSXML Uninitialized Memory Corruption). More details can be read here: MS12-043. Unsurprisingly, the IP address of that domain was located in China, as shown below:
The exploit for this vulnerability can be found in Metasploit here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb.
A simple side-by-side check of one code snippet from the malware domain against the legitimate Metasploit repository is shown below:
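A check of this kind can be automated. The script below is an added example, not code from the original post or from Metasploit: it compares a script recovered from a site against a public reference, first on raw tokens and then after normalising identifier names, string literals and numbers, so that renaming or minifying cannot hide a copy. The three JavaScript snippets it compares are constructed stand-ins; none of them is the exploit or the tracker code discussed here.

```python
"""Added example: is a script found on a site a copy of a public one?

Compares two JavaScript sources in two ways: on their raw tokens, and on
a normalised form in which identifiers, string literals and numbers are
replaced by placeholders.  A copy that was only renamed or reformatted
scores 1.0 on the normalised form.  Every snippet here is constructed.
"""
import difflib
import re

# Reserved words keep their spelling under normalisation; everything
# else that looks like a name is replaced by a positional placeholder.
JS_KEYWORDS = {
    "break", "case", "catch", "const", "continue", "default", "delete", "do",
    "else", "false", "for", "function", "if", "in", "instanceof", "let", "new",
    "null", "return", "switch", "this", "throw", "true", "try", "typeof",
    "var", "void", "while", "with",
}

# One pass over the source: each match is a comment, a string literal, an
# identifier, a number or a single punctuation character.  Whitespace is
# skipped because no alternative matches it.  Strings are matched as a
# whole, so "http://..." inside a literal is not mistaken for a comment.
TOKEN_RE = re.compile(r"""
      (?P<comment>//[^\n]*|/\*.*?\*/)
    | (?P<string>"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')
    | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<punct>\S)
""", re.S | re.X)


def tokenize(js, structural):
    """Turn JavaScript source into a token list.  Comments are dropped.
    With structural=True, strings become "S", numbers become "N" and each
    non-keyword identifier becomes "IDn" in order of first appearance."""
    names = {}
    out = []
    for m in TOKEN_RE.finditer(js):
        kind, text = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if not structural:
            out.append(text)
        elif kind == "string":
            out.append("S")
        elif kind == "number":
            out.append("N")
        elif kind == "ident" and text not in JS_KEYWORDS:
            out.append(names.setdefault(text, f"ID{len(names)}"))
        else:
            out.append(text)
    return out


def similarity(reference, candidate):
    """Return {"exact": r1, "structural": r2}, both difflib ratios in [0, 1]."""
    scores = {}
    for mode in ("exact", "structural"):
        a = tokenize(reference, mode == "structural")
        b = tokenize(candidate, mode == "structural")
        scores[mode] = difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()
    return scores


def shared_blocks(reference, candidate, min_tokens=6):
    """Runs of normalised tokens common to both sources; usable as evidence."""
    a = tokenize(reference, True)
    b = tokenize(candidate, True)
    sm = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return [" ".join(a[blk.a:blk.a + blk.size])
            for blk in sm.get_matching_blocks() if blk.size >= min_tokens]


def classify(scores, threshold=0.9):
    """Plain-language reading of the two scores."""
    if scores["structural"] >= threshold and scores["exact"] >= threshold:
        return "verbatim copy"
    if scores["structural"] >= threshold:
        return "copy with renamed identifiers"
    return "no strong match"


# Constructed sample inputs (not the page's exploit or tracker code).
REFERENCE_JS = """
// Constructed stand-in for a script in a public repository.
function collect(doc) {
  var info = {};
  info.agent = navigator.userAgent;
  info.referrer = doc.referrer;
  info.width = screen.width;
  return info;
}
"""

COPIED_JS = """
/* constructed stand-in for the same script as found in the wild:
   renamed, minified, comment replaced */
function zx(d){var q={};q.agent=navigator.userAgent;q.referrer=d.referrer;q.width=screen.width;return q;}
"""

UNRELATED_JS = """
// Constructed unrelated script, for contrast.
var total = 0;
for (var i = 0; i < 10; i++) { total += i * 2; }
alert(total);
"""

if __name__ == "__main__":
    for label, candidate in (("renamed copy", COPIED_JS), ("unrelated", UNRELATED_JS)):
        s = similarity(REFERENCE_JS, candidate)
        print(f"{label:13s} exact={s['exact']:.2f} structural={s['structural']:.2f} -> {classify(s)}")
        for block in shared_blocks(REFERENCE_JS, candidate):
            print("   shared:", block)
```

The structural score flags renamed copies, but it also rises for any two scripts that merely share the same shape, so pair it with the exact score and the shared token runs when writing up the comparison rather than treating it as a verdict on its own.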
The exploit code was used in conjunction with the JS code hosted here: http://js.users.51.la/15240615.js.
This code dynamically generates the information about the visitor and creates log details for statistical purposes.
We recall that traces were detected earlier of the Phoenix exploit kit using one of the same exploits present in Metasploit. Refer: Gangsterware.
The conclusions are:
- Metasploit provides neat exploits that are easy to deploy and use.
- The evidence shows that malware authors are using Metasploit exploits.
Well, reality bites!