Attacks on Gizmodo’s Brazilian site and the website of an unnamed logistics firm hosted by the same ISP have prompted Trend Micro to investigate whether “a vulnerability was used in order to penetrate the web servers,” according to a company blog post.
Attackers modified Gizmodo’s main page by adding a script that redirected users to a different compromised website hosted in Sweden.
The attackers gained control of the server by uploading a web shell. When victims open the compromised site, a malicious URL is loaded that serves a fake (older-version) Adobe Flash download page in Portuguese.
The file offered for download is a backdoor hosted on Google Drive, detected as BKDR_GRAFTOR.GHR. The logistics firm’s website was similarly compromised. Gizmodo Brazil has since removed the compromised code from its servers, and Trend Micro has alerted Google to the malicious file on Google Drive.
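The injected redirect described above is the kind of change a site owner can catch by auditing served HTML against an allowlist of script hosts. The following is an added example (not code from Trend Micro, Gizmodo or the original report); the sample page, the `ALLOWED_HOSTS` set and the host names are constructed for illustration.

```python
"""Flag injected redirects in a page's HTML: external <script src> hosts outside an
allowlist, inline scripts that assign window.location, and <meta refresh> redirects."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate script plus an injected redirect and a meta refresh.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-news.test/app.js"></script>
<script>window.location = "http://compromised-host.test/flash/";</script>
<meta http-equiv="refresh" content="0;url=http://compromised-host.test/update.html">
</head><body>news</body></html>"""

ALLOWED_HOSTS = {"cdn.example-news.test"}  # hypothetical allowlist kept by the site owner

# Matches location = "...", location.href = "..." and location.replace("...")
REDIRECT_RE = re.compile(
    r"""(?:location(?:\.href)?|location\.replace\()\s*=?\s*["']([^"']+)["']""")


class ScriptAuditor(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = allowed_hosts
        self.findings = []        # list of (kind, host) tuples
        self._in_script = False

    def _flag(self, kind, url):
        host = urlparse(url).hostname
        if host and host not in self.allowed:
            self.findings.append((kind, host))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self._flag("external-script", a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url=([^;\s]+)", a.get("content", ""), re.I)
            if m:
                self._flag("meta-refresh", m.group(1))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:            # HTMLParser hands script bodies to handle_data
            for url in REDIRECT_RE.findall(data):
                self._flag("inline-redirect", url)


def audit(html, allowed_hosts):
    """Return the list of suspicious (kind, host) findings for one HTML document."""
    auditor = ScriptAuditor(allowed_hosts)
    auditor.feed(html)
    return auditor.findings
```

Run `audit()` over each served page against a known-good allowlist to surface script hosts and redirects that were never approved.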