Popular Brazilian Site “Porta dos Fundos” Hacked

A very well known Brazilian comedy site, “Porta dos Fundos,” was recently hacked and is pushing malware (drive-by-download) via a malicious Flash executable, as you can see from our Sitecheck results:

SiteCheck Found Malware on Porta dos Fundos
SiteCheck Found Malware on Porta dos Fundos

If you do not want the joke to be on you, do not visit this site (portadosfundos) until it has been cleaned.

The infection starts with malicious javascript injected at the top of the code, which loads content from another compromised site, www.gpro.co.mz:

Injected Code on Website Porta dos Fundos

This forces the browser to load a fake and malicious “FlashPlayer” executable that looks like a legitimate updater:

Malicious Fake Flash Player Updater - Found by Sucuri

According to our findings, the infection is aimed at Windows users running Internet Explorer. Also, the language of the fake yellow “Missing Plugin” alert bar at the top of the page is Brazillian, even for non-Brazillian IPs, which tells us that this is a targeted attack.

While the file is detected by a few Anti-Virus vendors already, not all of them are (especially the most popular AV engines):

VirusTotal Results

Note that the malicious script is encoded JavaScript, which injects a link to the installer and refreshes the browser, redirecting to the malicious file as the URL. This results in an attempt to automatically download the file. You can see the final injection decoded by our own Denis Sinegubko here:

Targeted Brazillian Drive-by-Download - Found by Sucuri

We’re performing further investigation and will update this blog post with new information if available.

You May Also Like