Mr Chow’s website serves up ransomware

Mr Chow’s website serves up ransomware

The website for popular fine Chinese cuisine “Mr Chow” restaurants has been hacked and is redirecting visitors to ransomware. This is not the first high profile culinary personality that has been involved in a security incident. Before Michael Chow, British Chef Jamie Oliver experienced several cases of website compromises himself.

A malicious script (pseudo Darkleech) injected directly into the website’s page is triggering the Neutrino exploit kit and will infect vulnerable systems with ransomware. The majority of website hacks are the result of outdated CMS software (WordPress, Joomla, Drupal, etc). We ran a scan of the site using Sucuri’s SiteCheck and discovered this was the case here as well, with a vulnerable installation of Drupal.

Traffic and exploit overview

There are currently two exploit kits with the lion’s share of compromised websites redirecting to malware: Neutrino EK via the pseudo Darkleech campaign, and RIG EK via the EITest campaign. Here we recognize the pseudo Darkleech pattern, with a simple iframe redirection.




The payload that unsuspecting users will receive is the CrypMIC ransomware which demanded 1.2 BT (roughly $695) at the time of posting.


Ransomware authors have been adding new features to make it more robust or more “user-friendly”. Below, we see a CAPTCHA users must enter in order to access their account page with further instructions, and even a “Help Desk” section where you can ask the criminals some questions (or get some feelings off your chest):



Malwarebytes Anti-Exploit users are protected against this attack before the ransomware component is even downloaded.

We have contacted the owner of the website about this incident and will update this article if we receive any response.


June 1, 2012 – The last time I checked with Google News this morning there were over 19,100,000 results for “flame malware”.  You may have heard many stories this week about this complex trojan. Here are links to three of my current personal favorite articles on “Flame”. Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game – (Fox News)…

January 10, 2013 – URGENT: New Java Exploit being used to infect Updated Users. ACTION: Disable Java Browser Plugin using: DETAILS: As of yesterday, a new Java exploit has been developed and released to the cyber-crime community. It is currently in the wild and being used to distribute malware such as the Reveton Ransomware.

February 11, 2013 – Exploit Kits are a serious cyber threat today, estimated to be responsible for the vast percentage of malware infections worldwide.  Exploit kits distributed currently through both public and underground sources appeal to a wide range of audiences, from inexperienced hackers to seasoned “black hat” cybercriminals.  Perhaps you or someone you know may have heard about…

February 14, 2013 – URGENT: A few days ago a new zero-day vulnerability in Adobe Reader had surfaced.  Details below are on Adobe’s blog.

March 4, 2013 – Update: Oracle has addressed the exploit known as CVE-2013-1493 with an emergency patch.  You can read about this patch on Oracle’s blog here. URGENT: A few days ago we heard about yet another zero-day in Oracle Java from security firm FireEye.  The exploit targets java versions 6 and 7.  Details are

Threat Intel

via Malwarebytes Labs

August 31, 2016 at 05:26PM






Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: