U.S. Department of Labor website hacked and redirecting to malicious code

2013-05-05 00:23:07
During the last few hours we have identified that one of the U.S. Department of Labor's websites has been hacked and is serving malicious code.

Clarification:

The website affected is the Department of Labor (DOL) Site Exposure Matrices (SEM) website.

“The Department of Labor (DOL) Site Exposure Matrices (SEM) Website is a repository of information gathered from a variety of sources regarding toxic substances present at Department of Energy (DOE) and Radiation Exposure Compensation Act (RECA) facilities covered under Part E of the Energy Employees Occupational Illness Compensation Program Act (EEOICPA)”

As you can see in the following UrlQuery report the website is including code from the malicious server dol[.]ns01[.]us:

Once you visit the website the following file is included:

www[.]sem[.]dol[.]gov/scripts/textsize.js, which contains the following code:



The browser will then execute a script from the malicious server dol[.]ns01[.]us:8081/web/xss.php


http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip=96.44.136.115

The script will collect a lot of information from the system and then it will upload the information collected to the malicious server. Some of the functions to collect information are:

flashver(): This function collects information about the Flash software running on the system, including version and OS details.


bitdefender2012check() and disabledbitdefender_2012(): These functions try to determine whether BitDefender is running on the system by checking the page's HTML for the code it injects (netdefender/hui/ndhui.js), and then try to deactivate the AV.

avastcheck(): It checks whether Avast Antivirus is running on the system by detecting the presence of its Chrome extension:

aviracheck(): It checks whether Avira Antivirus is running on the system by detecting the presence of its Chrome extension:


java(): It collects information about the Java versions installed on the system.

officever(): It collects information about the Microsoft Office versions installed on the system.



plugin_pdf_ie(): It detects whether Adobe Reader is installed on the system by calling Acrobat Reader's ActiveX object:


jstocreate(): It detects whether the system is running one of the following antivirus products:

avira
bitdefender_2013
mcafee_enterprise
avg2012
eset_nod32
Dr.Web
Mse
sophos
f-secure2011
Kaspersky_2012
Kaspersky_2013



Once all the information has been collected, the script sends the data to the following URL using a POST request:

dol[.]ns01[.]us:8081/web/js[.]php
An example of the information collected is as follows:

Shockwave Flash 11.6.602,No Java or Disable or user uninstall it(if plugins have java)!,Avast!,Shockwave Flash(Name:NPSWF32_11_6_602_180.dll{Ver:11.6.602.180}),AVG SiteSafety plugin(Name:npsitesafety.dll{Ver:14.2.0.1}),MindSpark Toolbar Platform Plugin Stub(Name:NP4zStub.dll{Ver:1.0.1.1}),TelevisionFanatic Installer Plugin Stub(Name:NP64EISb.dll{Ver:1.0.0.1}),MinibarPlugin(Name:npMinibarPlugin.dll{Ver:1.0.0.1}),Photo Gallery(Name:NPWLPG.dll{Ver:16.4.3505.912}),Yahoo Application State Plugin(Name:npYState.dll{Ver:1.0.0.7}),Silverlight Plug-In(Name:npctrl.dll{Ver:5.1.10411.0}),Microsoft Office 2010(Name:NPSPWRAP.DLL{Ver:14.0.4761.1000}),Microsoft Office 2010(Name:NPAUTHZ.DLL{Ver:14.0.4730.1010}),Microsoft® Windows Media Player Firefox Plugin(Name:np-mswmp.dll{Ver:1.0.0.8}),PDF-XChange Viewer(Name:npPDFXCviewNPPlugin.dll{Ver:2.5.200.0})
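As an added example (not code from the original post), a small Python parser for the format of the uploaded inventory string above, which a responder can use to see exactly what an attacker learned about a victim. The sample blob is a shortened, constructed copy of the fields quoted above; the assumption that the free-text Flash, Java and AV entries always precede the plugin list is inferred from that sample.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: a shortened copy of the inventory string quoted above.
SAMPLE = (
    "Shockwave Flash 11.6.602,"
    "No Java or Disable or user uninstall it(if plugins have java)!,Avast!,"
    "Shockwave Flash(Name:NPSWF32_11_6_602_180.dll{Ver:11.6.602.180}),"
    "AVG SiteSafety plugin(Name:npsitesafety.dll{Ver:14.2.0.1}),"
    "Silverlight Plug-In(Name:npctrl.dll{Ver:5.1.10411.0}),"
    "Microsoft Office 2010(Name:NPSPWRAP.DLL{Ver:14.0.4761.1000}),"
    "PDF-XChange Viewer(Name:npPDFXCviewNPPlugin.dll{Ver:2.5.200.0})"
)

# Plugin entries look like: Display Name(Name:file.dll{Ver:1.2.3.4})
PLUGIN_RE = re.compile(r"^(?P<name>.+?)\(Name:(?P<file>[^{]+)\{Ver:(?P<ver>[^}]+)\}\)$")


class Entry(NamedTuple):
    name: str
    file: Optional[str]      # DLL file name, None for free-text fields
    version: Optional[str]   # version string, None for free-text fields


def parse_inventory(blob: str) -> List[Entry]:
    """Split the comma-separated upload into structured entries."""
    entries = []
    for field in (f.strip() for f in blob.split(",")):
        if not field:
            continue
        m = PLUGIN_RE.match(field)
        if m:
            entries.append(Entry(m["name"], m["file"], m["ver"]))
        else:
            entries.append(Entry(field, None, None))  # Flash/Java/AV free text
    return entries


def triage(blob: str) -> dict:
    """Summarise what the attacker learned from one upload.
    Assumption (from the sample): the free-text fields are the Flash version,
    the Java status and the AV name, followed by the NPAPI plugin list."""
    entries = parse_inventory(blob)
    free_text = [e.name for e in entries if e.file is None]
    flash = next((t[len("Shockwave Flash "):] for t in free_text
                  if t.startswith("Shockwave Flash ")), None)
    java_present = not any(t.startswith("No Java") for t in free_text)
    others = [t for t in free_text
              if not t.startswith(("Shockwave Flash ", "No Java"))]
    return {"flash": flash, "java_present": java_present,
            "antivirus": others[0] if others else None,
            "dlls": {e.file.lower(): e.version for e in entries if e.file}}
```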

Some of the techniques used in this attack are very similar to the ones we identified a few months ago in an attack against a Thai NGO website:

Thailand NGO site hacked and serving malware


After sending the information about the system, the following request is also made:

dol[.]ns01[.]us:8081/update/index.php

After analyzing that file we found the following function:

If we decode the eval string we find:


After a quick analysis it seems the malicious server is exploiting CVE-2012-4792, which was patched earlier this year. We are still verifying this information and we will give you more details once we confirm that the vulnerability exploited is CVE-2012-4792.

Once the vulnerability is exploited, the system downloads the payload from dol[.]ns01[.]us:8081/update/bookmark.png:


After fixing the PE header we obtained the following PE file:

https://www.virustotal.com/en/file/ea80dba427e7e844a540286faaccfddb6ef2c10a4bc6b27e4b29ca2b30c777fb/analysis/

It has a detection rate of 2 / 46 at the time of writing this blog post.

Once the payload is executed:

- The malware creates a copy of itself in Documents and Settings\[CURRENT_USER]\Application Data\conime.exe

- It creates a registry entry named conime under HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run pointing to conime.exe to maintain persistence

- It connects to a C&C server at microsoftUpdate.ns1.name, which currently resolves to the Google DNS server 8.8.8.8.

An analysis available on malwr.com shows that the DNS name was previously pointing to:

173.254.229.176


https://malwr.com/analysis/YzUyMDk4M2M5YmM4NDgzNDllMDE5MWE1MDY4Y2I1MGM/

An analysis of the malware shows the payload is using the following GET requests to communicate with the C&C server:

/Photos/Query.cgi?loginid=[RANDOM_NUMBER]

The C&C protocol matches a backdoor used by a known Chinese actor called DeepPanda, described by CrowdStrike in the following analysis:

http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf
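As an added example (not code from the post, AlienVault or CrowdStrike), a small Python scanner that applies the indicators and the beacon shape described above to web-proxy logs, so a defender can find hosts that fetched the landing script, posted the inventory, pulled the payload or started beaconing. The squid-style access-log lines are constructed; the client addresses and the non-indicator server addresses in them are made up.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the post (defanging brackets removed, hosts lowercased).
IOC_HOSTS = {"dol.ns01.us", "microsoftupdate.ns1.name"}
IOC_PATHS = {"/web/xss.php", "/web/js.php", "/update/index.php", "/update/bookmark.png"}

# Constructed squid-style access log: time elapsed client status bytes method url ident hier type
SAMPLE_LOG = """\
1367712000.123 245 10.0.0.15 TCP_MISS/200 5321 GET http://www.sem.dol.gov/scripts/textsize.js - DIRECT/198.51.100.7 application/javascript
1367712001.456 120 10.0.0.15 TCP_MISS/200 812 GET http://dol.ns01.us:8081/web/xss.php - DIRECT/96.44.136.115 text/html
1367712005.789 90 10.0.0.15 TCP_MISS/200 211 POST http://dol.ns01.us:8081/web/js.php - DIRECT/96.44.136.115 text/html
1367712300.001 60 10.0.0.15 TCP_MISS/200 64 GET http://microsoftUpdate.ns1.name/Photos/Query.cgi?loginid=48213 - DIRECT/8.8.8.8 text/html
1367712301.002 60 10.0.0.22 TCP_MISS/200 64 GET http://example.org/Photos/Query.cgi?loginid=abc - DIRECT/203.0.113.5 text/html
1367712400.500 300 10.0.0.22 TCP_HIT/200 9000 GET http://www.example.com/index.html - NONE/- text/html
"""

Hit = Tuple[str, str, List[str]]  # (client ip, host, reasons)


def classify(line: str) -> Optional[Hit]:
    """Return a hit for one access-log line, or None if nothing matched."""
    parts = line.split()
    if len(parts) < 7:
        return None
    client, method, url = parts[2], parts[5], parts[6]
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("known malicious host")
    if u.path in IOC_PATHS:
        reasons.append("known landing/exfil/payload path")
    # Beacon shape from the post: GET /Photos/Query.cgi?loginid=<number>,
    # checked on any host so a moved C&C is still caught.
    if method == "GET" and u.path == "/Photos/Query.cgi":
        loginid = parse_qs(u.query).get("loginid", [""])[0]
        if loginid.isdigit():
            reasons.append("DeepPanda-style beacon pattern")
    return (client, host, reasons) if reasons else None


def scan(log_text: str) -> List[Hit]:
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

Hits for the compromised sem.dol.gov site itself are deliberately not raised, since that host is a legitimate site whose page was altered.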

We are still investigating this attack and we will update the blog post if we obtain more information about it.

Happy hunting!

About the author

Cond0r
