The Tibetan Alliance of Chicago hit by cyber waterholing attack

Websense Security Labs™ ThreatSeeker® Intelligence Cloud has detected that the website of the Tibetan Alliance of Chicago has been compromised to serve malicious code.

In the last two days, the BBC website reported news about a waterholing attack against the Central Tibetan Administration website. Over the last two years, attacks like these have targeted pro-Tibet websites and other human rights organizations around the world. A waterholing attack is one that targets the users of specific websites with the aim of installing malware on their systems (usually a backdoor) to collect documents, email contacts, social contacts, and passwords. The frequency of these attacks prompted Websense Security Labs to check our collective threat intelligence for any other websites that are considered pro-Tibet, to see whether they are affected by this kind of attack.

In this blog we are going to analyze the Tibetan Alliance of Chicago website and illustrate how waterholing attacks are conducted.

One of the trends in targeted attacks over the last few years is that the installed malware binaries connect to dynamic DNS hosts. One of the most interesting aspects of this specific attack is that a successful exploit downloads a binary that connects to a small dynamic DNS service offered by none other than a German security appliance and services company, which reaffirms the notion that the perpetrators pick and choose the parts of their attack infrastructure.

Although the website does not have a high Alexa rank, we thought it was worth consideration, because our analysis concluded that this was not a scattered attack but a targeted injection intended to infect the users of that website. The website has been injected with two malicious iFrames, as shown below:
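The injection described above can be found with a simple heuristic scan of the page source: look for iframes that point at a bare IP address or are sized or styled so the visitor never sees them. The scanner below is an added example, not code from the Websense post. The sample HTML is constructed to mimic the described injection (the two frame URLs use the 78.129.252.195 host from the post, but the attributes, the surrounding page and the `tibetan-alliance.example` page host are assumptions).

```python
"""Flag iframes that look injected: IP-literal hosts, 0/1-pixel frames, CSS-hidden frames.

Added example, not code from the Websense post. SAMPLE_HTML is constructed; the
page host used in the usage call is an assumption.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample page: one legitimate embed plus two hidden frames pointing at
# the IP-literal host named in the post. Attribute values are assumptions.
SAMPLE_HTML = """
<html><body>
<h1>Tibetan Alliance of Chicago</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://78.129.252.195/images/Adobe/index.html" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://78.129.252.195/index.html" width="1" height="1" frameborder="0"></iframe>
</body></html>
"""


def is_ip_literal(host):
    """True if the host part of a URL is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height of 0 or 1 px, a common way to hide a frame."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes matching the injection heuristics."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if is_ip_literal(host):
            reasons.append("src host is an IP literal")
        if host and host != page_host:
            reasons.append("src host is off-site")
        if _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")):
            reasons.append("zero/one-pixel frame")
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("frame hidden by CSS")
        # Off-site alone is normal (video embeds, ads): require an IP literal
        # or at least two signals before reporting.
        if is_ip_literal(host) or len(reasons) >= 2:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "tibetan-alliance.example"):
        print(src, "->", "; ".join(reasons))
```

Run against the constructed page, the YouTube embed is left alone (off-site but visible) while both 78.129.252.195 frames are reported. On a real site, run this against a fresh fetch of the page and diff the results against a known-good copy; injected frames usually appear as new entries rather than modified ones.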

[Image: Malware]

We started by investigating the content of the two links above. The first (hxxp://78.129.252.195/images/Adobe/index.html) contains another iFrame that leads to a Firefox plugin named "Adobe Flash Player.xpi", although at the time of the analysis the plugin was not available:

[Image: Payload]

When we used ThreatSeeker to search for other instances of "Adobe Flash Player xpi", we found other malicious websites, so we deduced that the aim of this iFrame was to get the visitor to install a malicious plugin through social engineering. The second link (hxxp://78.129.252.195/index.html) caught our attention, because it appears to be malicious code exploiting the vulnerability CVE-2012-4969, as shown below:

[Image: CVE]

The code highlighted above contains another iframe that leads to hxxp://78.129.252.195/yRrztX.html, with the following content:

[Image: Payload]

From this we could see the code used to trigger the Internet Explorer vulnerability tracked as CVE-2012-4969, which a security researcher spotted in other targeted attacks in September 2012. The code within the page "index.html" uses a heap spray to run shellcode if the exploitation attempt succeeds. The following is the snippet of code that holds the shellcode:

[Image: CVE]

Once the shellcode is executed, it downloads and runs a malicious file on the compromised system. The shellcode appears to use the Windows default user-agent 'wininet' to retrieve the malicious file, which in itself can be considered suspicious, because we do not usually see many legitimate HTTP requests that use this agent. We do see this user-agent used by legitimate software, but it is not predominant.

Following is the Fiddler session where you can see the binary file that was downloaded:

[Image: Malware]

Analyzing the dynamic behavior of the malicious executable, you can see a first call to the command-and-control point at mail.firewall-gateway.com, located in the United Kingdom:

[Image: Firewall]

We conducted a quick investigation of the domain "firewall-gateway.com", and it appears to be maintained by the German service provider Securepoint, which specializes in provisioning secure VPN endpoints and other kinds of network services. This is what we saw in the WHOIS record:

[Image: Firewall]

In one of Securepoint's support forums, the announcement of the availability of a dynamic DNS service is still shown, and the service appears to be available at that address. We believe this is an attempt to remain covert: it is not by chance that the perpetrators chose to reach their command-and-control point through a dynamic DNS service associated with a security company.

[Image: DNS]
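Both network observations above, the executable fetched with a bare 'wininet' User-Agent and the beacon to a host under a dynamic DNS zone, are easy to turn into proxy-log detections. The script below is an added example, not code from the Websense post. The tab-separated log format and every log line are constructed; only the hosts 78.129.252.195 and mail.firewall-gateway.com come from the post. The download path `update.exe`, the second-stage User-Agent values and the dynamic DNS zones other than firewall-gateway.com are assumptions.

```python
"""Triage proxy log lines for two signals from the post: an executable fetched with a
non-browser User-Agent (such as the bare 'wininet' string) and a destination under a
dynamic DNS zone (such as firewall-gateway.com).

Added example, not code from the Websense post. Log format (tab separated: timestamp,
client, method, url, status, content-type, user-agent) and all log lines are constructed.
"""
from urllib.parse import urlparse

# Assumed watch-list of dynamic DNS parent zones; firewall-gateway.com is from the post.
DYNDNS_ZONES = ("firewall-gateway.com", "no-ip.org", "no-ip.biz", "dyndns.org")

# Content types a proxy commonly records for a Windows PE download.
BINARY_CONTENT_TYPES = {"application/x-msdownload", "application/octet-stream",
                        "application/x-msdos-program"}

# Constructed sample log: exploit pages, shellcode download, C2 beacon, benign traffic.
SAMPLE_LOG = """\
2013-08-13T10:02:11Z\t10.0.0.5\tGET\thttp://78.129.252.195/index.html\t200\ttext/html\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
2013-08-13T10:02:12Z\t10.0.0.5\tGET\thttp://78.129.252.195/yRrztX.html\t200\ttext/html\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
2013-08-13T10:02:14Z\t10.0.0.5\tGET\thttp://78.129.252.195/update.exe\t200\tapplication/x-msdownload\twininet
2013-08-13T10:02:20Z\t10.0.0.5\tGET\thttp://mail.firewall-gateway.com/\t200\ttext/html\tMozilla/4.0 (compatible; MSIE 6.0; Win32)
2013-08-13T10:03:01Z\t10.0.0.7\tGET\thttp://download.example.com/tool.exe\t200\tapplication/x-msdownload\tMozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0
2013-08-13T10:03:05Z\t10.0.0.7\tGET\thttp://www.example.com/\t200\ttext/html\tMozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, method, url, status, ctype, ua = line.rstrip("\n").split("\t", 6)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype.lower(), "ua": ua}


def is_browser_ua(ua):
    """Real browsers send a long 'Mozilla/x.y (...)' token; shellcode downloaders
    typically send a bare product name such as 'wininet', or nothing at all."""
    return ua.startswith("Mozilla/") and "(" in ua


def is_executable_download(rec):
    """PE download by recorded content type or by file extension in the URL path."""
    path = urlparse(rec["url"]).path.lower()
    return rec["ctype"] in BINARY_CONTENT_TYPES or path.endswith((".exe", ".dll", ".scr"))


def dyndns_zone(host):
    """Return the matching dynamic DNS zone for a host, or None."""
    host = host.lower()
    for zone in DYNDNS_ZONES:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def triage(log_text):
    """Return a list of (client, url, reason) findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host = urlparse(rec["url"]).hostname or ""
        if is_executable_download(rec) and not is_browser_ua(rec["ua"]):
            findings.append((rec["client"], rec["url"],
                             "executable fetched with non-browser User-Agent %r" % rec["ua"]))
        zone = dyndns_zone(host)
        if zone:
            findings.append((rec["client"], rec["url"],
                             "destination under dynamic DNS zone " + zone))
    return findings


if __name__ == "__main__":
    for client, url, reason in triage(SAMPLE_LOG):
        print(client, url, reason)
```

The browser-driven `tool.exe` download from 10.0.0.7 is deliberately not reported: as the post notes, the non-browser agent is only a signal when paired with something else, here an executable download. The dynamic DNS check is a zone suffix match, so `firewall-gateway.com.evil.example` does not match; extend `DYNDNS_ZONES` with the providers you actually see in your environment rather than trusting the assumed list.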

The detection rate of the binary file seems very low, as reported by VirusTotal. From a brief static analysis of the malicious binary, you can find a list of strings used to check for the presence of antivirus software on the impacted system:

[Image: AntiVirus]
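The static check described above, pulling printable strings out of the binary and matching them against antivirus product names, can be reproduced with a few lines. The script below is an added example, not the post's analysis output: the binary is a constructed byte blob, and the antivirus marker list is an assumption, since the post does not reproduce the actual strings it found.

```python
"""Extract ASCII and UTF-16LE strings from a binary and match them against antivirus
process and vendor names.

Added example, not code or data from the Websense post. SAMPLE_BINARY is a
constructed blob; AV_MARKERS is an assumed watch-list.
"""
import re

# Assumed watch-list of AV process names and vendor strings.
AV_MARKERS = ("avp.exe", "mcshield.exe", "avgnt.exe", "ekrn.exe", "ccsvchst.exe",
              "msmpeng.exe", "kaspersky", "symantec", "mcafee", "avira", "eset")

# Constructed blob: junk bytes, a few ASCII strings, and one UTF-16LE string
# (Windows binaries often hold process names as wide strings).
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"CreateToolhelp32Snapshot\x00Process32First\x00\x01\x02"
    b"avp.exe\x00\x00\xdeMcShield.exe\x00\x7f"
    + "ekrn.exe".encode("utf-16-le")
    + b"\x00\x00mail.firewall-gateway.com\x00\x7f\x7f"
)

# Runs of four or more printable characters, narrow and wide.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(blob):
    """Return the ASCII strings followed by the UTF-16LE strings found in blob."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(blob)]
    return found


def av_references(blob):
    """Return the sorted AV markers referenced by the binary (case-insensitive)."""
    hits = set()
    for s in extract_strings(blob):
        low = s.lower()
        for marker in AV_MARKERS:
            if marker in low:
                hits.add(marker)
    return sorted(hits)


if __name__ == "__main__":
    print(extract_strings(SAMPLE_BINARY))
    print(av_references(SAMPLE_BINARY))
```

Short vendor markers such as "eset" will produce false positives on arbitrary text, so treat the result as a triage hint that tells you where to look in a disassembler, not as a verdict. The presence of `CreateToolhelp32Snapshot`/`Process32First` next to AV process names is the usual sign that the sample enumerates running processes before deciding how to behave.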

The binary file has a low AV detection rate, as reported by this VirusTotal report.

In this blog we gave a brief example of what appears to be a waterholing attack aimed at a specific crowd, in this case pro-Tibet users. We believe that the complexity of such attacks is in direct relation to the security measures employed by the potential targets; in this case the attack is not that complex, but probably just complex enough to fulfill its ultimate purpose.

Websense customers are protected from injected websites and the different stages of this threat with our Advanced Classification Engine – ACE.

Source: https://www.forcepoint.com/blog/x-labs/tibetan-alliance-chicago-hit-cyber-waterholing-attack
