The AlienVault Blogs: Taking On Today’s Threats
Latest

The most recent posts from across the AlienVault blogs.

Labs

Late-breaking discoveries and in-depth analysis.

How-To

Practical, how-to advice, tips and guidance.

Hot

Perspectives on trends and industry happenings.

U.S. Department of Labor website hacked and redirecting to malicious code

During the last few hours we have identified that one the U.S. Department of Labor website has been hacked and it is serving malicious code.

Clarification:

The website affected is the The Department of Labor (DOL) Site Exposure Matrices (SEM) Website 

“The Department of Labor (DOL) Site Exposure Matrices (SEM) Website is a repository of information gathered from a variety of sources regarding toxic substances present at Department of Energy (DOE) and Radiation Exposure Compensation Act (RECA) facilities covered under Part E of the Energy Employees Occupational Illness Compensation Program Act (EEOICPA)”

As you can see in the following UrlQuery report the website is including code from the malicious server dol[.]ns01[.]us:

Once you visit the website the following file is included:

www[.]sem[.]dol[.]gov/scripts/textsize.js that contains the following code:

 

 

The browser will then execute a script from the malicious server dol[.]ns01[.]us:8081/web/xss.php

 

 

http://labs.alienvault.com/labs/index.php/projects/open-source-ip-reputation-portal/information-about-ip/?ip=96.44.136.115

The script will collect a lot of information from the system and then it will upload the information collected to the malicious server. Some of the functions to collect information are:

flashver(): This function will collect information about the Flash software running on the system, including versions and OS details

 

 

bitdefender2012check() and disabledbitdefender_2012(): The function will try to determine if BitDefender is running on the system checking for the injected code (netdefender/hui/ndhui.js) on the HTML of the webpage and it will try to deactivate the AV.

 

 

avastcheck(): It checks if Avast Antivirus is running on the system detecting the presence of the Chrome extension:

 

 

aviracheck(): It checks if Avira Antivirus is running on the system detecting the presence of the Chrome extension:

 

 

java(): It collects information about Java versions running on the system

 

 

officever(): It collects information about Microsoft Office versions installed on the system

 

 

plugin_pdf_ie(): It detects if Adobe Reader is installed in the system calling Acrobat Reader’s ActiveX object:

 

 

jstocreate(): It detects if the system is running one of the following Antivirus:

  • avira
  • bitdefender_2013
  • mcafee_enterprise
  • avg2012
  • eset_nod32
  • Dr.Web
  • Mse
  • sophos
  • f-secure2011
  • Kaspersky_2012
  • Kaspersky_2013

 

 

Once all the information has been collected it sends the data to the following URL using a POST request:

dol[.]ns01[.]us:8081/web/js[.]php

An example of the information collected is as follow:

Shockwave Flash 11.6.602,No Java or Disable or user uninstall it(if plugins have java)!,Avast!,Shockwave Flash(Name:NPSWF32_11_6_602_180.dll{Ver:11.6.602.180}),AVG SiteSafety plugin(Name:npsitesafety.dll{Ver:14.2.0.1}),MindSpark Toolbar Platform Plugin Stub(Name:NP4zStub.dll{Ver:1.0.1.1}),TelevisionFanatic Installer Plugin Stub(Name:NP64EISb.dll{Ver:1.0.0.1}),MinibarPlugin(Name:npMinibarPlugin.dll{Ver:1.0.0.1}),Photo Gallery(Name:NPWLPG.dll{Ver:16.4.3505.912}),Yahoo Application State Plugin(Name:npYState.dll{Ver:1.0.0.7}),Silverlight Plug-In(Name:npctrl.dll{Ver:5.1.10411.0}),Microsoft Office 2010(Name:NPSPWRAP.DLL{Ver:14.0.4761.1000}),Microsoft Office 2010(Name:NPAUTHZ.DLL{Ver:14.0.4730.1010}),Microsoft® Windows Media Player Firefox Plugin(Name:np-mswmp.dll{Ver:1.0.0.8}),PDF-XChange Viewer(Name:npPDFXCviewNPPlugin.dll{Ver:2.5.200.0})

Some of the techniques used in this attack are very similar to the ones we identified a few months ago in an attack against a Thailand NGO website:

Thailand NGO site hacked and serving malware

After sending the information about the system the following request is also made:

dol[.]ns01[.]us:8081/update/index.php

After analyzing that file we found the following function:

 

 

If we decode the eval string we find:

 

 

After a quick analysis it seems the malicious server is exploiting CVE-2012-4792 that was fixed earlier this year. We are still verifying this information and we will give you more details when we confirm the vulnerability exploited is CVE-2012-4792.

Once the vulnerability is exploited the system will download the payload from dol[.]ns01[.]us:8081/update/bookmark.png:

 

 

After fixing the PE header we obtained the following PE file:

https://www.virustotal.com/en/file/ea80dba427e7e844a540286faaccfddb6ef2c10a4bc6b27e4b29ca2b30c777fb/analysis/

It has a detection rate of 2 / 46 at the time of writing this blog post.

Once the payload is executed:

- The malware will create a copy of itself in Documents and Settings\[CURRENT_USER]\Application Data\conime.exe

- It will create a registry key pointing to conime.exe on HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run conime to maintain persistence

- It will connect to a C&C on microsoftUpdate.ns1.name currently pointing to a Google DNS server 8.8.8.8.

An available on http://www.malwr.com shows that that the DNS name was previously pointing to:

173.254.229.176

 

 

https://malwr.com/analysis/YzUyMDk4M2M5YmM4NDgzNDllMDE5MWE1MDY4Y2I1MGM/

An analysis of the malware shows the payload is using the following GET requests to communicate with the C&C server:

/Photos/Query.cgi?loginid=[RANDOM_NUMBER]

The C&C protocol matches with a backdoor used by a known chinese actor called DeepPanda and described by CrowdStrike in the following analysis:

http://www.crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf

We are still investigating this attack and we will update the blog post if we obtain more information about it.

Happy hunting!

Next
Previous
Blog Home