Recently we came across a new variant of the malware ServStart. ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks. The attackers are hosting the ServStart malware on a file server that is open for anyone to view.
[Figure: The open file server at http://222.186.11[.]182:9999]
The Rar Archive
One of the files on the server, 11.rar, contains this batch script:
[Figure: The file 哈迪斯技术组ARP工具(Hades Technology Group ARP Tools).bat]
Zxarps - An ARP Spoofing Tool
This batch script executes a tool known as zxarps (https://github.com/sincoder/zxarps). Zxarps is an ARP spoofing tool that has been publicly available for over ten years.
It’s a fairly unusual tool, though familiar to anyone who played with hacking tools like Cain and Abel decades ago. ARP spoofing can be used to redirect traffic to an attacker controlled server.
[Figure: A description of ARP spoofing, from Wikipedia]
A report from 2014 on an attack involving CVE-2014-6332 describes well how an attacker might use zxarps:
“This malware performs ARP spoofing on the network to cause other systems to route their traffic through the infected system, and inject a malicious IFRAME into webpages.”
The ARP spoofing attack can work in both directions. If a web host is compromised, zxarps can be used to insert malicious code into other sites on the same web host. A report from way back in 2009 describes attacks that operated this way:
[Figure: Potentially infected sites]
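The symptom ARP spoofing leaves on a LAN, whichever direction it is run in, is that a single IP address is suddenly claimed by a second MAC address. The following is an added example (not code from the original post, and not part of zxarps) of a minimal ARP frame parser and a cache-consistency monitor that flags that symptom; the frames it processes are constructed inline with made-up addresses rather than captured traffic, and the `build_arp_frame` helper exists only to produce that test input.

```python
import struct
from collections import namedtuple

# Constructed example: parse Ethernet+ARP frames and flag IP->MAC conflicts,
# the on-the-wire effect of an ARP spoofing tool such as zxarps.
ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

ArpPacket = namedtuple("ArpPacket", "op eth_src sha spa tha tpa")


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sha, spa, tha, tpa, eth_src=None):
    """Build an Ethernet+ARP frame. Used here only to construct sample input."""
    eth_src = eth_src or sha
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else tha
    return (ETH.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa)))


def parse_arp_frame(frame):
    """Return an ArpPacket for an IPv4-over-Ethernet ARP frame, or None otherwise."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _, eth_src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpPacket(op, mac_str(eth_src), mac_str(sha), ip_str(spa),
                     mac_str(tha), ip_str(tpa))


class ArpMonitor:
    """Track IP->MAC bindings from ARP sender fields and report conflicts."""

    def __init__(self, known=None):
        # Seed with bindings you trust (gateway, servers); learned ones are added as seen.
        self.bindings = dict(known or {})
        self.alerts = []

    def observe(self, frame):
        """Process one frame; return the alerts it raised (empty list if benign)."""
        pkt = parse_arp_frame(frame)
        if pkt is None:
            return []
        if pkt.spa == "0.0.0.0":  # ARP probe (RFC 5227): carries no binding to record
            return []
        found = []
        # Check 1: sender hardware address should match the Ethernet source.
        if pkt.sha != pkt.eth_src:
            found.append(f"sender MAC {pkt.sha} != frame source {pkt.eth_src} for {pkt.spa}")
        # Check 2: an IP already bound to one MAC is now claimed by another.
        prev = self.bindings.get(pkt.spa)
        if prev is None:
            self.bindings[pkt.spa] = pkt.sha  # first sighting: learn it
        elif prev != pkt.sha:
            found.append(f"{pkt.spa} previously {prev}, now claimed by {pkt.sha}")
        self.alerts.extend(found)
        return found


if __name__ == "__main__":
    # Constructed scenario: a trusted gateway binding, then a conflicting claim.
    mon = ArpMonitor({"192.168.1.1": "aa:bb:cc:00:00:01"})
    legit = build_arp_frame(ARP_REPLY, "aa:bb:cc:00:00:01", "192.168.1.1",
                            "aa:bb:cc:00:00:42", "192.168.1.42")
    spoof = build_arp_frame(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.1",
                            "aa:bb:cc:00:00:42", "192.168.1.42")
    for f in (legit, spoof):
        for alert in mon.observe(f):
            print("ALERT:", alert)
```

Both requests and replies are inspected because the sender fields of either will update a victim's cache; the monitor deliberately does not overwrite a known binding on conflict, so a burst of poisoned frames produces an alert per frame rather than silently re-learning the attacker's address.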
All this... just to insert adverts for a casino
Reviewing the injected code indicates it isn’t being used to serve malware, but simply to serve adverts for a Chinese casino:
If you’re reviewing malvertising on a website, and aren’t sure how it got there, this is another technique to consider.
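One practical way to apply that advice is to compare the copy of a page a client on the affected network receives with a copy retrieved out-of-band (for example, from the web server itself over a console session) and list any iframes that appear only in the former. This is an added example, not code from the original post; the two HTML documents it compares are constructed inline, and the `.invalid` hostname is a placeholder rather than a real indicator.

```python
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs).get("src", ""))


def iframe_sources(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


def injected_iframes(reference_html, observed_html):
    """Return iframe src values present in the observed copy but absent from the reference copy."""
    baseline = set(iframe_sources(reference_html))
    return [src for src in iframe_sources(observed_html) if src not in baseline]


# Constructed sample input: what the server stores versus what a LAN client sees.
REFERENCE_HTML = """<html><body>
<h1>Shop</h1>
<iframe src="https://shop.example/cart"></iframe>
</body></html>"""

OBSERVED_HTML = """<html><body>
<h1>Shop</h1>
<iframe src="https://shop.example/cart"></iframe>
<iframe src="http://ads.placeholder.invalid/casino" width="1" height="1"></iframe>
</body></html>"""


if __name__ == "__main__":
    for src in injected_iframes(REFERENCE_HTML, OBSERVED_HTML):
        print("iframe not present in reference copy:", src)
```

If the out-of-band copy is clean and the client-observed copy carries an extra iframe, the injection is happening in transit (ARP spoofing being one way that happens) rather than in the files on the server, which changes where the incident response effort should go.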
Indicators of Compromise
Malicious files on the fileserver
You can view these indicators in AlienVault OTX