U.S. Department of Labor website hacked and redirecting to malicious code

May 1, 2013 | Jaime Blasco

During the last few hours we have identified that one of the U.S. Department of Labor websites has been hacked and is serving malicious code.

Clarification:

The website affected is the Department of Labor (DOL) Site Exposure Matrices (SEM) Website:

“The Department of Labor (DOL) Site Exposure Matrices (SEM) Website is a repository of information gathered from a variety of sources regarding toxic substances present at Department of Energy (DOE) and Radiation Exposure Compensation Act (RECA) facilities covered under Part E of the Energy Employees Occupational Illness Compensation Program Act (EEOICPA)”

As you can see in the following UrlQuery report, the website includes code from the malicious server dol[.]ns01[.]us:

[UrlQuery domain graph]

Once you visit the website, the following file is included:

www[.]sem[.]dol[.]gov/scripts/textsize.js, which contains the following code:

[Screenshot 2013-05-01 13.47.17]

The browser will then execute a script from the malicious server dol[.]ns01[.]us:8081/web/xss.php

[Screenshot 2013-05-01 15.11.14]

The script collects a large amount of information from the system and then uploads it to the malicious server. Some of the functions used to collect information are:

flashver(): This function collects information about the Flash software running on the system, including versions and OS details.

[Screenshot 2013-05-01 13.58.18]

bitdefender2012check() and disabledbitdefender_2012(): These functions try to determine whether BitDefender is running on the system by checking for its injected code (netdefender/hui/ndhui.js) in the HTML of the web page, and then attempt to deactivate the AV.

[Screenshot 2013-05-01 14.02.13]

avastcheck(): It checks whether Avast Antivirus is running on the system by detecting the presence of its Chrome extension:

[Screenshot 2013-05-01 14.04.53]

aviracheck(): It checks whether Avira Antivirus is running on the system by detecting the presence of its Chrome extension:

[Screenshot 2013-05-01 14.06.19]

java(): It collects information about the Java versions installed on the system.

[Screenshot 2013-05-01 14.08.23]

officever(): It collects information about the Microsoft Office versions installed on the system.

[Screenshot 2013-05-01 14.10.37]

plugin_pdf_ie(): It detects whether Adobe Reader is installed on the system by instantiating Acrobat Reader's ActiveX object:

[Screenshot 2013-05-01 14.11.34]

jstocreate(): It detects whether the system is running one of the following antivirus products:

  • avira
  • bitdefender_2013
  • mcafee_enterprise
  • avg2012
  • eset_nod32
  • Dr.Web
  • Mse
  • sophos
  • f-secure2011
  • Kaspersky_2012
  • Kaspersky_2013

[Screenshot 2013-05-01 14.14.23]

Once all the information has been collected, the script sends the data to the following URL using a POST request:

dol[.]ns01[.]us:8081/web/js[.]php

An example of the information collected is as follows:

Shockwave Flash 11.6.602,No Java or Disable or user uninstall it(if plugins have java)!,Avast!,Shockwave Flash(Name:NPSWF32_11_6_602_180.dll{Ver:11.6.602.180}),AVG SiteSafety plugin(Name:npsitesafety.dll{Ver:14.2.0.1}),MindSpark Toolbar Platform Plugin Stub(Name:NP4zStub.dll{Ver:1.0.1.1}),TelevisionFanatic Installer Plugin Stub(Name:NP64EISb.dll{Ver:1.0.0.1}),MinibarPlugin(Name:npMinibarPlugin.dll{Ver:1.0.0.1}),Photo Gallery(Name:NPWLPG.dll{Ver:16.4.3505.912}),Yahoo Application State Plugin(Name:npYState.dll{Ver:1.0.0.7}),Silverlight Plug-In(Name:npctrl.dll{Ver:5.1.10411.0}),Microsoft Office 2010(Name:NPSPWRAP.DLL{Ver:14.0.4761.1000}),Microsoft Office 2010(Name:NPAUTHZ.DLL{Ver:14.0.4730.1010}),Microsoft® Windows Media Player Firefox Plugin(Name:np-mswmp.dll{Ver:1.0.0.8}),PDF-XChange Viewer(Name:npPDFXCviewNPPlugin.dll{Ver:2.5.200.0})

After sending the information about the system, the following request is also made:

dol[.]ns01[.]us:8081/update/index.php

After analyzing that file we found the following function:

[Screenshot 2013-05-01 14.33.09]

If we decode the eval string we find:

[Screenshot 2013-05-01 14.34.54]

After a quick analysis, it seems the malicious server is exploiting CVE-2012-4792, which was fixed earlier this year. We are still verifying this information and will provide more details once we confirm that the vulnerability exploited is CVE-2012-4792.

Once the vulnerability is exploited, the system downloads the payload from dol[.]ns01[.]us:8081/update/bookmark.png:

[Screenshot 2013-05-01 14.39.24]

After fixing the PE header, we obtained the following PE file:

https://www.virustotal.com/en/file/ea80dba427e7e844a540286faaccfddb6ef2c10a4bc6b27e4b29ca2b30c777fb/analysis/

It had a detection rate of 2 / 46 at the time of writing this blog post.

Once the payload is executed:

- The malware creates a copy of itself in Documents and Settings\[CURRENT_USER]\Application Data\conime.exe

- It creates a registry value named conime under HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run pointing to conime.exe, to maintain persistence

- It connects to a C&C at microsoftUpdate.ns1.name, which currently resolves to the Google DNS server 8.8.8.8 (a common parking trick: the domain stays registered but resolves to a harmless address until the operators activate it)

[Screenshot 2013-05-01 15.00.35]

An analysis of the malware shows that the payload uses the following GET requests to communicate with the C&C server:

/Photos/Query.cgi?loginid=[RANDOM_NUMBER]
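As an added example (not part of the original post or of AlienVault's tooling), the following Python scans proxy log lines for the network indicators described above: the fingerprinting and upload scripts, the exploit landing page, the payload download and the C&C beacon pattern. The log format and the sample lines are constructed assumptions; matching is done on host names rather than IP addresses because the C&C domain resolved to 8.8.8.8 at the time of writing.

```python
import re

# Indicators taken from the post (defanged there; undefanged here for matching).
HOST_INDICATORS = {
    "dol.ns01.us": "script/exploit/payload host",
    "microsoftupdate.ns1.name": "C&C domain",
}
PATH_INDICATORS = [
    (re.compile(r"/web/xss\.php$"), "fingerprinting script"),
    (re.compile(r"/web/js\.php$"), "fingerprint upload"),
    (re.compile(r"/update/index\.php$"), "exploit landing page"),
    (re.compile(r"/update/bookmark\.png$"), "payload download"),
    (re.compile(r"/Photos/Query\.cgi\?loginid=\d+$"), "C&C beacon"),
]

# Assumed log format for this example: "<timestamp> <client-ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?$")

def scan_line(line):
    """Return (client, host, path, labels) if the line matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; skip rather than crash
    u = URL_RE.match(m.group("url"))
    if not u:
        return None
    host = u.group("host").lower()        # host names are case-insensitive
    path = u.group("path") or "/"
    labels = []
    if host in HOST_INDICATORS:
        labels.append(HOST_INDICATORS[host])
    labels += [label for rx, label in PATH_INDICATORS if rx.search(path)]
    return (m.group("client"), host, path, labels) if labels else None

def scan_log(lines):
    return [h for h in map(scan_line, lines) if h]

# Constructed sample log reproducing the infection chain from the post.
SAMPLE_LOG = [
    "2013-05-01T13:47:17Z 10.0.0.5 GET http://www.sem.dol.gov/scripts/textsize.js",
    "2013-05-01T13:47:18Z 10.0.0.5 GET http://dol.ns01.us:8081/web/xss.php",
    "2013-05-01T13:47:20Z 10.0.0.5 POST http://dol.ns01.us:8081/web/js.php",
    "2013-05-01T13:47:21Z 10.0.0.5 GET http://dol.ns01.us:8081/update/index.php",
    "2013-05-01T13:47:25Z 10.0.0.5 GET http://dol.ns01.us:8081/update/bookmark.png",
    "2013-05-01T15:00:35Z 10.0.0.5 GET http://microsoftUpdate.ns1.name/Photos/Query.cgi?loginid=48213",
    "2013-05-01T15:01:00Z 10.0.0.9 GET http://www.example.com/index.html",
]

if __name__ == "__main__":
    for client, host, path, labels in scan_log(SAMPLE_LOG):
        print(client, host, path, ", ".join(labels))
```

The legitimate sem.dol.gov request is deliberately not flagged: the compromised site itself is not an indicator, only the third-party hosts it was made to load.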

We are still investigating this attack and will update the blog post if we obtain more information about it.

Happy hunting!

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.