U.S. Department of Labor website hacked and redirecting to malicious code

May 1, 2013 | Kate Brew

During the last few hours we have identified that one the U.S. Department of Labor website has been hacked and it is serving malicious code.

Clarification:

The website affected is the The Department of Labor (DOL) Site Exposure Matrices (SEM) Website 

“The Department of Labor (DOL) Site Exposure Matrices (SEM) Website is a repository of information gathered from a variety of sources regarding toxic substances present at Department of Energy (DOE) and Radiation Exposure Compensation Act (RECA) facilities covered under Part E of the Energy Employees Occupational Illness Compensation Program Act (EEOICPA)”

As you can see in the following UrlQuery report the website is including code from the malicious server dol[.]ns01[.]us:

domain_graph

Once you visit the website the following file is included:

www[.]sem[.]dol[.]gov/scripts/textsize.js that contains the following code:

 

Captura de pantalla 2013-05-01 a la(s) 13.47.17

 

The browser will then execute a script from the malicious server dol[.]ns01[.]us:8081/web/xss.php

 

Captura de pantalla 2013-05-01 a la(s) 15.11.14

The script will collect a lot of information from the system and then it will upload the information collected to the malicious server. Some of the functions to collect information are:

flashver(): This function will collect information about the Flash software running on the system, including versions and OS details

Captura de pantalla 2013-05-01 a la(s) 13.58.18

bitdefender2012check() and disabledbitdefender_2012(): The function will try to determine if BitDefender is running on the system checking for the injected code (netdefender/hui/ndhui.js) on the HTML of the webpage and it will try to deactivate the AV.

Captura de pantalla 2013-05-01 a la(s) 14.02.13

avastcheck(): It checks if Avast Antivirus is running on the system detecting the presence of the Chrome extension:

Captura de pantalla 2013-05-01 a la(s) 14.04.53

aviracheck(): It checks if Avira Antivirus is running on the system detecting the presence of the Chrome extension:

Captura de pantalla 2013-05-01 a la(s) 14.06.19

java(): It collects information about Java versions running on the system

Captura de pantalla 2013-05-01 a la(s) 14.08.23

officever(): It collects information about Microsoft Office versions installed on the system

Captura de pantalla 2013-05-01 a la(s) 14.10.37

plugin_pdf_ie(): It detects if Adobe Reader is installed in the system calling Acrobat Reader’s ActiveX object:

Captura de pantalla 2013-05-01 a la(s) 14.11.34

jstocreate(): It detects if the system is running one of the following Antivirus:

  • avira
  • bitdefender_2013
  • mcafee_enterprise
  • avg2012
  • eset_nod32
  • Dr.Web
  • Mse
  • sophos
  • f-secure2011
  • Kaspersky_2012
  • Kaspersky_2013

Captura de pantalla 2013-05-01 a la(s) 14.14.23

Once all the information has been collected it sends the data to the following URL using a POST request:

dol[.]ns01[.]us:8081/web/js[.]php

An example of the information collected is as follow:

Shockwave Flash 11.6.602,No Java or Disable or user uninstall it(if plugins have java)!,Avast!,Shockwave Flash(Name:NPSWF32_11_6_602_180.dll{Ver:11.6.602.180}),AVG SiteSafety plugin(Name:npsitesafety.dll{Ver:14.2.0.1}),MindSpark Toolbar Platform Plugin Stub(Name:NP4zStub.dll{Ver:1.0.1.1}),TelevisionFanatic Installer Plugin Stub(Name:NP64EISb.dll{Ver:1.0.0.1}),MinibarPlugin(Name:npMinibarPlugin.dll{Ver:1.0.0.1}),Photo Gallery(Name:NPWLPG.dll{Ver:16.4.3505.912}),Yahoo Application State Plugin(Name:npYState.dll{Ver:1.0.0.7}),Silverlight Plug-In(Name:npctrl.dll{Ver:5.1.10411.0}),Microsoft Office 2010(Name:NPSPWRAP.DLL{Ver:14.0.4761.1000}),Microsoft Office 2010(Name:NPAUTHZ.DLL{Ver:14.0.4730.1010}),Microsoft® Windows Media Player Firefox Plugin(Name:np-mswmp.dll{Ver:1.0.0.8}),PDF-XChange Viewer(Name:npPDFXCviewNPPlugin.dll{Ver:2.5.200.0})

After sending the information about the system the following request is also made:

dol[.]ns01[.]us:8081/update/index.php

After analyzing that file we found the following function:

Captura de pantalla 2013-05-01 a la(s) 14.33.09

If we decode the eval string we find:

Captura de pantalla 2013-05-01 a la(s) 14.34.54

After a quick analysis it seems the malicious server is exploiting CVE-2012-4792 that was fixed earlier this year. We are still verifying this information and we will give you more details when we confirm the vulnerability exploited is CVE-2012-4792.

Once the vulnerability is exploited the system will download the payload from dol[.]ns01[.]us:8081/update/bookmark.png:

Captura de pantalla 2013-05-01 a la(s) 14.39.24

After fixing the PE header we obtained the following PE file:

https://www.virustotal.com/en/file/ea80dba427e7e844a540286faaccfddb6ef2c10a4bc6b27e4b29ca2b30c777fb/analysis/

It has a detection rate of 2 / 46 at the time of writing this blog post.

Once the payload is executed:

- The malware will create a copy of itself in Documents and Settings[CURRENT_USER]Application Dataconime.exe

- It will create a registry key pointing to conime.exe on HKEY_USERSSoftwareMicrosoftWindowsCurrentVersionRun conime to maintain persistence

- It will connect to a C&C on microsoftUpdate.ns1.name currently pointing to a Google DNS server 8.8.8.8.

Captura de pantalla 2013-05-01 a la(s) 15.00.35

An analysis of the malware shows the payload is using the following GET requests to communicate with the C&C server:

/Photos/Query.cgi?loginid=[RANDOM_NUMBER]

We are still investigating this attack and we will update the blog post if we obtain more information about it.

Happy hunting!

Kate Brew

About the Author: Kate Brew

Kate has over 15 years experience in product management and marketing, primarily in information security.

Read more posts from Kate Brew ›

‹ BACK TO ALL BLOGS

Get the latest security news in your inbox.

Subscribe via Email

Watch a Demo ›
Get Price Free Trial