UPDATED 11:30 am 5.4.13 – Correction - Microsoft confirms exploit is a zero-day as written up in Part 2
UPDATED 8:50 am 5.2.13 – Correction regarding Google black-holing of domain – details in analysis below
UPDATED 2:47 pm 5.1.13 – Now available – IOC file – Download Here!
On the evening of Tuesday, April 30th 2013, we received a tip that a site hosted by the United States Department of Labor (USDOL) had been compromised and was hosting malicious code. The site has since been fixed and law enforcement is investigating.
In addition, AlienVault also has a write-up of the same exploit here.
As many security companies, including Websense, have recently noted, the vast majority of web-based driveby exploits are occurring from legitimate websites that are compromised with the specific intention to exploit the website visitors. Watering hole attacks gained notoriety over the last year as a method of infecting specific targets by compromising websites they are likely to visit.
In this case one US Federal department website, the Department of Labor, was compromised in order to target what are believed to be employees of US Dept of Energy that work in nuclear weapons programs. As reported by NextGov, the the Dept of Labor’s web pages that were hijacked in this compromise — the “Site Exposure Matrices”– lists “nuclear-related illnesses linked to Energy facilities and toxicity levels at each location that might have sickened employees developing atomic weapons”. In other words, this attack bears the hallmarks of a classic watering hole attack targeting certain employees working in nuclear weapons for the Dept of Energy by compromising a website at the Dept of Labor they are likely to visit.
Armed with an Invincea protected browser (IE8, Windows XP 32-bit), we decided to investigate further. Upon landing on the affected page, it only took a moment before we received the all too familiar alert notification from Invincea that an infection had been detected:
Drilling into the Details link, we can observe the real-time activity of the captured malware inside the Invincea virtual container:
As we can plainly see, a suspect executable has been dropped onto the virtual file system (conime.exe) and launched as a process. Furthermore, we observe that network listeners have been opened as well as outbound network communications. To obtain more forensic data related to this mock infection, we first click Restore to purge the virtual container of all changes and pivot to the Threat Data Server for more detail:
Once we have located the appropriate infection entry as shown above, we can quickly see the total number of virtual system changes recorded as the malware was allowed to run inside the container with breakdowns on number of executables written, processes launched and network connections opened. In this case, 31 total changes were recorded with 2 distinct executable drops, 3 process launches and 3 network connections opened. We can also rapidly determine that there are two web redirects present on the main index page associated with www[.]sem[.]dol[.]gov. These redirects obviously lead to content hosted at dol[.]ns01[.]us which lead to the infection. Next, we’ll select the Timeline tab to get more detail on the infection chain of events:
In the screen capture above, we can see that shortly after the browser was redirected to the content hosted at dol[.]ns01[.]us, a file previously downloaded to the browser cache is launched as a process. We can also see the MD5Sum of the offending process listed in the Event Properties window above.
Next, we can see that a network listener is opened on port 443 and several steps are taken to maintain persistence on the host. Reg.exe is launched from Windowssystem32 in order to configure an autorun in the registry and the malware copies itself to a more permanent location in the user’s %appdata% directory as “conime.exe”:
Auto-run entry details:
UPDATED 8:50 a.m. 5.2.13 –
Next, the malware opens additional network listeners on port 53 and 8080 as well as attempts to contact its command and control (C2) server for instructions. The C2 domain associated with this sample is microsoftupdate[.]ns1[.]name which resolved to 18.104.22.168 (Google) at the time of the original analysis. The domain is currently resolving to 22.214.171.124 (Xerox Corporation) which may indicate that the attackers are attempting to avoid attribution efforts by the security research community.
During the initial C2 contact, the client attempts to send an encrypted payload of exactly 256 bytes to the C2 server over port 443 as seen below:
This behavior is highly consistent with the Poison Ivy RAT as previously described by Gal Badishi of Cyvera in this blog posting.
If we go back to the Processes tab in our Invincea threat analyzer, we can perform a virustotal.com hash check on our malware:
The results indicate that this Poison Ivy sample has an extremely low antivirus detection ratio (2/46):
Now, let’s backtrack and review the infection chain of events.
The main index page of www[.]sem[.]dol[.]gov contains an embedded script:
If we examine the contents of textsize.js, we can see that the DOM createElement() method is used to write a script tag on the page pointing to hxxp://dol[.]ns01[.]us:8081/web/xss.php as well as an iframe leading to hxxp://dol[.]ns01[.]us:8081/update/index.php:
index.php from our iframe above is where the code to exploit the browser lies:
The following screenshot illustrates the malware download (bookmark.png – md5: a449fdcc2e15655c9f720247646913e4). Note that the PE magic number has been altered to avoid network detection signatures that rely on the presence of “MZ”:
It is important to note that most websites are vulnerable to exploit. As a result, exploiting legitimate websites have become a common vector for penetrating enterprise networks and individual machines. The Department of Labor is no exception. Their website was compromised to host a re-direct to a malicious website. The target of this attack appears to be employees of the Dept of Energy that likely work in nuclear weapons research. In addition, AlienVault is reporting that this attack has indicators of compromise that link to the DeepPanda Chinese APT group. This compromise shows that watering hole attacks continue to be employed by advanced threat using exploits customized to their target profile. The malicious website re-direct exploits an older vulnerability in Internet Explorer and Windows XP machines that fit the typical configuration of enterprise user machines. Invincea users are protected against this attack as they are against other web-based drive-by and spear-phishing attacks.
Please contact Invincea today to schedule a demo.