Over two days last week, the BBC website reported news about a waterholing attack against the Central Tibetan Administration website. Over the last two years, attacks like these have targeted pro-Tibet websites and other human rights organisations around the world. A waterholing attack is one that targets users of specific websites with the aim of installing malware on their systems (usually using a backdoor approach) to collect documents, email contacts, social contacts, and passwords. The frequency of these attacks prompted Websense Security Labs to check our collective threat intelligence for any other websites that are considered pro-Tibet to see if they are affected by this kind of attack.
In this blog we're going to analyse the Tibetan Alliance of Chicago website and illustrate how waterholing attacks are conducted.
One of the trends with targeted attacks in the last few years is that any installed malware binaries connect to dynamic DNS websites. One of the most interesting aspects of this specific attack is that a successful exploit downloads a binary that connects to a small Dynamic DNS service offered by none other than a German-based security appliances and services company, which reaffirms the notion that perpetrators pick and choose the parts of their attack infrastructure.
Although the website does not have a high Alexa rank, we thought it was worth consideration, because our analysis concluded that it wasn't a scattered attack, but a targeted injection to infect the users of that website.
We started to investigate the content of these two links. The first (hxxp://18.104.22.168/images/Adobe/index.html) contains another iFrame that leads to a Firefox plugin named "Adobe Flash Player.xpi," although at the time of the analysis, the plugin wasn't available.
When we used Threatseeker to search for other instances of "Adobe Flash Player xpi," we detected other malicious websites, so we deduced that the aim of this iFrame was to try to install a malicious plugin using social engineering techniques. The second link (hxxp://22.214.171.124/index.html) caught our attention, because it seems to be malicious code exploiting the vulnerability CVE-2012-4969:
The code shows another iframe that leads to hxxp://126.96.36.199/yRrztX.html. From this, we could see the code used to trigger the Internet Explorer vulnerability tracked as CVE-2012-4969, which a security researcher spotted in other targeted attacks in September 2012. The code within the page "index.html" uses the "heap spray" mechanism to run shellcode if the exploitation attempt succeeds.
Once the shellcode is executed, it downloads and runs a malicious file on the compromised system. The shellcode appears to be using the Windows default user-agent 'wininet' to retrieve the malicious file, which in itself can be considered suspicious, because we don't normally see many legitimate HTTP requests that use this agent. We do see this user-agent being used by legitimate software, but it's not predominant.
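A detection sketch for the download behaviour described above, added here as an example and not taken from the original analysis. The log format, hosts and addresses are constructed, and the threshold of two signals is an assumption that reflects the caveat that legitimate software also sends the 'wininet' agent.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the incident). Fields: time, client,
# method, URL, status, response content type, quoted User-Agent.
SAMPLE_LOG = """\
2013-08-12T09:14:02Z 10.0.0.21 GET http://updates.vendor.example/app/manifest.xml 200 text/xml "wininet"
2013-08-12T09:15:40Z 10.0.0.37 GET http://203.0.113.7/files/svc.exe 200 application/octet-stream "wininet"
2013-08-12T09:16:11Z 10.0.0.37 GET http://news.example/index.html 200 text/html "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
2013-08-12T09:17:55Z 10.0.0.52 GET http://cdn.example/a.jpg 200 application/x-msdownload "wininet"
"""
LINE_RE = re.compile(r'^\S+ (?P<client>\S+) \S+ (?P<url>\S+) \d{3} '
                     r'(?P<ctype>\S+) "(?P<ua>[^"]*)"$')
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}
BINARY_EXTS = (".exe", ".dll", ".scr")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def signals(rec):
    """Reasons a request resembles a payload fetch; [] if the agent differs."""
    if rec["ua"].strip().lower() != "wininet":
        return []
    parts = urlsplit(rec["url"])
    checks = [
        ("binary content type", rec["ctype"].lower() in BINARY_TYPES),
        ("executable extension", parts.path.lower().endswith(BINARY_EXTS)),
        ("bare IP destination", is_ip_literal(parts.hostname or "")),
    ]
    return ["default 'wininet' user-agent"] + [n for n, hit in checks if hit]

def triage(log_text, threshold=2):
    """Return (client, url, reasons) for lines with >= threshold signals."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        reasons = signals(m.groupdict()) if m else []
        if len(reasons) >= threshold:  # the agent alone is not enough
            hits.append((m["client"], m["url"], reasons))
    return hits

if __name__ == "__main__":
    for client, url, reasons in triage(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

The fourth sample line is flagged even though its URL ends in .jpg, because the response content type says executable; the first line, an XML manifest fetched with the same agent, is not.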