In the Fiddler session, while analysing the dynamic behaviour of the malicious executable, we can see a first call to the command-and-control point at mail.firewall-gateway.com, located in the United Kingdom. A quick investigation of the domain "firewall-gateway.com" shows that it is maintained by the German service provider Securepoint, which specialises in provisioning secure VPN endpoints and other network services.
In one of Securepoint's support forums, the announcement of the availability of a dynamic DNS service is still visible. The service appears to be available at this address. We believe this is an attempt to remain covert: it is not by chance that the perpetrators chose to reach their command-and-control point through a dynamic DNS service associated with a security company.
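As an added example (not part of the original analysis), the following Python flags proxied requests whose host falls under a watched dynamic-DNS zone, using a label-aligned suffix match so look-alike hosts do not trigger. The zone list and the Fiddler-style session lines are constructed for illustration; firewall-gateway.com is included only because the post identifies it as a dynamic-DNS service.

```python
import re
from collections import defaultdict

# Constructed: dynamic-DNS zones a defender chooses to watch. firewall-gateway.com
# is listed because the post identifies it as a dynamic-DNS service; the other is a placeholder.
DYN_DNS_ZONES = {"firewall-gateway.com", "example-dyndns.invalid"}

# Constructed Fiddler-style export lines: "<seq> <method> <url> <status>"
SAMPLE_SESSIONS = """\
1 GET http://mail.firewall-gateway.com/index.php?id=1 200
2 GET http://www.example.com/news.html 200
3 POST http://mail.firewall-gateway.com/upload 200
4 GET http://firewall-gateway.com.example.net/ 200
5 GET http://FIREWALL-GATEWAY.COM/ 200
"""

# Captures the HTTP method and the host part of the URL (stops at '/', ':' or whitespace).
_URL_HOST = re.compile(r"^\d+\s+(\S+)\s+https?://([^/:\s]+)")


def host_in_zone(host, zone):
    """True when host is the zone itself or a subdomain of it. The match is label-aligned,
    so 'firewall-gateway.com.example.net' does NOT match the zone 'firewall-gateway.com'."""
    host, zone = host.lower().rstrip("."), zone.lower()
    return host == zone or host.endswith("." + zone)


def flag_dyn_dns_hosts(session_text, zones=DYN_DNS_ZONES):
    """Return {host: [(seq, method), ...]} for every request whose host is under a watched zone."""
    hits = defaultdict(list)
    for line in session_text.splitlines():
        m = _URL_HOST.match(line)
        if not m:
            continue  # skip lines that are not request records
        method, host = m.group(1), m.group(2).lower()
        seq = int(line.split()[0])
        if any(host_in_zone(host, z) for z in zones):
            hits[host].append((seq, method))
    return dict(hits)


if __name__ == "__main__":
    for host, reqs in flag_dyn_dns_hosts(SAMPLE_SESSIONS).items():
        print(f"{host}: {len(reqs)} request(s) -> {reqs}")
```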
The detection rate of the binary is very low, as reported by Virustotal. A brief static analysis of the malicious binary showed a list of strings used to check for the presence of antivirus software on the impacted system.
The binary file has a low AV detection rate, as shown in this Virustotal report.
In this blog post we gave a brief example of what appears to be a watering-hole attack aimed at a specific crowd, in this case pro-Tibet users. We believe the complexity of such attacks is directly related to the security measures employed by the potential targets; in this case the attack isn't that complex, but it is probably just enough to fulfil its ultimate purpose.