U.S. Department of Labor website hacked and redirecting to malicious code
U.S. Department of Labor website hacked and redirecting to malicious code
During the last few hours we have identified that one the U.S. Department of Labor website has been hacked and it is serving malicious code.
Clarification:
The website affected is the The Department of Labor (DOL) Site Exposure Matrices (SEM) Website
“The Department of Labor (DOL) Site Exposure Matrices (SEM) Website is a repository of information gathered from a variety of sources regarding toxic substances present at Department of Energy (DOE) and Radiation Exposure Compensation Act (RECA) facilities covered under Part E of the Energy Employees Occupational Illness Compensation Program Act (EEOICPA)”
As you can see in the following UrlQuery report the website is including code from the malicious server dol[.]ns01[.]us:
Once you visit the website the following file is included:
www[.]sem[.]dol[.]gov/scripts/textsize.js that contains the following code:
The browser will then execute a script from the malicious server dol[.]ns01[.]us:8081/web/xss.php
http://labs.alienvault.com/labs/ ... p/?ip=96.44.136.115
The script will collect a lot of information from the system and then it will upload the information collected to the malicious server. Some of the functions to collect information are:
flashver(): This function will collect information about the Flash software running on the system, including versions and OS details
bitdefender2012check() and disabledbitdefender_2012(): The function will try to determine if BitDefender is running on the system checking for the injected code (netdefender/hui/ndhui.js) on the HTML of the webpage and it will try to deactivate the AV.
avastcheck(): It checks if Avast Antivirus is running on the system detecting the presence of the Chrome extension:
aviracheck(): It checks if Avira Antivirus is running on the system detecting the presence of the Chrome extension:
java(): It collects information about Java versions running on the system
officever(): It collects information about Microsoft Office versions installed on the system
plugin_pdf_ie(): It detects if Adobe Reader is installed in the system calling Acrobat Reader’s ActiveX object:
jstocreate(): It detects if the system is running one of the following Antivirus:
avira
bitdefender_2013
mcafee_enterprise
avg2012
eset_nod32
Dr.Web
Mse
sophos
f-secure2011
Kaspersky_2012
Kaspersky_2013
Once all the information has been collected it sends the data to the following URL using a POST request:
dol[.]ns01[.]us:8081/web/js[.]php
An example of the information collected is as follow:
Shockwave Flash 11.6.602,No Java or Disable or user uninstall it(if plugins have java)!,Avast!,Shockwave Flash(Name:NPSWF32_11_6_602_180.dll{Ver:11.6.602.180}),AVG SiteSafety plugin(Name:npsitesafety.dll{Ver:14.2.0.1}),MindSpark Toolbar Platform Plugin Stub(Name:NP4zStub.dll{Ver:1.0.1.1}),TelevisionFanatic Installer Plugin Stub(Name:NP64EISb.dll{Ver:1.0.0.1}),MinibarPlugin(Name:npMinibarPlugin.dll{Ver:1.0.0.1}),Photo Gallery(Name:NPWLPG.dll{Ver:16.4.3505.912}),Yahoo Application State Plugin(Name:npYState.dll{Ver:1.0.0.7}),Silverlight Plug-In(Name:npctrl.dll{Ver:5.1.10411.0}),Microsoft Office 2010(Name:NPSPWRAP.DLL{Ver:14.0.4761.1000}),Microsoft Office 2010(Name:NPAUTHZ.DLL{Ver:14.0.4730.1010}),Microsoft® Windows Media Player Firefox Plugin(Name:np-mswmp.dll{Ver:1.0.0.8}),PDF-XChange Viewer(Name:npPDFXCviewNPPlugin.dll{Ver:2.5.200.0})
Some of the techniques used in this attack are very similar to the ones we identified a few months ago in an attack against a Thailand NGO website:
Thailand NGO site hacked and serving malware
After sending the information about the system the following request is also made:
dol[.]ns01[.]us:8081/update/index.php
After analyzing that file we found the following function:
If we decode the eval string we find:
After a quick analysis it seems the malicious server is exploiting CVE-2012-4792 that was fixed earlier this year. We are still verifying this information and we will give you more details when we confirm the vulnerability exploited is CVE-2012-4792.
Once the vulnerability is exploited the system will download the payload from dol[.]ns01[.]us:8081/update/bookmark.png:
After fixing the PE header we obtained the following PE file:
https://www.virustotal.com/en/fi ... b30c777fb/analysis/
It has a detection rate of 2 / 46 at the time of writing this blog post.
Once the payload is executed:
- The malware will create a copy of itself in Documents and Settings\[CURRENT_USER]\Application Data\conime.exe
- It will create a registry key pointing to conime.exe on HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run conime to maintain persistence
- It will connect to a C&C on microsoftUpdate.ns1.name currently pointing to a Google DNS server 8.8.8.8.
An available on malwr.com shows that that the DNS name was previously pointing to:
173.254.229.176
https://malwr.com/analysis/YzUyM ... DE5MWE1MDY4Y2I1MGM/
An analysis of the malware shows the payload is using the following GET requests to communicate with the C&C server:
/Photos/Query.cgi?loginid=[RANDOM_NUMBER]
The C&C protocol matches with a backdoor used by a known chinese actor called DeepPanda and described by CrowdStrike in the following analysis:
http://www.crowdstrike.com/sites ... ort_DeepPanda_0.pdf
We are still investigating this attack and we will update the blog post if we obtain more information about it.
Happy hunting!
官方 