Beginning in early May, Cisco TRAC has observed a number of malicious redirects that appear to be part of a watering-hole style attack targeting the Energy & Oil sector. The structure consists of several compromised domains, of which some play the role of redirector and others the role of malware host.
Observed watering-hole style domains containing the malicious iframe have included:
- An oil and gas exploration firm with operations in Africa, Morocco, and Brazil;
- A company that owns multiple hydro electric plants throughout the Czech Republic and Bulgaria;
- A natural gas power station in the UK;
- A gas distributor located in France;
- An industrial supplier to the energy, nuclear and aerospace industries;
- Various investment and capital firms that specialize in the energy sector.
Encounters with the iframe-injected web pages resulted from either direct browsing to the compromised sites or via seemingly legitimate and innocuous searches. This is consistent with the premise of a watering-hole style attack that deliberately compromises websites likely to draw the intended targets, versus spear phishing or other means to entice the intended targets through illicit means.
Interestingly, six of the ten iframe-injected websites were hosted on the same server, apparently services by the same web design firm. Three of these six were also owned by the same parent company. This is likely an indication the sites were compromised via stolen login credentials, possibly a result of infection with the design firm or their hosting provider.
Various pages on the compromised companies’ websites were injected with a malicious iframe, two examples of which follow:
Example one:
Example two:
As can be observed in the Top 5 Vertical Encounters chart, the largest percent of visitors were expectedly from the financial and energy sectors – an audience concentration that is also consistent with the nature of watering-hole style attacks.
The iframes surreptitiously load exploit code and malware from one of three malicious domains which themselves appear to be the victim of compromise. The malware is hosted on individual compromised pages on:
- keeleux.com
- kenzhebek.com
- nahoonservices.com
In order to deliver the malware, the attacks attempt to exploit the following vulnerabilities:
- CVE-2012-1723: Oracle Java SE 7 update 4 and earlier via unspecified vulnerabilities related to Hotspot.
- CVE-2013-1347: Microsoft Internet Explorer 8 improper object handling in memory.
- CVE-2013-1690: Firefox / Thunderbird onreadystatechange events handing errors in page reloading.
The following screenshot illustrates the shellcode resulting from successful exploit of the Firefox vulnerability described in CVE-2013-1690:
Over the course of the compromises, the attacker has made several modifications to the injected iframes, exploit code, and the resulting malware binary.
Following are the files used to deliver the malware:
info3i.html
4ec0174a629e1e30186017bcae7e00a1
2ce760182e3d05c14d22fef819e7f22c
6bd0fcd6882744d5fdabb5e4eab7cbca
502faa43234805b84e8f2ec646cfd7d6
9ac2694a4b7ec659b100c3ac5be1b146
a51115c8619158e1953dcb98681d4469
info3i.php
5dfcc61e78b225d54b65f0e4dd46617e
7f13dfa3e69b03d23d81c0daea46b337
7029066c27ac6f5ef18d660d5741979a
d41d8cd98f00b204e9800998ecf8427e
inden2i.html
c1a00ba81f294e59147facb4d01dd750
0e89976388bf3e48d9941031575d1c0c
d41d8cd98f00b204e9800998ecf8427e
eb1a0aace5262a18dfc6e1752365a676
sort.html
61c1435621ced5b2900abe223d4cb5e7
838e6ff1ba576e6a9c972fc91d6f9bf7
leks.html
82fb1f611c8cfd24323cf777f2a09464
f55a898ef3b9267655bb48669dd03da3
negc.html CVE-2013-1347
843777601d23741d24248eda9b39c11a
ee6409deb87cabb1d573b9e1367bd0df
2e27a5d1a4f4cf5729d23303a56daa70
b7046aaa75959989d05050f74b8428dd
negq.html CVE-2013-1347
ef7a1c3773de0082a0eae027ad325582
leks.jar CVE-2012-1723
77ca7a5244e7d33fe620b8e8bb70a70d
start.jar CVE-2012-1723
6e8940887c3b0233858afcb58d0e9911
6f50b55b9f08522e35f871a9654c5a84
stoq.jar CVE-2012-1723
dce829dbaa39c88c5c907b58b631b4c7
0e69a83ab280555fbfbec1000b182a27
4eefcd69de510a82c781510da7cc6336
erno_rfq.html CVE-2013-1690
efc55c9143c678bb88f91a6b52632c70
Protecting users against these attacks involves keeping machines and web browsers fully patched to minimize the number of vulnerabilities that an attacker can exploit. Administrators can ensure that compromised websites hosting malicious content are kept away from end users by filtering web traffic at the network level with Cisco Web Security Solutions. These solutions detect the malicious content and block it before it can reach visitors’ machines.
Martin Lee, Gregg Conklin, and Mary Landesman contributed to this post.
FYI, the hash 7029066c27ac6f5ef18d660d5741979a, appears to be a NSRL known good. Thought you would like to know. Thanks!