A new watering hole attack has been reported, this one targeting two government-related websites based in Israel that have been injected with malware exploiting a six-month-old vulnerability in Internet Explorer.
The two sites, ict[.]org[.]il and herzliyaconference[.]org, are related to Israel’s first private higher education institution known as Interdisciplinary Center (IDC) Herzliya. The ict[.]org[.]il site is an academic institute for counter-terrorism studies, while the other is the portal page for the annual Herzliya Conference, an event hosted by the IDC where national policy issues are discussed by national leaders, including the Israeli president and prime minister.
As with other recent watering hole attacks, high-profile government officials and policy makers appear to be the target. Attackers favoring this technique will inject a website with malware frequented by targets with similar interests hoping to infect their machines and redirect them to a third-party site under the attacker’s control where personal information is then captured or additional malware is installed on the victim’s computer.
Security company Websense reports the websites are still serving malware and have been since Jan. 23, though the malware on the conference site is not functional, Websense said.
“The malicious code found on the websites is identical and was identified as CVE-2012-4969, an Internet Explorer vulnerability that was verified as a zero-day at the time and was found to be exploited in the wild in September 2012,” Websense said in a blogpost.
CVE-2012-4962 was used in watering hole attacks against Capstone Turbine Corp., a manufacturer of microturbine energy products. The use-after-free vulnerability being exploited affected IE 6-8 and was able to bypass DEP and ASLR, mitigations in Windows against memory-based attacks. Microsoft issued an out-of-band patch for the flaw on Jan. 14.
Websense said the attack against IDC leverages a malicious Flash file to launch a heap spray attack to enable remote code execution. The words heap spray are misspelled in the Flash file, similarly to a malicious file used in a watering hole attack against the U.S. Council on Foreign Relations website, a trait Symantec connected to the Elderwood Project it said was behind the Aurora attacks on Google, Adobe and other technology and manufacturing companies in 2009.
“We’re not completely convinced by this theory,” Websense said. “This may indeed suggest a connection to the Elderwood Project, but may instead suggest the use of the same toolkit by different perpetrators.”
Websense researchers also discovered a technique unique to this attack wherein the dropped malware is XOR encrypted. Once the exploit is successfully launched, it searches for a marker in memory called KKONG. When found, the malware is decrypted and executes a persistent backdoor, a technique that helps bypass sandbox protection, Websense said.
“The backdoor service is actually installed under a registry key called ‘RAT’, which is not very discreet, to say the least, and the backdoor connects to a C2 that is recognized by our service as suspicious,” Websense said, adding that it points to a Web host oicp.net located in China, which hosts other sites involved in targeted attacks in the past. One of the hosts, Websense said, points to an ISP in Fremont, Calif., called Hurricane Electric.
“In the purest sense, you’ll see very subtle and graceful attempts to compromise sites that have virtually nothing to do with one another in terms of content, but at a higher geo-political level such as with the high tech or defense industrial base, there is a commonality,” RSA Security’s FirstWatch Advanced Research Intelligence team senior manager Will Gragido told Threatpost. “They’ll look for vulnerabilities on the site, post a redirection tag and catch some targets of opportunity affiliated with a target of interest; by doing that, they can go upstream to compromise the target of interest.”