The United States Department of Labor website is the latest high-profile government site to fall victim to a watering hole attack. Researchers at a number of security companies reported today that the site was hosting malware and redirecting visitors to a site hosting the Poison Ivy remote access Trojan.
The malware has since been removed and law enforcement is investigating.
“This profile fits the enterprise user machine profile typical of large enterprise and government agencies,” said Invincea founder and CEO Anup Ghosh.
The DoL’s Site Exposure Matrices (SEM) site is a repository of data on toxic substances present at facilities run by the Department of Energy.
The malware drops an executable called conime[.]exe onto the infected computer and opens outbound connections on ports 443 and 53, Invincea said. Invincea also found two redirects on the DoL page that sent visitors to dol[.]ns01[.]us; once a visitor is redirected, a file is executed, the ports are opened and registry changes are made so that the malware persists on the machine. Ghosh said that one of the command and control servers had already been blacklisted by Google.
AlienVault Labs manager Jaime Blasco said the attacker also collects some system information, including whether a number of antivirus programs, Flash, Java and Microsoft Office are running, and sends that data to the remote server. Blasco added that the command and control protocol used in the attack matches that of a Chinese espionage group known as Deep Panda, and that other characteristics of the attack match those used against the website of a Thai human rights nongovernmental organization.
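The indicators in the two paragraphs above (the dol[.]ns01[.]us redirect, the dropped conime.exe and the outbound connections on ports 443 and 53) are enough to build a simple hunt over proxy and endpoint logs. The Python below is an added example, not Invincea's or AlienVault's code; the log line formats, the sample lines, the allowlist of processes expected to use those ports and the IP-to-hostname mapping are all constructed for illustration. It reports every single-indicator hit and then correlates them per host, because a machine that shows the redirect, the dropper and the beaconing together is a far stronger signal than any one match.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article (the hostname is defanged there as dol[.]ns01[.]us).
REDIRECT_HOST = "dol.ns01.us"
DROPPED_BINARY = "conime.exe"
SUSPECT_PORTS = {443, 53}

# Assumption for this example: processes that are expected to talk out on 443/53.
# Any other image reaching those ports is worth an analyst's attention.
EXPECTED_NET_IMAGES = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\windows\system32\svchost.exe",
}

# Assumption: proxy logs carry client IPs, endpoint logs carry hostnames;
# this constructed asset map joins the two so findings can be correlated.
ASSET_MAP = {"10.1.2.31": "WS-17"}

# Constructed log formats for this example; real proxy and Sysmon fields differ.
PROXY_RE = re.compile(r"^PROXY client=(?P<client>\S+) url=(?P<url>\S+) referer=(?P<referer>\S+)$")
PROC_RE = re.compile(r"^PROC host=(?P<host>\S+) image=(?P<image>.+?) parent=(?P<parent>.+)$")
NET_RE = re.compile(r"^NET host=(?P<host>\S+) image=(?P<image>.+?) dst=(?P<dst>\S+) port=(?P<port>\d+)$")
URL_HOST_RE = re.compile(r"^https?://([^/:]+)")


@dataclass(frozen=True)
class Finding:
    kind: str      # "redirect", "dropper" or "c2_port"
    subject: str   # hostname of the affected machine
    detail: str
    line: str


def _url_host(url: str) -> str:
    m = URL_HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def hunt(lines):
    """Return one Finding per log line that matches one of the indicators."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if (m := PROXY_RE.match(line)):
            host = _url_host(m["url"])
            # Exact host or any label beneath it (e.g. a throwaway subdomain).
            if host == REDIRECT_HOST or host.endswith("." + REDIRECT_HOST):
                subject = ASSET_MAP.get(m["client"], m["client"])
                findings.append(Finding("redirect", subject,
                                        f"request to {host} referred by {m['referer']}", line))
        elif (m := PROC_RE.match(line)):
            image = m["image"].lower()
            # Flag every process named conime.exe; the full path is reported for triage.
            if image.rsplit("\\", 1)[-1] == DROPPED_BINARY:
                findings.append(Finding("dropper", m["host"],
                                        f"{image} started by {m['parent']}", line))
        elif (m := NET_RE.match(line)):
            image = m["image"].lower()
            port = int(m["port"])
            if port in SUSPECT_PORTS and image not in EXPECTED_NET_IMAGES:
                findings.append(Finding("c2_port", m["host"],
                                        f"{image} -> {m['dst']}:{port}", line))
    return findings


def correlate(findings):
    """Map each host to the set of indicator kinds seen on it, keeping only
    hosts with two or more kinds: the combination is the strong signal."""
    by_subject = {}
    for f in findings:
        by_subject.setdefault(f.subject, set()).add(f.kind)
    return {s: kinds for s, kinds in by_subject.items() if len(kinds) >= 2}


# Constructed sample lines (not real DoL logs; the dol.gov path is made up).
# 10.1.2.30 is a normal visitor; 10.1.2.31 / WS-17 shows the full chain.
SAMPLE_LOG = r"""
PROXY client=10.1.2.30 url=https://www.dol.gov/sem referer=-
PROXY client=10.1.2.31 url=https://www.dol.gov/sem referer=-
PROXY client=10.1.2.31 url=http://dol.ns01.us/ referer=https://www.dol.gov/sem
PROC host=WS-17 image=C:\Users\jdoe\AppData\Local\Temp\conime.exe parent=C:\Program Files\Internet Explorer\iexplore.exe
NET host=WS-17 image=C:\Users\jdoe\AppData\Local\Temp\conime.exe dst=203.0.113.10 port=443
NET host=WS-17 image=C:\Users\jdoe\AppData\Local\Temp\conime.exe dst=203.0.113.10 port=53
NET host=WS-17 image=C:\Program Files\Internet Explorer\iexplore.exe dst=198.51.100.5 port=443
NET host=WS-17 image=C:\Windows\System32\svchost.exe dst=10.0.0.53 port=53
"""

if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"[{f.kind}] {f.subject}: {f.detail}")
    for host, kinds in correlate(hits).items():
        print(f"ESCALATE {host}: {sorted(kinds)}")
```

Against the sample, the two ordinary dol.gov requests, the browser's own 443 connection and svchost's DNS lookup are ignored, while WS-17 collects all three indicator kinds and is escalated. In a real environment the allowlist and asset map come from the CMDB and proxy configuration, not from constants.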
In this case, it’s likely the targets were Department of Labor employees and other federal employees tied to the DoL and Department of Energy.
“It is important to note that most websites are vulnerable to exploit. As a result, exploiting legitimate websites has become a common vector for penetrating enterprise networks and individual machines,” Ghosh said. “The Department of Labor is no exception.”