In what has become a familiar scenario over the last couple of years, attackers have compromised a key Tibetan web site and loaded it with code that redirects some users to a third-party site that installs an APT-style backdoor.

The attack has hit the Web site of the Central Tibetan Administration, a site belonging to the Dalai Lama’s government-in-exile, and when Chinese-speaking users visit the site, they are hit with the code contained in an iframe that redirects them to another site. There, the visitors are then exposed to an exploit that attempts to compromise their machines using a Java vulnerability from 2012. The attack does not affect English-speaking or Tibetan visitors.

“The attack itself is precisely targeted, as an appended, embedded iframe redirects “xizang-zhiye(dot)org” visitors (this is the CN-translated version of the site) to a java exploit that maintains a backdoor payload. The english and Tibetan versions of the website do not maintain this embedded iframe on the Chinese version,” Kurt Baumgartner, a security researcher at Kaspersky Lab, wrote in an analysis of the attack.

“At this point in time, it seems that the few systems attacked with this code are located in China and the US, although there could be more. The Java exploit being delivered is the 212kb “YPVo.jar” (edd8b301eeb083e9fdf0ae3a9bdb3cd6), which archives, drops and executes the backdoor as well. That file is a 397 kb win32 executable “aMCBlHPl.exe” (a6d7edc77e745a91b1fc6be985994c6a) detected as “Trojan.Win32.Swisyn.cyxf”. Backdoors detected with the Swisyn verdict are frequently a part of APT related toolchains, and this one most certainly is.”

The same attacker behind this watering hole attack is also responsible for a similar one last year. In that one, the attacker was using a Java vulnerability as well, to distribute zero-day exploits, Baumgartner said. One of the things that the Java exploit in this new attack does is disable the policy checks of Java and running the Payload.main method.

“The Payload.main method contains some interesting but simple capabilities that enable an attacker to download the payload over https and AES decrypt it using Java’s built-in AES crypto libraries, but the package is not configured to use that code in this case. Instead, a couple of lines in its configuration file direct the exploit to drop and execute the jar file’s win32 exe resource. The backdoor itself is detected by most of the AV crowd as variants of gaming password stealers, which is flatly incorrect. The related C2 is located at,” Baumgartner said.

The attack on the Central Tibetan Administration is the latest in a string of such attacks against Tibetan sites since at least 2011.  In April, attackers used stolen digital certificates to sign malware that was being installed as part of another watering hole attack, that time on the Tibetan Homes Foundation site. Earlier that month there was another attack that used a compromised Twitter account to sent malicious tweets to Tibetan activists.

Image from Flickr photos of Goran Hoglund.

Categories: Malware, Microsoft