Lady Boyle seems to have an admirer.
Malware named after a character in the Dishonored video game continues to pop up in targeted attacks against a number of high profile military and socially motivated websites. The latest surfaced about 10 days ago in an attack researchers at FireEye are calling the Sunshop Campaign.
Sunshop targeted a number of Korean military and political strategy websites, as well as a Uyghur forum among others with a pair of Java exploits and the recently patched IE 8 vulnerability recently used against the U.S. Department of Labor and a number of other sites. The exploits were redirecting vulnerable visitors to sunshop[.]com[.]tw where a host of malware awaits including Lady Boyle, which has been deployed in other attacks against the Uyghur, in particular, and in the Winnti attacks.
“A number of different Chinese-based espionage threat attackers use that malware, so it’s hard to use that indicator alone as a tie to one particular threat actor,” said Ned Moran, a researcher at FireEye. “At least 5 different groups are using that malware. It’s a popular tool used by intrusion actors.
“Based on the sites compromised, there was a clear focus on Korean security and defense related issues,” Moran said. “The attackers are looking for data around the Korean defense posture.”
The group behind Sunshop was also behind a 2010 attack on the Nobel Prize website that took advantage of a zero-day in Firefox, FireEye said.
These attacks can be considered watering hole attacks since all the sites are popular with influential targets and have JavaScript exploits that redirect victims to espionage-type malware.
“These sites are well trafficked and the attackers have a strong sense of the audiences of these sites,” Moran said. “They compromise the sites and wait for traffic to come to them.”
The Lady Boyle malware, which is a remote access Trojan, is being served from three different command and control servers in the Sunshop attacks. IE8 users who land on the compromised site are hit with an exploit for CVE-2013-1347 pulled in from hk[.]sz181[.]com connected to a C&C server at dns[.]homesvr[.]tk. The two Java exploits, meanwhile, exploit CVE-2013-2423 and CVE-2013-1493, both of which have been patched. All of the command and control servers, FireEye said, resolved to 58[.]64[.]205[.]53, used by another domain used to drop Briba malware, also known as the IExplore RAT targeting NGOs.
“This is a traditional RAT type of malware that provides access to a machine, runs commands, downloads victim data or uploads new executables to the victim, or runs shell commands,” Moran said. “In our experience, we have not seen it used outside this small set of intrusion actors; it’s not commercially available. Whenever we see it, it tends to show up in these types of attacks, strategic espionage attacks.”
FireEye researchers also discovered a connection between the Sunshop[.]com[.]tw host and the PoisonIvy RAT used in a number of other targeted attacks.
“That was the first time [Sunshop] was used as an exploit server; it’s been in play for a few months,” Moran said.