Attackers have compromised the website of a prominent Israel-based, Middle East foreign policy-focused think tank, the Jerusalem Center for Public Affairs (JCPA). On Friday, researchers from Cyphort reported that the site was serving the Sweet Orange exploit kit via drive-by download. At the time of publication, it appeared the JCPA site was still serving drive-by downloads.
The Cyphort analysis indicates that the attack on JCPA is part of a broader malware campaign. The common thread between the attacks is an initial redirection server. Following the initial redirect, Cyphort notes users are being redirected through a chain of seemingly innocuous domains belonging largely to music industry and law firms. Ultimately, users are led to a an exploit server located in Russia.
While the campaign certainly looks like a watering hole, advanced persistent threat-style attack, Cyphort’s research indicates that the threat is ultimately designed to pilfer banking credentials.
“This is a sinkhole that is connected to many such varying domain names,” explains McEnroe Navaraj of Cyphort. “All of these names have some string of ‘cdn’ in them. Once the bad actors get access to an account/server they can just create a correspondingĀ ‘cdn’ domain entry under that domain and use it to point to the target exploit server.”
Navaraj continues that this method allows the attackers to bypass certain URL categorization and blacklisting technologies.
Threatpost attempted to reach out to the JCPA, but attempts to access their website and contact information failed as the site unsuccessfully tried to infect our machines with malware.
The initial trojan dropper in the JCPA website is a version of the QBot malware.
The JCPA homepage is infected with a malicious jquery javascript file. The jquery.js file receives an exploit kit server URL from another domain, “cdn[dot]jameswoodwardmusic[dot]com.” In the end, exploits are served from “cdn3[dot]thecritico[dot]com:16122/clickheat/stargalaxy.php?nebua=3.”
Ultimately, the user is attacked through a series of Java and Internet Explorer exploits.
“The final dropper is downloaded in encrypted form and decrypted in-memory (key: investor) and written to disk,” NAvaraj writes. “This exploit kit served two (Qbot) binaries with same hash (MD5: 4ff506fe8b390478524477503a76f91a). Encrypted binary transfer is done to hide it from signature-based network security devices such as IPS or AV gateways.”
The variant of malware that is eventually pushed onto user machines has anti-virtual machine and anti-antivirus detection modules built in. It is known to steal machine operating system install dates, names, and product IDs from its victims. Oddly, the malware contains a link to a Wheat Thins advertisement, suggesting that the attackers may be deploying a bit of click-fraud to make some extra money.
The malware also attempts to block users from visiting the sites of certain anti-virus companies and steals credentials from a long list prominent banks, including PNC, Zions Bank, Sovereign Bank, SunTrust, Bank of America, J.P. Morgan, Wells Fargo, Citi Bank, Wachovia, TD Bank and many more.
Image “Katamon PC280015” by Deror avi – Own work. Licensed under Creative Commons Attribution