Nepalese Government Sites Hacked, Serving Zegost Malware

Researchers have uncovered another in an ongoing series of targeted attacks against government agencies and activists, this time an attack that compromised a pair of Nepalese government web sites with code that exploits a Java vulnerability to install a backdoor on visitors’ machines. 

The attackers went after two sites belonging to government agencies in Nepal, the National Information Technology Center and the Office of the Prime Minister and Council of Ministers, and injected malicious code designed to exploit the Java vulnerability CVE-2012-0507, which was disclosed earlier this year. If the exploit succeeds, a backdoor called Zegost is installed on the victim’s machine, according to an analysis of the attack by researchers at Websense.

Interestingly, the binary installed on infected machines as part of the attack is signed by a valid certificate issued by VeriSign.

That same Java vulnerability was used in attacks earlier this year on Amnesty International and the Institute for National Security Studies in Israel, Websense said. All three of those attacks used code that was taken from a Metasploit module for the Java flaw and researchers said that the backdoors used in the Nepalese and Amnesty attacks connected back to command-and-control servers on the same domain in China.

The infection sequence for this attack follows the same script used in similar operations: compromise a high-value site, inject malicious code to exploit a common vulnerability, install a backdoor and wait for the returns.

“The main page was injected with a Java JAR file loader which once rendered by the Web browser is executed and attempts to exploit the CVE-2012-0507 vulnerability. The name used for the Java class name (“msf.x.Exploit.class”) and the content of the file confirmed that the code was taken from the Metasploit framework. If the exploit code in the JAR file has been successfully executed, the exploit shellcode downloads and runs the executable file named “tools.exe” on the impacted system (MD5: 3c7b7124f84cc4d29aa067eca6110e2f),” Gianluca Giuliani of Websense said in an analysis of the attack.
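
The two indicators the analysis quotes, the Metasploit class name inside the injected JAR and the MD5 of the dropped tools.exe, can be checked offline against artifacts pulled from a compromised page. The script below is an added example written for this article, not code from Websense or from the attack; the JAR files it inspects are constructed stand-ins (a class-file magic number plus padding), not the real loader, and the helper names are the example's own.

```python
"""Added example: static IOC checks for the Nepal/Zegost infection chain.

Two checks a responder can run offline on artifacts pulled from a
compromised page: (1) does a JAR carry classes under Metasploit's msf/
package, as the quoted analysis observed; (2) does a dropped binary match
the published MD5 of tools.exe.  The JARs below are constructed stand-ins,
not the real attack file.
"""
import hashlib
import io
import zipfile

# Indicators quoted in the Websense analysis.
MSF_CLASS_ENTRY = "msf/x/Exploit.class"   # JAR path form of "msf.x.Exploit.class"
TOOLS_EXE_MD5 = "3c7b7124f84cc4d29aa067eca6110e2f"


def jar_msf_indicators(jar_bytes):
    """Return JAR entries that point at Metasploit-generated code.

    Metasploit's Java exploit classes are built under its msf/ package (the
    analysis quoted msf.x.Exploit.class), and a legitimate applet has no
    reason to ship classes there, so everything under msf/ is reported,
    not just the one class name the analysis named.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name == MSF_CLASS_ENTRY or name.startswith("msf/"):
                hits.append(name)
    return hits


def md5_hex(data):
    """Hex MD5 of a byte string (MD5 only because that is the hash published)."""
    return hashlib.md5(data).hexdigest()


def matches_tools_exe(file_bytes):
    """True if the file is the tools.exe sample named in the analysis."""
    return md5_hex(file_bytes) == TOOLS_EXE_MD5


def build_sample_jar(entries):
    """Build an in-memory JAR from {path: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for path, data in entries.items():
            jar.writestr(path, data)
    return buf.getvalue()


# Constructed samples (not real class files): the 4-byte class magic plus padding.
FAKE_CLASS = b"\xca\xfe\xba\xbe" + b"\x00" * 16
SUSPECT_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "msf/x/Exploit.class": FAKE_CLASS,
})
BENIGN_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/Applet.class": FAKE_CLASS,
})

if __name__ == "__main__":
    print("suspect:", jar_msf_indicators(SUSPECT_JAR))
    print("benign: ", jar_msf_indicators(BENIGN_JAR))
    print("tools.exe match:", matches_tools_exe(FAKE_CLASS))
```

The class-name check is a fingerprint of unmodified Metasploit output; an attacker who renames the package defeats it, so treat a hit as high-confidence and a miss as meaningless. The hash check is likewise only useful for this exact sample.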

Zegost is a known remote-administration tool that’s been used in other targeted attacks, specifically in Asia. Once on an infected machine, the backdoor used in the attack on the Nepalese sites initiates an outbound connection to a C&C server hosted on a domain in China at “who.xhhow4.com”. That same domain was used in the earlier attack on Amnesty International’s U.K. site, Giuliani said. The traffic is sent over TCP port 53, which typically is used for DNS, but in this case is used for C&C communications using a custom protocol.
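
Because the backdoor uses TCP port 53 without speaking DNS, a network-side check that asks whether a port-53 payload is a well-formed DNS message will separate it from real resolver traffic. The parser below is an added example for this article, not Websense's tooling and not a capture of Zegost's protocol; the C&C and truncated payloads it tests are constructed byte strings chosen to exercise specific checks.

```python
"""Added example: flag TCP port 53 traffic that is not actually DNS.

The Zegost sample talks to its C&C over TCP/53 with a custom protocol, so
a parser that checks whether a port-53 payload is a well-formed DNS message
is a cheap network-side detector.  Sample payloads are constructed here;
they are not captures of the real C&C protocol.
"""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
VALID_QCLASSES = {1, 3, 4, 254, 255}   # IN, CH, HS, NONE, ANY


def parse_dns_name(msg, offset):
    """Walk a DNS name's labels; return (name, offset after name) or raise ValueError."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:            # compression pointer ends the name
            if offset >= len(msg):
                raise ValueError("truncated pointer")
            labels.append("<ptr>")
            offset += 1
            break
        if length > 63 or offset + length > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset


def looks_like_dns(tcp_payload):
    """Return (True, reason) if the payload is a plausible DNS-over-TCP message.

    DNS over TCP carries a 2-byte length prefix before the 12-byte header
    (RFC 1035 section 4.2.2).  The checks are structural only: they say
    nothing about whether the query is benign, only whether the bytes are
    DNS at all.
    """
    if len(tcp_payload) < 2 + DNS_HEADER.size:
        return False, "shorter than length prefix plus DNS header"
    (declared,) = struct.unpack("!H", tcp_payload[:2])
    msg = tcp_payload[2:]
    if declared != len(msg):
        return False, "TCP length prefix does not match payload"
    _ident, flags, qd, an, ns, ar = DNS_HEADER.unpack(msg[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 6:                       # IANA assigns opcodes 0-6 only
        return False, f"unassigned opcode {opcode}"
    if flags & 0x0040:                   # reserved Z bit must be zero
        return False, "reserved Z bit set"
    if qd == 0:
        return False, "no question section"
    # A question needs at least 5 bytes (root name + type + class), an RR at least 11.
    if 12 + 5 * qd + 11 * (an + ns + ar) > len(msg):
        return False, "section counts exceed message length"
    offset = 12
    for _ in range(qd):
        try:
            _name, offset = parse_dns_name(msg, offset)
        except ValueError as err:
            return False, f"question name: {err}"
        if offset + 4 > len(msg):
            return False, "truncated question"
        _qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        if qclass not in VALID_QCLASSES:
            return False, f"unknown qclass {qclass}"
    return True, "parses as DNS"


def build_query(name, qtype=1, ident=0x1234):
    """Build a DNS-over-TCP query (length prefix + header + one question)."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.split(".")) + b"\x00"
    msg = DNS_HEADER.pack(ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


# Constructed non-DNS payload standing in for a custom C&C message on port 53.
CONSTRUCTED_C2 = struct.pack("!H", 24) + b"CMD:keylog:" + b"\x00" * 13
# Constructed payload whose header claims one question but has no room for it.
TRUNCATED = struct.pack("!H", 14) + DNS_HEADER.pack(1, 0, 1, 0, 0, 0) + b"\x7fA"

if __name__ == "__main__":
    for label, payload in [("query", build_query("example.com")),
                           ("c2", CONSTRUCTED_C2), ("truncated", TRUNCATED)]:
        print(label, looks_like_dns(payload))
```

Run this over the first segment of each TCP/53 flow rather than every packet: once a flow fails the parse, every later byte of it is worth logging with the peer address, which is exactly what tied the Nepalese and Amnesty samples to the same domain.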

Zegost has the ability to log keystrokes, steal data and then send it off to the remote C&C server, the typical behavior that one would expect from a RAT.

“The backdoor also uses common features like other common backdoors, such as keylogging, and supports the ability to accept and run commands remotely. As in other cases, we can see that this backdoor isn’t highly complex at all, but it’s certainly no less effective than other complex malware once executed on the target systems. Another interesting aspect of this backdoor file is that it’s signed with a valid certificate (that appears to have been revoked) issued to 360.cn (a Chinese ISP) by VeriSign,” Giuliani said.

The last couple of years have seen a steady stream of attacks against government agencies in countries such as Nepal and Tibet, as well as targeted attacks against activists in Syria, Iran and elsewhere. A common theme has been the use of RATs that have the ability to steal data and send it to remote servers. Defending against these attacks can be difficult for individual users, especially when they’re delivered through malicious code that’s hidden on supposedly trusted sites.
