USAID Workers Also Targeted by DoL Watering Hole Attackers

A Cambodian website compromised by the same group involved in the Department of Labor watering hole attack is serving malware and targeting employees of USAID.

One of the nine sites serving malware tied to the recent watering hole attack on the U.S. Department of Labor was located in Cambodia and has ties to the United States Agency for International Development (USAID).

Speculation has it that the DoL attack was targeting downstream employees at the Department of Energy who work on nuclear weapons programs. This site, meanwhile, was apparently after employees of USAID, which is a federal organizations that funnels assistance to impoverished or oppressed nations.

Researcher Eric Romang found a connection to University Research Co. of Cambodia, a USAID partner in that country, and the dol[.]ns01[.]us backend serving malware to visitors of the DoL’s Site Matrices Exposures website. The sites were compromised and serving javascript that redirects victims using Internet Explorer 8 to sites where additional malware, such as the Poison Ivy remote access Trojan, is downloaded and backdoor connections are established. The IE 8 zero day vulnerability, CVE-2013-1347, is expected to be patched tomorrow by Microsoft, which released a Fix It temporary mitigation last Thursday.

The DoL’s Site Matrices Exposures site is a repository of data on toxic substances present at nuclear facilities run by the Department of Energy. The infected Cambodian site is a page belonging to the Better Health Services project, a USAID-funded initiative to strengthen health care services in Cambodia. Researchers at Invicea and AlienVault also said that European aerospace, defense and security companies were also compromised, but none have been identified.

The attacks targeting USAID used social media accounts on Twitter and Facebook to entice victims to click on shortened URLs leading them to the University Research Co. website, Romang said.

Romang found a connection referrer to the website on the backend server used in the attack. He discovered a Twitter account created on March 18 from @natividad_usaid that was providing links to the infected site; the Twitter account was deleted on April 10.

“Some Twitter users were directly contacted in order to incite them to click to the link and most of these users were related to USAID,” Romang said.

Even the link listed in the Twitter account’s profile description contained a malicious shortened url leading users to a file hosted on a Dropbox account that Romang said is a direct link to the Poison Ivy malware.

The file establishes a connection to a command and control server microsoftUpdate[.]ns1[.]name and drops an executable called conime[.]exe which opens remote connections on ports 443 and 53, according to Invicea, and registry changes are made to maintain persistence on infected machines.

A second connection referrer was found, Romang said, this one to a phony Facebook profile for a supposed USAID employee Kelly Black, a University of Virginia graduate living in D.C. The account included a profile picture of two young blonde women and was created and deleted on March 24, Romang said. The account was busy, however, finding 41 friends—most with ties to USAID—and each post contained a link to the University Research Co. and messages about a Mekong water sanitation project. One curious Facebook friend of Kelly Black’s wanted to know which woman she was in the picture, which turns out was of a couple of supporters of the Swedish national soccer team taken during the 2012 European championships in Poland, Romang said.

Microsoft urges IE 8, at a minimum, to apply the Fix It for the zero day until a patch is released. The vulnerability is a remote-code execution use-after free flaw, which happens because of how the browser handles objects after they’ve been deleted.

From the initial analysis of the javascript on the DoL site, it collects system information checking for a number of antimalware programs, as well as third-party software such as Flash and Java, likely in order to launch further exploits. Blasco added that the command and control protocol used in the attack matches that of a Chinese espionage gang known as DeepPanda; other characteristics of this attack match those used against a Thai human rights nongovernment organization website.

The Poison Ivy RAT, meanwhile, is a backdoor that an attacker can use to remotely access compromised machines and add or delete files, edit Registry files, view or kill running processes, network connections and services, and add or delete applications. It can be used for espionage as well as some variants have the capability to start remote command shells, take screenshots, start audio or video recordings and drop keylogging software.

Photo: Ryan Rodrick Beiler /

Suggested articles