One of the nine sites serving malware tied to the recent watering hole attack on the U.S. Department of Labor was located in Cambodia and has ties to the United States Agency for International Development (USAID).
Speculation has it that the DoL attack was targeting downstream employees at the Department of Energy who work on nuclear weapons programs. This site, meanwhile, was apparently after employees of USAID, a federal organization that funnels assistance to impoverished or oppressed nations.
The DoL’s Site Matrices Exposures site is a repository of data on toxic substances present at nuclear facilities run by the Department of Energy. The infected Cambodian site is a page belonging to the Better Health Services project, a USAID-funded initiative to strengthen health care services in Cambodia. Researchers at Invincea and AlienVault also said that European aerospace, defense and security companies were compromised, but none have been identified.
The attacks targeting USAID used social media accounts on Twitter and Facebook to entice victims to click on shortened URLs leading them to the University Research Co. website, Romang said.
Romang found a connection referrer to the website on the backend server used in the attack. He discovered a Twitter account, @natividad_usaid, created on March 18 that was providing links to the infected site; the account was deleted on April 10.
“Some Twitter users were directly contacted in order to incite them to click on the link and most of these users were related to USAID,” Romang said.
Even the link listed in the Twitter account’s profile description contained a malicious shortened URL leading users to a file hosted on a Dropbox account, which Romang said is a direct link to the Poison Ivy malware.
The file establishes a connection to a command-and-control server, microsoftUpdate[.]ns1[.]name, and drops an executable called conime[.]exe, which opens remote connections on ports 443 and 53, according to Invincea; registry changes are made to maintain persistence on infected machines.
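The behaviour described above gives a defender a handful of indicators to hunt for. As an added example (not code from the article or from the researchers it quotes), the script below refangs the quoted C2 hostname and checks constructed endpoint log lines for it alongside the dropped file name and the two ports; the log format is an assumption.

```python
import re

# Indicators quoted in the article, in the defanged form used there.
C2_DOMAIN_DEFANGED = "microsoftUpdate[.]ns1[.]name"
DROPPED_EXE = "conime.exe"
C2_PORTS = {443, 53}


def refang(indicator: str) -> str:
    """Turn the '[.]' defanging notation back into a matchable, lowercase hostname."""
    return indicator.replace("[.]", ".").lower()


# Constructed sample log lines (not from the article). Assumed format:
#   <timestamp> host=<endpoint> proc=<image name> dst=<hostname-or-ip>:<port>
SAMPLE_LOGS = [
    "2013-05-02T10:14:03Z host=ws-17 proc=conime.exe dst=microsoftupdate.ns1.name:443",
    "2013-05-02T10:14:05Z host=ws-17 proc=conime.exe dst=microsoftupdate.ns1.name:53",
    "2013-05-02T10:15:00Z host=ws-02 proc=chrome.exe dst=www.example.org:443",
    "2013-05-02T10:16:30Z host=ws-09 proc=svchost.exe dst=update.microsoft.com:443",
    "2013-05-02T10:17:12Z host=ws-11 proc=conime.exe dst=10.0.0.5:8080",
]

LINE_RE = re.compile(r"host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>[^:\s]+):(?P<port>\d+)")


def classify(line: str) -> list[str]:
    """Return the names of the indicators a log line matches (empty list if none)."""
    m = LINE_RE.search(line)
    if not m:
        return []
    hits = []
    if m["dst"].lower() == refang(C2_DOMAIN_DEFANGED):
        hits.append("c2_domain")
    # conime.exe is also the name of a legitimate Windows console IME binary, so the
    # file name alone is a weak signal; pair it with the outbound ports before alerting.
    if m["proc"].lower() == DROPPED_EXE and int(m["port"]) in C2_PORTS:
        hits.append("dropper_port")
    elif m["proc"].lower() == DROPPED_EXE:
        hits.append("dropper_name")
    return hits


def scan(lines) -> dict[str, set[str]]:
    """Map each endpoint to the set of indicators it matched, skipping clean lines."""
    findings: dict[str, set[str]] = {}
    for line in lines:
        hits = classify(line)
        if hits:
            findings.setdefault(LINE_RE.search(line)["host"], set()).update(hits)
    return findings
```

A host that matches both the C2 domain and the dropper-plus-port pattern (ws-17 in the constructed data) is the one to isolate first; a lone file-name match deserves a look but not an automatic page.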
A second connection referrer was found, Romang said, this one to a phony Facebook profile for a supposed USAID employee, Kelly Black, a University of Virginia graduate living in D.C. The account included a profile picture of two young blonde women and was created and deleted on March 24, Romang said. The account was busy, however, finding 41 friends—most with ties to USAID—and each post contained a link to the University Research Co. and messages about a Mekong water sanitation project. One curious Facebook friend of Kelly Black’s wanted to know which woman she was in the picture, which turned out to be of a couple of supporters of the Swedish national soccer team taken during the 2012 European championships in Poland, Romang said.
Microsoft urges IE 8 users, at a minimum, to apply the Fix It for the zero day until a patch is released. The vulnerability is a remote-code-execution use-after-free flaw, which arises from how the browser handles objects in memory after they have been deleted.
The Poison Ivy RAT, meanwhile, is a backdoor that an attacker can use to remotely access compromised machines and add or delete files, edit the Registry, view or kill running processes, network connections and services, and add or delete applications. It can be used for espionage as well; some variants have the capability to start remote command shells, take screenshots, start audio or video recordings and drop keylogging software.
Photo: Ryan Rodrick Beiler / Shutterstock.com