“Watering hole” sites crucial to new cyber espionage campaign

RSA’s newly dubbed FirstWatch research team has recently presented their findings on a “water holing” campaign that they first spotted back in July.

The approach consists of compromising websites the targets are likely to visit and equipping them with iframes pointing to servers hosting exploits for zero-days flaw.

As evidenced by the research done by Symantec on the Elderwood gang, watering hole attacks are quickly substituting spear phishing emails as the preferred method of infecting and compromising computers in targeted campaigns, as this approach allows attackers to target more victims and gather more data.

This most recently unveiled campaign has targeted a number of websites and inserted into them JavaScript elements that redirect users to an exploit site that just happened to be a website for curling fans.

That site was rigged to load exploits for a Java and/or a Microsoft Windows vulnerability. If the exploits were successful, it would install the Gh0st RAT on the targeted computer in order for the attackers to have control over it.

“While there is no known evidence linking this attack to previous attacks, Gh0st has historically been used in politically motivated espionage by nation-state attackers,” the researchers pointed out in the report.

When taking into consideration which sites served as watering holes, this campaign seems to have targeted Boston, Massachusetts area users, political activists, users from Washington, DC and its suburbs, and users in the defense industry and education.

Two variants (one compressed, the other not) of the Gh0st RAT were delivered to the targets, and both pretended to be a Symantec Update. According to the researchers, the file in question – named VPTray.EXE – was not detected by VirusTotal when the paper came out two days ago.

The attack also drops another malicious executable posing as a Microsoft update on the systems. The file is dropped in the current user’s “Local Settings\Temp” folder and is named SVOHOST.EXE in an attempt to blend it in as the name is similar to the legitimate SVCHOST.EXE file.

The malicious file disables the Registry Editor and Windows System Restore in order to assure the malware’s persistency and to prevent users from reverting the system to a known good state before infection occurred.

“Based on our analysis, a total of 32,160 unique hosts, representing 731 unique global organizations, were redirected from compromised web servers injected with the redirect iframe to the exploit server,” the researchers point out.

“Of these redirects, 3,934 hosts were seen to download the exploit CAB and JAR files (indicating a successful exploit/compromise of the visiting host). This gives a ‘success’ statistic of 12%, which based on our previous understanding of exploit campaigns, indicates a very successful campaign.”

Given that the C&C infrastructure for the attack is located in the Hong Kong area, the use of Gh0st RAT, the use of a particular script kit for victim redirection, and the targets of interest, the researchers believe that the attack was likely orchestrated and carried out by the same threat actors that effected the Aurora and Ghostnet attack campaigns.