Two hacker groups used same IE 0-day exploit in recent attacks

The recently spotted watering hole attacks aimed at the visitors of the official website of the US Veterans of Foreign Wars and of a bogus website mimicking that of the French aerospace association GIFAS might not be, after all, the work of the same threat actors.

The claim has been made by Seculert researchers, who analyzed the tools and techniques used in both attacks and say that while the attack code for the exploited IE zero-day is nearly identical, the delivered malware is not, and neither are the C&C servers used in the attacks.

“Operation SnowMan” is likely the work of the attackers behind Operation DeputyDog and Operation Ephemeral Hydra, but the GIFAS attack is not, Seculert researchers claim.

In the GIFAS attack, the dropped malware is signed with a valid digital certificate so as not to trigger defense systems, and is able to steal information, download additional malware, and backdoor the system, allowing the attackers to access it at a later time.

Once installed, the malware contacts a C&C server hosted on the same server as the exploit, which is located in the United States.

Among the other things it does, it also changes the hosts files of the infected machines.

“This behavior is usually related to pharming in which attackers change IPs of specific domains to those of their own phishing servers,” the researchers shared. But in this case, “the domains that were added to the hosts file by the malware provide remote access to the employees, partners, and 3rd party vendors of a specific multinational aircraft and rocket engine manufacturer.”

While the researchers attempted to obscure the identity of this company, a screenshot of the secure remote access website listed in the hosts file and the logo on it point to Safran, an aerospace and defense contractor headquartered in Paris.

“This is the first time we have seen a malware change a hosts file for a purpose other than fraud perpetuated by pharming or for disabling access to specific websites,” the researchers commented. “The IPs added belong to the real remote access web servers and by adding the records to the hosts file the attackers ensured that there would be no DNS connectivity issues. Whenever the infected machines connect to the remote assets, the attackers are able to steal the sensitive credentials.”
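The three hosts-file abuses the researchers contrast (sinkholing a site, pharming a domain to an attacker's server, and pinning a real remote-access hostname to its real address so the connection never fails) can be told apart by comparing each entry against what DNS returns. The following auditor is an added example written for this article, not code from Seculert or the report; the hosts file content, the domain names and the addresses (IETF documentation ranges) are constructed placeholders, and the offline `FAKE_DNS` dictionary stands in for a real resolver.

```python
"""Audit a hosts file for entries an attacker might have added.

Added example for this article, not code from the Seculert report. The sample
hosts file, domain names and IP addresses below are constructed placeholders.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: Windows-style default content plus three planted lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 localhost
::1 localhost
0.0.0.0 ads.example.net               # sinkhole: blocks a site
198.51.100.23 vpn.target-example.com  # pinned to its real address
203.0.113.7 login.bank-example.com    # pinned to an attacker's address
"""

# Constructed stand-in for DNS so the example runs offline. On a live host you
# would pass socket.gethostbyname (or a resolver of your choice) instead.
FAKE_DNS: Dict[str, str] = {
    "vpn.target-example.com": "198.51.100.23",
    "login.bank-example.com": "192.0.2.44",
}

# Names that legitimately appear in stock hosts files.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes",
               "ip6-allrouters", "ip6-mcastprefix"}

Resolver = Callable[[str], Optional[str]]


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for every active line; comments are stripped."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def classify(ip_str: str, name: str, resolver: Resolver) -> str:
    """Label one hosts entry by comparing the pinned address with DNS."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "malformed"
    if name.lower() in LOCAL_NAMES:
        return "default"
    if "." not in name:
        # e.g. "127.0.1.1 myhost" on Debian-style systems: a local alias
        return "local-alias"
    if ip.is_loopback or ip.is_unspecified:
        # 127.x / ::1 / 0.0.0.0 for a real domain: the site is being blocked
        return "sinkhole"
    real = resolver(name)
    if real is None:
        return "pinned-unverified"
    if ipaddress.ip_address(real) == ip:
        # Hostname pinned to the address DNS would return anyway: harmless
        # for connectivity, which is exactly why it hides a credential-theft
        # target list in plain sight and has to be judged by the name itself.
        return "pinned-real"
    # Hostname pinned to a different address: classic pharming
    return "pinned-redirect"


def audit_hosts(text: str, resolver: Resolver = FAKE_DNS.get) -> List[Tuple[str, str, str]]:
    """Return (ip, hostname, verdict) for every entry that is not a stock default."""
    findings = []
    for ip_str, names in parse_hosts(text):
        for name in names:
            verdict = classify(ip_str, name, resolver)
            if verdict != "default":
                findings.append((ip_str, name, verdict))
    return findings


if __name__ == "__main__":
    for ip, host, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:17} {ip:15} {host}")
```

Only `pinned-redirect` entries are self-evidently malicious; a `pinned-real` entry is indistinguishable from a legitimate static mapping unless you know the hostnames belong to someone else's remote-access gateway, so in practice these verdicts should be diffed against a known-good baseline of the hosts file and the pinned names reviewed by hand.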

They also discovered that an older version of this malware was used in an attack over a year ago, and they posit that it and the GIFAS attack might be the work of the same group.

What’s left to discover is how two different groups came to use practically the same exploit for the same IE 10 zero-day at practically the same time. Seculert CTO Aviv Raff believes that the two groups bought the attack code from the same black market seller.
