Human rights and civil society organizations face a growing spectrum of online threats, including Internet filtering, website defacements, denial of service attacks, and targeted malware (malicious software) attacks. Such organizations can be particularly vulnerable to these threats due to limited resources and lack of computer network security support.
Malware attacks in particular are an increasing problem for human rights and civil society groups. Past Information Warfare Monitor research has documented targeted email-based malware attacks on human rights groups and the use of compromised organizational websites to deliver malware to site visitors (see Human Rights and Malware Attacks, Targeted Malware Attack on Foreign Correspondents based in China, Nobel Peace Prize, Amnesty International HK and Malware). In this blog post we document another instance of a human rights related website being compromised and used to disseminate malware.
While analyzing OpenNet Initiative Internet filtering test results, we found one site covering Chinese human rights issues that triggered an anti-virus alert. The AV program identified a file from the website as Trojan.Swifi. Looking into this, we determined that the site had been compromised and was being used to distribute malware to its visitors.
Tracing our browsing history, we first found that one of the site’s pages had an embedded IFrame that looks out of place:
The frame points to an HTML file on another site, which in turn loads a Flash (SWF) file:
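The injected frame is the only change the attacker needed on the legitimate page, so the first thing a site operator can do is look for frames like it. The following is an added example, not code from the original post or from the IWM: a small Python checker that parses a page and reports any iframe whose src host differs from the page's own host, or that is hidden via CSS or sized to zero or one pixel. The sample page and the hostnames `news.example` and `attacker.example` are constructed placeholders; the original post does not reproduce the real frame contents.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.frames: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value is None for bare attributes
            self.frames.append({k.lower(): v for k, v in attrs})


def _attr(attrs: Dict[str, Optional[str]], name: str) -> str:
    """Attribute value as a stripped string, '' when absent or valueless."""
    return (attrs.get(name) or "").strip()


def suspicious_iframes(html: str, page_host: str) -> List[Tuple[str, List[str]]]:
    """Return (src, reasons) for every iframe that points off-site or is hidden.

    Heuristics: the src host differs from page_host; CSS hides the frame; the frame
    is 0 or 1 pixel in either dimension. A relative src (no host) is treated as
    same-site. Frames matching none of the heuristics are not reported.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings: List[Tuple[str, List[str]]] = []
    for attrs in parser.frames:
        src = _attr(attrs, "src")
        reasons: List[str] = []
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append(f"off-site src host {host}")
        style = _attr(attrs, "style").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        for dim in ("width", "height"):
            if _attr(attrs, dim).rstrip("px") in ("0", "1"):
                reasons.append(f"{dim} is {_attr(attrs, dim)}")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page (hypothetical hosts): one legitimate same-site frame and
# one injected, hidden, off-site frame of the kind described in the post.
SAMPLE_HTML = """<html><body>
<h1>News</h1>
<iframe src="/embeds/video.html" width="480" height="270"></iframe>
<p>Article text.</p>
<iframe src="http://attacker.example/ad.html" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "news.example"):
        print(f"{src}: {'; '.join(reasons)}")
```

Run this over a crawl of your own site's pages and diff the results against a known-good baseline; an iframe that suddenly appears pointing at a host you do not control is exactly the indicator found here. Note that a frame that is visible and same-site can still be malicious, so the checker is a triage aid, not proof of a clean page.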
The Flash file exploits CVE-2011-2110 (addressed in Adobe security bulletin APSB11-18) to download and run another program hosted on the same website, without the knowledge or consent of the user. Trojan.Swifi is the name that Symantec gives to this threat. Shadowserver has a good writeup on the first appearance of these Flash files being used in the wild, and gives examples of sites they have found hosting this malware.
The URL of the file to download and run is encoded in the parameter passed to the SWF file in the link:
The file itself is compressed with zlib and then XOR-encrypted with a one-byte key. (The key is easy to recover: the decrypted data must begin with the two-byte zlib header, so XORing the first byte of the file against the expected header byte yields the key.)
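As an added example, not code from the original post or from the IWM, the following Python shows the key recovery the previous paragraph describes and then inflates the result. Every standard zlib stream starts with CMF byte 0x78, and RFC 1950 requires that CMF*256+FLG be divisible by 31, so the first byte fixes the only candidate key and the second byte confirms it. The payload used here is a constructed PE-like stand-in, not the real Trojan.Swifi download, and the key 0x5A is an arbitrary choice for the demonstration.

```python
import zlib
from typing import Optional

ZLIB_CMF = 0x78  # CM=8 (deflate), CINFO=7 (32 KiB window): first byte of a standard zlib stream


def zlib_header_ok(cmf: int, flg: int) -> bool:
    """RFC 1950 check: CMF must be 0x78 and CMF*256+FLG must be a multiple of 31."""
    return cmf == ZLIB_CMF and ((cmf << 8) | flg) % 31 == 0


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Recover the single-byte XOR key of a blob that is a zlib stream once decrypted.

    The plaintext must start with 0x78, so blob[0] ^ 0x78 is the only candidate key;
    the FLG byte is then used to confirm it. Returns None if the candidate fails.
    """
    if len(blob) < 2:
        return None
    key = blob[0] ^ ZLIB_CMF
    if zlib_header_ok(blob[0] ^ key, blob[1] ^ key):
        return key
    return None


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def decode_payload(blob: bytes) -> bytes:
    """Strip the XOR layer and inflate. Raises ValueError when the key cannot be
    recovered or when the header is plausible but the stream itself is corrupt."""
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("blob does not decrypt to a zlib stream under any single-byte key")
    try:
        return zlib.decompress(xor_bytes(blob, key))
    except zlib.error as exc:
        raise ValueError(f"key 0x{key:02x} yields a zlib header but inflation failed: {exc}") from exc


def build_sample(payload: bytes, key: int) -> bytes:
    """Constructed test input (NOT the real malware): compress, then XOR with one byte,
    mirroring the layering described in the post."""
    return xor_bytes(zlib.compress(payload), key)


# Constructed stand-in for the downloaded executable: a PE-like DOS header, not real code.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 512
SAMPLE_BLOB = build_sample(SAMPLE_EXE, 0x5A)  # 0x5A is an arbitrary demonstration key

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    out = decode_payload(SAMPLE_BLOB)
    print(f"inflated {len(out)} bytes, starts with {out[:2]!r}")
```

On a real sample, check that the inflated output begins with the `MZ` signature before handing it to further analysis; a plausible header can still precede a truncated or differently encoded stream, which is why `decode_payload` distinguishes a failed key recovery from a failed inflation.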
The day after we discovered this issue, the link in the IFrame had been changed. The core of the attack, the Flash file, was unchanged, but it was now hosted on a different server and loaded a slightly different executable: same functionality, different filename and metadata. The first hosting site was one of the examples listed in the Shadowserver report, which may be why the frame was redirected to a new location serving a new payload.
In both cases, the downloaded program installs Poison Ivy, a remote administration tool (RAT).
The Flash file is byte-for-byte identical in both cases (the MD5 matches), which is consistent with the two payloads sharing the same encryption and compression format: the payload URL is passed to the SWF as a parameter rather than being hard-coded inside it, so the exploit itself never has to change. The MD5 hashes of the two programs and the Flash file are:
Flash file:
    b0b33a68bc9b410b8e58979b0409d466

First sample:
    c9c58cab8441c07816727a7d9bb77cda  Encrypted + compressed payload
    8ea8b81afa8928da7a12610dfebc57b2  Payload

Second sample:
    c99129da6460dc27b0c92f84c8e0c3ed  Encrypted + compressed payload
    baff5ea74cb2b55ea124a20dc6037f19  Payload
The two downloaded files are slightly different, and have different icons and program information.
Each program contacts a command and control (C2) server using a different dynamic DNS hostname provided by changeip.org (the first under epac.to, the second under jetos.com). Both hostnames stopped working within a day, resolving to 0.0.0.0, while the server behind them continues to operate at an ISP in Singapore. That both hostnames were disabled so quickly suggests the malware was being served from more sites than just the Chinese news site on which we discovered it.
Metadata in the first program identifies it as “s1.exe”, the second as “s3.exe”. Both use “aaaa” as the company name and “Chinese (PRC)” as the language. The first uses an information bubble as its icon, the second a printer icon. s3 also calls itself “flash2” internally and uses that string in its dynamic DNS hostname.
It is likely that this C2 server will continue to operate under new dynamic DNS hostnames until it is taken offline by the ISP, assuming the ISP is able and willing to do so; so far, the ISP has not responded to the IWM’s abuse reports beyond automated replies from its support ticketing system. Searching records of previously reported malware activity shows nothing specific to the IP these programs connect to, although it does show many connections to IPs in the same netblock. From our initial examination, the network hosting this C2 server appears ripe for abuse.
Although the site itself is a legitimate news site, any visitor who had not applied the recent Flash update (APSB11-18) would have been infected with the Poison Ivy remote administration tool, giving the attacker full control of the victim’s computer. Given the location of the hosting provider and the use of dynamic DNS, it is likely that the command and control server will remain active and that this specific threat will persist. Only one line of the legitimate web page needed to be changed to compromise every visitor running a vulnerable Flash Player.
Just as former IWM researcher Nart Villeneuve noted last November, we can expect attacks against the visitors of human rights websites to continue via the legitimate but compromised websites themselves. In this case the vulnerability had already been patched by Adobe and the exploit was not a 0-day when we discovered it. However, the gap between a patch being released and users actually applying it, set against the speed at which vulnerabilities such as CVE-2011-2110 are weaponized and deployed, is troubling. This threat is especially a problem for smaller organizations that lack dedicated IT staff and a meaningful security budget.