Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

National Journal Site Found Serving ZeroAccess Rootkit

Researchers at Invincea say they spotted National Journal still serving malware today, marking the second time in less than a month the news site was used to infect users.

Researchers at Invincea say they spotted National Journal still serving malware today, marking the second time in less than a month the news site was used to infect users.

The site is no longer serving malware at this moment. However, according to Invincea, the site was observed using a Java exploit to deliver a variant of the ZeroAccess rootkit and fake antivirus.

According to a report by MediaBistro.com, the initial compromise was detected Feb. 28, and is believed to have affected people who visited the site via major search engines between Feb. 18 and March 1. 

“What we found…was somewhat surprising given the disclosure by The National Journal…that they were aware of this happening previously/had hired a third party to investigate and remediate,” blogged Anup Ghosh, CEO of Invincea.

A redirect was added to the top of the main index page that created an iframe pointing to an exploit pack landing page, he continued. After de-obfuscating the JavaScript, an iframe was revealed leading to an exploit pack. The exploit pack was the NeoSploit pack.

 The Java exploit served via malicious archive (.jar) file.  During their analysis, the company noticed that the landing page redirected users with a more recent version of Java to a serialized Java object hosted at koxhrcnr[.]myvnc[.]com. Java object serialization is implemented to bypass the interactive user access control implemented in Java 7 Update 11.

“Is The National Journal on an island in terms of being the only legitimate website to push malware? Hardly – NBC.ComThe Council on Foreign RelationsSpeedtest.net all were used previously…and the list continues to grow,” blogged Ghosh. “What this tells us (as if we didn’t already know) is that the bad guys are increasingly going to the watering hole to attack their targets.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.