Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Nepalese Government Sites Hit With Java Exploit, Backdoor

Researchers have uncovered another attack exploiting a Java vulnerability against activists and government agencies in Nepal. The attack resulted in a backdoor being installed on victims’ machines.

Researchers have uncovered another attack exploiting a Java vulnerability against activists and government agencies in Nepal. The attack resulted in a backdoor being installed on victims’ machines.

Two Nepalese government agencies, the National Information Technology Center and the Office of the Prime Minister and Council Minister were targeted in this latest attack, Gianluca Giuliani, a security researcher with Websense, wrote on the Websense Security Labs blog. Attackers injected malicious code designed to exploit a Java Runtime Environment vulnerability on to the agency sites. The attacks relied on code modified from a Metasploit module for that vulnerability, Giuliani added.

Government of Nepal hit With MalwareWhen triggered, the code installed a backdoor called Zegost onto the victim machines. Zegost is a common remote administration tool and is capable of logging keystrokes, remote code execution, and stealing and transferring data. The backdoor in the Nepalese attacks opened an outbound connection to a remote command-and-control server hosted on “who.xhhow4.com,” a domain based in China, Giuliani said.

“As in other cases, we can see that this backdoor isn’t highly complex at all, but it’s certainly no less effective than other complex malware once executed on the target systems,” Giuliani wrote.

The same Java vulnerability, CVE-2012-0507, had been used in previous attacks against Amnesty International and the Institute for National Security Studies in Israel, Giuliani said. All three attacks used code taken from the Metasploit framework, although that doesn’t necessarily indicate a link between them. However, it was noteworthy that the same xhhow4.com domain also hosted the C&C server used in the Amnesty attack, Giuliani noted.

Zegost has also been used to target Uyghurs, Tibetans, and other ethnic groups in Eastern and Central Asia, according to AlienVault.

The method of infection is familiar, with attackers first compromising the targeted site and then injecting malicious code exploiting a common vulnerability. The main page was infected with a Java JAR file loader, and when executed, it attempted to exploit the Java flaw, Giuliani said. The exploit shellcode then downloads and runs the “tools.exe” executable, which is really Zegost, on to the impacted system.

It appears the Office of the Prime Minister and Council Minister website was compromised in May, according to Websense.

The backdoor on the impacted system uses local TCP port 1320 to connect to the C&C server on TCP port 53, which is a little unusual. Even though port 53 is generally reserved for the DNS Zone transfer, the traffic over the port used a proprietary protocol, according to Websense.

Advertisement. Scroll to continue reading.

Interestingly, the installed software was signed by valid certificate issued by VeriSign, Giuliani said. Malicious code signed with valid certificates is a trend that we’ve seen in other targeted attacks, he said.

The trend “can reduce the effectiveness of human and automatic countermeasures,” he said.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...