Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Nepalese Government Sites Hit With Java Exploit, Backdoor

Researchers have uncovered another attack exploiting a Java vulnerability against activists and government agencies in Nepal. The attack resulted in a backdoor being installed on victims’ machines.

Researchers have uncovered another attack exploiting a Java vulnerability against activists and government agencies in Nepal. The attack resulted in a backdoor being installed on victims’ machines.

Two Nepalese government agencies, the National Information Technology Center and the Office of the Prime Minister and Council Minister were targeted in this latest attack, Gianluca Giuliani, a security researcher with Websense, wrote on the Websense Security Labs blog. Attackers injected malicious code designed to exploit a Java Runtime Environment vulnerability on to the agency sites. The attacks relied on code modified from a Metasploit module for that vulnerability, Giuliani added.

Government of Nepal hit With MalwareWhen triggered, the code installed a backdoor called Zegost onto the victim machines. Zegost is a common remote administration tool and is capable of logging keystrokes, remote code execution, and stealing and transferring data. The backdoor in the Nepalese attacks opened an outbound connection to a remote command-and-control server hosted on “,” a domain based in China, Giuliani said.

“As in other cases, we can see that this backdoor isn’t highly complex at all, but it’s certainly no less effective than other complex malware once executed on the target systems,” Giuliani wrote.

The same Java vulnerability, CVE-2012-0507, had been used in previous attacks against Amnesty International and the Institute for National Security Studies in Israel, Giuliani said. All three attacks used code taken from the Metasploit framework, although that doesn’t necessarily indicate a link between them. However, it was noteworthy that the same domain also hosted the C&C server used in the Amnesty attack, Giuliani noted.

Zegost has also been used to target Uyghurs, Tibetans, and other ethnic groups in Eastern and Central Asia, according to AlienVault.

The method of infection is familiar, with attackers first compromising the targeted site and then injecting malicious code exploiting a common vulnerability. The main page was infected with a Java JAR file loader, and when executed, it attempted to exploit the Java flaw, Giuliani said. The exploit shellcode then downloads and runs the “tools.exe” executable, which is really Zegost, on to the impacted system.

It appears the Office of the Prime Minister and Council Minister website was compromised in May, according to Websense.

Advertisement. Scroll to continue reading.

The backdoor on the impacted system uses local TCP port 1320 to connect to the C&C server on TCP port 53, which is a little unusual. Even though port 53 is generally reserved for the DNS Zone transfer, the traffic over the port used a proprietary protocol, according to Websense.

Interestingly, the installed software was signed by valid certificate issued by VeriSign, Giuliani said. Malicious code signed with valid certificates is a trend that we’ve seen in other targeted attacks, he said.

The trend “can reduce the effectiveness of human and automatic countermeasures,” he said.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...