Nepalese Government Sites Hit With Java Exploit, Backdoor

Researchers have uncovered another attack exploiting a Java vulnerability against activists and government agencies in Nepal. The attack resulted in a backdoor being installed on victims’ machines.

Two Nepalese government agencies, the National Information Technology Center and the Office of the Prime Minister and Council Minister were targeted in this latest attack, Gianluca Giuliani, a security researcher with Websense, wrote on the Websense Security Labs blog. Attackers injected malicious code designed to exploit a Java Runtime Environment vulnerability on to the agency sites. The attacks relied on code modified from a Metasploit module for that vulnerability, Giuliani added.

When triggered, the code installed a backdoor called Zegost onto the victim machines. Zegost is a common remote administration tool and is capable of logging keystrokes, remote code execution, and stealing and transferring data. The backdoor in the Nepalese attacks opened an outbound connection to a remote command-and-control server hosted on “who.xhhow4.com,” a domain based in China, Giuliani said.

“As in other cases, we can see that this backdoor isn’t highly complex at all, but it’s certainly no less effective than other complex malware once executed on the target systems,” Giuliani wrote.

The same Java vulnerability, CVE-2012-0507, had been used in previous attacks against Amnesty International and the Institute for National Security Studies in Israel, Giuliani said. All three attacks used code taken from the Metasploit framework, although that doesn’t necessarily indicate a link between them. However, it was noteworthy that the same xhhow4.com domain also hosted the C&C server used in the Amnesty attack, Giuliani noted.

Zegost has also been used to target Uyghurs, Tibetans, and other ethnic groups in Eastern and Central Asia, according to AlienVault.

The method of infection is familiar, with attackers first compromising the targeted site and then injecting malicious code exploiting a common vulnerability. The main page was infected with a Java JAR file loader, and when executed, it attempted to exploit the Java flaw, Giuliani said. The exploit shellcode then downloads and runs the “tools.exe” executable, which is really Zegost, on to the impacted system.

It appears the Office of the Prime Minister and Council Minister website was compromised in May, according to Websense.

The backdoor on the impacted system uses local TCP port 1320 to connect to the C&C server on TCP port 53, which is a little unusual. Even though port 53 is generally reserved for the DNS Zone transfer, the traffic over the port used a proprietary protocol, according to Websense.

Interestingly, the installed software was signed by valid certificate issued by VeriSign, Giuliani said. Malicious code signed with valid certificates is a trend that we’ve seen in other targeted attacks, he said.

The trend “can reduce the effectiveness of human and automatic countermeasures,” he said.