Beginning in early May, Cisco TRAC has observed a number of malicious redirects that appear to be part of a watering-hole style attack targeting the Energy & Oil sector. The structure consists of several compromised domains, of which some play the role of redirector and others the role of malware host.
Observed watering-hole style domains containing the malicious iframe have included:
- An oil and gas exploration firm with operations in Africa, Morocco, and Brazil;
- A company that owns multiple hydroelectric plants throughout the Czech Republic and Bulgaria;
- A natural gas power station in the UK;
- A gas distributor located in France;
- An industrial supplier to the energy, nuclear and aerospace industries;
- Various investment and capital firms that specialize in the energy sector.
Encounters with the iframe-injected web pages resulted either from direct browsing to the compromised sites or from seemingly legitimate and innocuous searches. This is consistent with the premise of a watering-hole style attack, which deliberately compromises websites likely to draw the intended targets, as opposed to spear phishing or other means of luring the targets to attacker-controlled content.
Interestingly, six of the ten iframe-injected websites were hosted on the same server and apparently serviced by the same web design firm. Three of these six were also owned by the same parent company. This likely indicates the sites were compromised via stolen login credentials, possibly obtained through an infection at the design firm or its hosting provider.
Various pages on the compromised companies’ websites were injected with a malicious iframe, two examples of which follow:
As the Top 5 Vertical Encounters chart shows, the largest percentage of visitors came, as expected, from the financial and energy sectors, an audience concentration that is also consistent with the nature of watering-hole style attacks.
The iframes surreptitiously load exploit code and malware from one of three malicious domains, which themselves appear to be victims of compromise. The malware is hosted on individual compromised pages on:
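The injected iframes described above are typically made invisible (zero width and height, or hidden via CSS) and point at a host other than the compromised site. The following scanner is an added example written for this page, not Cisco TRAC's tooling; the sample page, the hostname `www.example-energy.test` and the redirector host `attacker-redirector.test` are constructed for illustration and are not the domains from the post.

```python
"""Flag iframes that look injected into an HTML page (added example).

Heuristics: an iframe is reported when it points to a host other than the
page's own, is zero-sized, or is hidden via inline CSS. Uses only the
standard library so it can be run offline against saved page copies.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hostname of the page being scanned (constructed, not a real site).
SITE_HOST = "www.example-energy.test"

# Constructed sample page: one legitimate same-origin iframe and one
# injected, hidden, zero-size iframe pointing at an external redirector.
SAMPLE_HTML = """
<html><body>
<h1>Quarterly report</h1>
<iframe src="/video/player.html" width="640" height="360"></iframe>
<div>
<iframe src="http://attacker-redirector.test/x/count.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</div>
</body></html>
"""

# Inline-CSS patterns commonly used to keep an injected frame off-screen.
HIDDEN_STYLE = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d|top\s*:\s*-\d)",
    re.I,
)


def _is_zero(value):
    """True if a width/height attribute is 0 or 1 (e.g. '0', '0px', '1')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))  # attr names are lowercased


def suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for iframes that look injected."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        host = urlparse(src).hostname  # None for relative URLs
        if host and host.lower() != site_host.lower():
            reasons.append("external host: " + host)
        if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
            reasons.append("zero-size frame")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via CSS")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, SITE_HOST):
        print("SUSPICIOUS iframe %s: %s" % (src, ", ".join(reasons)))
```

Run it against saved copies of pages from a site you administer; a same-origin, normally sized frame produces no finding, while an external, zero-size or CSS-hidden frame is reported with every reason that matched. Treat the output as triage input, since legitimate trackers and ad frames also trip the external-host check.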
In order to deliver the malware, the attacks attempt to exploit the following vulnerabilities:
- CVE-2012-1723: Oracle Java SE 7 Update 4 and earlier, unspecified vulnerability related to HotSpot.
- CVE-2013-1347: Microsoft Internet Explorer 8, improper handling of objects in memory.
- CVE-2013-1690: Firefox / Thunderbird, improper handling of onreadystatechange events during page reloading.
The following screenshot illustrates the shellcode resulting from successful exploitation of the Firefox vulnerability described in CVE-2013-1690:
Over the course of the compromises, the attacker has made several modifications to the injected iframes, exploit code, and the resulting malware binary.
Following are the files used to deliver the malware:
Protecting users against these attacks involves keeping machines and web browsers fully patched to minimize the number of vulnerabilities that an attacker can exploit. Administrators can ensure that compromised websites hosting malicious content are kept away from end users by filtering web traffic at the network level with Cisco Web Security Solutions. These solutions detect the malicious content and block it before it can reach visitors’ machines.
Martin Lee, Gregg Conklin, and Mary Landesman contributed to this post.
FYI, the hash 7029066c27ac6f5ef18d660d5741979a appears to be an NSRL known good. Thought you would like to know. Thanks!