
Big Chinese Hack 2?

Yesterday we detected the onset of the latest mass hack attack – websites being compromised and links placed on them that lead to malicious servers. We estimate that in the last two days alone, between 2,000 and 10,000 servers, mainly Western European and American ones, have been hacked. It’s not yet clear who’s behind this.

We’re still working on determining exactly how the sites were hacked, but two scenarios are the most likely: SQL injection, or the use of site accounts whose credentials had already been stolen. One common factor is that the majority of the hacked sites run on some type of ASP engine.

These attacks aren’t yet on the scale of the first attacks, which took place in spring this year and affected more than 1.5 million web resources. But things are still developing, and the similar nature of the malicious programs used in both attacks leads us to think that this new wave of attacks is potentially pretty serious.

How do the attacks work?

The attackers add a tag, <script src=http://******/h.js>, to the HTML of hacked sites.

The link leads to JavaScript located on one of six servers; these servers act as gateways that redirect requests further. We’ve identified six of these gateways, and they’ve been added to the denylist in our antivirus:

  • armsart.com
  • acglgoa.com
  • idea21.org
  • yrwap.cn
  • s4d.in
  • dbios.org

If you’re an admin, you should block access to these sites.

Visiting one of these sites results in a silent redirect to a malicious server, vvexe.com, which is located in China. Exploits are then used to launch an attack on the user’s machine.

We’re currently seeing a range of exploits being used. They target vulnerabilities in Internet Explorer and Macromedia Flash Player, and the ActiveX vulnerability (MS08-053) which Microsoft patched less than two months ago. There are also exploits designed to target Firefox users.

Here’s a list of the malicious programs on the site that our antivirus detects:

  • Trojan-Downloader.HTML.Agent.ls
  • Trojan-Downloader.SWF.Agent.ae
  • Trojan-Downloader.SWF.Agent.ad
  • Trojan-Downloader.SWF.Agent.af
  • Trojan-Downloader.SWF.Small.em
  • Trojan-Downloader.SWF.Small.en
  • Trojan-Downloader.JS.Agent.cwt
  • Trojan-Downloader.JS.Agent.cwu
  • Trojan-Downloader.JS.Agent.cww
  • Trojan-Downloader.JS.Agent.cwv
  • Trojan-Downloader.JS.Agent.cwx
  • Trojan-Downloader.JS.Agent.cwy
  • Exploit.JS.Agent.xu
  • Trojan-Dropper.JS.Agent.z

If your machine is vulnerable to even one of these exploits, then it’ll be infected by another malicious program, Trojan-Downloader.Win32.Hah.a.

This Trojan is able to download yet more malicious programs – and details of these programs are in a dedicated configuration file on the vvexe.com site.

Today, we’ve seen three malicious programs being downloaded:

Trojan-GameThief.Win32.WOW.cer – a Trojan designed to steal account data from World of Warcraft accounts

Trojan-Spy.Win32.Pophot.gen – another spy program which steals data and also tries to delete a whole range of antivirus solutions

Trojan.Win32.Agent.alzv – this Trojan downloads yet more Trojan spy programs: Trojan-PSW.Win32.Delf.ctw, Trojan-PSW.Win32.Delf.ctx, Trojan-PSW.Win32.Delf.cty.

If you own or manage a site that uses an ASP engine, check all your pages for a link like this: <script src=http://******/h.js>. And if you find it, delete it. It’s not just your security that’s at stake, but the security of everyone using your site!
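As an added example (this is not code from the original post or from the antivirus described in it), here is a small Python scanner that implements the check above: it walks a web root, reports every <script src=…> include that points off-site, flags those that point at the six gateway domains listed earlier, and can strip exactly those tags. The sample page, the own-host list (www.example.com), the use of armsart.com as the gateway in the sample (the post masks the real host) and the file extensions scanned are constructed assumptions. Note that removing the tag only cleans the symptom: unless the injection vector (SQL injection or a stolen account) is closed as well, the tag will come back.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# The six gateway domains named in the post (any subdomain of them counts too).
GATEWAY_DOMAINS = frozenset({
    "armsart.com", "acglgoa.com", "idea21.org", "yrwap.cn", "s4d.in", "dbios.org",
})

# File types worth scanning on an ASP site (assumption: adjust to your tree).
SCAN_EXTENSIONS = (".asp", ".aspx", ".ascx", ".inc", ".htm", ".html", ".js")

# A <script ...src=VALUE...> tag, VALUE quoted or bare (the injected tag is bare),
# plus the empty </script> that usually follows it.
SCRIPT_SRC_RE = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?P<q>["']?)(?P<src>[^"'\s>]+)(?P=q)[^>]*>\s*(?:</script\s*>)?""",
    re.IGNORECASE,
)


def script_host(src: str):
    """Hostname of an absolute or protocol-relative script URL; None for a local path."""
    host = urlparse(src).hostname
    return host.lower() if host else None


def classify(src: str, own_hosts=frozenset()) -> str:
    """'local' (same site), 'known-gateway' (one of the six domains) or 'external'."""
    host = script_host(src)
    if host is None or host in own_hosts:
        return "local"
    if host in GATEWAY_DOMAINS or host.endswith(tuple("." + d for d in GATEWAY_DOMAINS)):
        return "known-gateway"
    return "external"


def scan_text(text: str, own_hosts=frozenset()):
    """Return [(line_no, src, verdict)] for every off-site script include in a page."""
    findings = []
    for m in SCRIPT_SRC_RE.finditer(text):
        verdict = classify(m.group("src"), own_hosts)
        if verdict != "local":
            findings.append((text.count("\n", 0, m.start()) + 1, m.group("src"), verdict))
    return findings


def clean_text(text: str) -> str:
    """Strip script tags that load from a known gateway; everything else is left untouched."""
    return SCRIPT_SRC_RE.sub(
        lambda m: "" if classify(m.group("src")) == "known-gateway" else m.group(0), text
    )


def scan_tree(root, own_hosts=frozenset()):
    """Walk a web root and map each affected file to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_EXTENSIONS:
            found = scan_text(path.read_text(errors="replace"), own_hosts)
            if found:
                report[str(path)] = found
    return report


# Constructed sample page: a local include, a legitimate same-site include,
# the injected gateway tag (armsart.com is assumed here; the post masks the host)
# and an unrelated third-party include that should be reviewed but not auto-removed.
SAMPLE_PAGE = """<%@ Language=VBScript %>
<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript" src="http://www.example.com/js/menu.js"></script>
<script src=http://armsart.com/h.js></script>
<script src="http://cdn.example.net/lib.js"></script>
</head><body>Hello</body></html>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:   # real use: python scan_injected_script.py /path/to/wwwroot www.yoursite.com
        hits = scan_tree(sys.argv[1], frozenset(h.lower() for h in sys.argv[2:]))
    else:                   # demo on the constructed page
        hits = {"SAMPLE_PAGE": scan_text(SAMPLE_PAGE, frozenset({"www.example.com"}))}
    for path, found in hits.items():
        for line_no, src, verdict in found:
            print(f"{path}:{line_no}: {verdict}: {src}")
```

Run it against the web root with your own hostnames as extra arguments; anything reported as "external" is a third-party include to review by hand, while "known-gateway" hits are the ones clean_text() removes. After cleaning, rotate the site's credentials and audit the application's SQL handling, since those are the two entry points suspected in this campaign.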
