Targeted attack against UAE activist utilizes CVE-2013-0422, drops malware

Earlier this month, BahrainWatch.org was contacted by a UAE activist who reported receiving a suspicious email. Closer examination revealed a targeted attack relying on a Java exploit (CVE-2013-0422), which would have dropped a Remote Access Trojan (RAT) had the attack not been detected.

The malware was hosted on the isteeler(dot)com domain, which was registered on November 9, 2012 with the email address brightjam@163.com. The exploit ultimately dropped a sample with MD5 e5dc7ecfc5578d51ba92ff710b05ae09 on the affected hosts. Upon execution, the sample phoned back to storge(dot)myftp(dot)org:15999 (109.169.17.234). The malware marks its presence on the affected host with the registry value [HKEY_CURRENT_USER\Software\DAMAR]; NewIdentification = "DAMAR".
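
As an added defensive example, not code from the original post, the script below matches the indicators quoted above against constructed log lines (refanging the "(dot)" notation first) and checks an exported registry snapshot for the DAMAR marker. The log line format and the shape of the registry export are assumptions.

```python
# Indicators quoted in the post, kept in their defanged form.
INDICATORS = {
    "domain": ["isteeler(dot)com", "storge(dot)myftp(dot)org"],
    "ip": ["109.169.17.234"],
    "port": [15999],
    "md5": ["e5dc7ecfc5578d51ba92ff710b05ae09"],
}

def refang(value: str) -> str:
    """Turn the article's '(dot)' notation back into a real hostname."""
    return value.replace("(dot)", ".").lower()

def match_log_line(line: str) -> list:
    """Return (indicator type, value) pairs found in one log line."""
    hits = []
    lower = line.lower()
    for d in INDICATORS["domain"]:
        if refang(d) in lower:
            hits.append(("domain", refang(d)))
    for ip in INDICATORS["ip"]:
        if ip in line:
            # Prefer the full C2 socket (ip:port) when the port is visible.
            for port in INDICATORS["port"]:
                if f"{ip}:{port}" in line:
                    hits.append(("c2", f"{ip}:{port}"))
                    break
            else:
                hits.append(("ip", ip))
    for h in INDICATORS["md5"]:
        if h in lower:
            hits.append(("md5", h))
    return hits

def registry_marker_present(values: dict) -> bool:
    """values: assumed export shape, mapping (key path, value name) -> data."""
    key = (r"HKEY_CURRENT_USER\Software\DAMAR", "NewIdentification")
    return values.get(key) == "DAMAR"

# Constructed sample log lines (not taken from the article).
SAMPLE_LOGS = [
    "2013-02-12 10:00:58 proxy src=10.0.0.17 url=http://isteeler.com/ status=200",
    "2013-02-12 10:01:03 dns host=ws17 qname=storge.myftp.org rcode=NOERROR",
    "2013-02-12 10:01:04 netflow src=10.0.0.17 dst=109.169.17.234:15999 proto=tcp",
    "2013-02-12 10:00:59 av md5=e5dc7ecfc5578d51ba92ff710b05ae09 verdict=clean",
    "2013-02-12 10:02:00 proxy src=10.0.0.18 url=http://example.org/ status=200",
]

def scan(lines):
    """Return (line index, hits) for every line that matches an indicator."""
    results = []
    for i, line in enumerate(lines):
        hits = match_log_line(line)
        if hits:
            results.append((i, hits))
    return results
```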

This isn't the first time that government-tolerated cyberespionage actors have targeted UAE activists, and it definitely won't be the last. What's particularly interesting about this incident is that those who orchestrated it didn't rely on lawful interception tools, as the German government does on the majority of occasions. Instead, they relied on a modified version of a well-known RAT, a practice that, combined with the use of easily obtainable malware crypters, could completely bypass a host's signature-based antivirus protection.

There's another aspect of these cyberespionage campaigns worth considering in the context of the big picture: the practice of data mining already infected hosts with the aim of using them as sources of intelligence. Basically, a huge percentage of the population of a country under a totalitarian regime with restricted Internet access could be monitored either by using publicly obtainable tools or by purchasing access to malware-infected hosts within that country, in a cost-effective way compared to buying and deploying lawful interception tools.

What do you think: is cyberespionage against activists and dissidents the work of government-funded units, or was cyberespionage actually privatized years ago, leading to nothing but actual results and a paycheck?

Find out more about Dancho Danchev at his LinkedIn profile.
