Targeted attack against UAE activist utilizes CVE-2013-0422, drops malware

Summary: Earlier this month, BahrainWatch.org was contacted by a UAE activist who reported receiving a suspicious email. Closer examination showed it to be a targeted attack relying on a Java exploit that would have dropped a Remote Access Trojan (RAT) had it not been detected.

Earlier this month, BahrainWatch.org was contacted by a UAE activist who reported receiving a suspicious email. Closer examination showed it to be a targeted attack relying on a Java exploit (CVE-2013-0422, the Java 7 sandbox escape that was being exploited in the wild in January 2013 and was patched by Oracle in Java 7 Update 11) that would have dropped a Remote Access Trojan (RAT) had it not been detected.

The malware was hosted on isteeler(dot)com, a domain registered on November 9, 2012 with the email address brightjam@163.com. The dropped executable has MD5 e5dc7ecfc5578d51ba92ff710b05ae09. On execution the sample phones home to storge(dot)myftp(dot)org on port 15999 (resolving at the time to 109.169.17.234) and marks its presence on the host by creating the registry key HKEY_CURRENT_USER\Software\DAMAR with the value NewIdentification = "DAMAR". Since myftp.org is a dynamic-DNS domain, the IP address should be treated as a point-in-time observation; the hostname, the port, the file hash and the registry key are the more durable indicators.
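The indicators above are enough to sweep a fleet for this sample. The script below is an added example, not code from Bahrain Watch or from the original article: it un-defangs the published indicators and matches them against a host snapshot (file hashes, registry keys, connections, DNS queries) of the kind an EDR agent or a triage script would collect. The snapshot records are constructed sample data, not a capture from the affected machine; in a real sweep you would populate HostSnapshot from the collection tooling you actually have.

```python
"""IOC sweep for the indicators published in the article above.

The domain, C2 host/port/IP, MD5 and registry key are the ones quoted in
the text. Everything in SAMPLE_INFECTED and SAMPLE_CLEAN is constructed
sample data for demonstration, not a capture from the victim host.
"""
import re
from dataclasses import dataclass

# Indicators from the article, with the (dot) defanging undone by refang().
IOC_DOMAINS = {"isteeler.com", "storge.myftp.org"}
IOC_C2 = {("109.169.17.234", 15999)}
IOC_MD5 = {"e5dc7ecfc5578d51ba92ff710b05ae09"}
IOC_REG_KEY = r"HKEY_CURRENT_USER\Software\DAMAR"
IOC_REG_VALUE = ("NewIdentification", "DAMAR")


def refang(indicator: str) -> str:
    """Turn 'isteeler(dot)com' / 'evil[.]com' style defanging back into a real name."""
    return re.sub(r"[\(\[](?:dot|\.)[\)\]]", ".", indicator, flags=re.I)


def normalize_key(key: str) -> str:
    """Map short hive names (HKCU) onto long ones so both spellings match."""
    key = key.strip().rstrip("\\")
    key = re.sub(r"^HKCU(?=\\)", "HKEY_CURRENT_USER", key, flags=re.I)
    key = re.sub(r"^HKLM(?=\\)", "HKEY_LOCAL_MACHINE", key, flags=re.I)
    return key.lower()


@dataclass
class HostSnapshot:
    """Minimal view of what an EDR or a triage script would collect per host."""
    file_hashes: dict   # path -> md5 hex (any case)
    registry: dict      # key path -> {value_name: data}
    connections: list   # (remote_ip, remote_port, process_name)
    dns_queries: list   # queried names, possibly with a trailing dot


def sweep(host: HostSnapshot) -> list:
    """Return (indicator_type, detail) pairs for every IOC seen on the host."""
    hits = []
    for path, digest in host.file_hashes.items():
        if digest.lower() in IOC_MD5:
            hits.append(("file", path))
    wanted_name, wanted_data = IOC_REG_VALUE
    for key, values in host.registry.items():
        if normalize_key(key) != normalize_key(IOC_REG_KEY):
            continue
        for name, data in values.items():   # value names are case-insensitive on Windows
            if name.lower() == wanted_name.lower() and data == wanted_data:
                hits.append(("registry", key))
    for ip, port, process in host.connections:
        if (ip, int(port)) in IOC_C2:
            hits.append(("c2", f"{process} -> {ip}:{port}"))
    for name in host.dns_queries:
        if refang(name).lower().rstrip(".") in IOC_DOMAINS:
            hits.append(("dns", name))
    return hits


# Constructed sample data (not from the incident): one host that shows every
# indicator in a slightly different form than published, and one clean host.
SAMPLE_INFECTED = HostSnapshot(
    file_hashes={r"C:\Users\a\AppData\Local\Temp\update.exe": "E5DC7ECFC5578D51BA92FF710B05AE09"},
    registry={r"HKCU\Software\DAMAR": {"newidentification": "DAMAR"}},
    connections=[("109.169.17.234", 15999, "update.exe"), ("8.8.8.8", 53, "svchost.exe")],
    dns_queries=["storge.myftp.org.", "update.microsoft.com"],
)
SAMPLE_CLEAN = HostSnapshot(
    file_hashes={r"C:\Windows\System32\svchost.exe": "0123456789abcdef0123456789abcdef"},
    registry={r"HKEY_CURRENT_USER\Software\Microsoft": {"NewIdentification": "DAMAR"}},
    connections=[("8.8.8.8", 53, "svchost.exe")],
    dns_queries=["update.microsoft.com"],
)

if __name__ == "__main__":
    for label, snapshot in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, sweep(snapshot))
```

The clean host deliberately carries a NewIdentification = "DAMAR" value under a different key, so the registry check only fires on the exact key path the sample creates; matching on the value name alone would be a noisy indicator. Hash, key and hostname comparisons are case-insensitive and the trailing dot on the DNS name is stripped, because those are the forms in which collection tools usually report them.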

This isn't the first time that government-tolerated cyberespionage actors have targeted UAE activists, and it will not be the last. What is particularly interesting about this incident is that those who orchestrated it did not rely on lawful interception tools, as the German government does on the majority of occasions. Instead, they relied on a modified version of a well-known RAT, a practice that, combined with easily obtainable malware crypters, is enough to evade the signature-based antivirus protection on the target host.

There's another aspect of these cyberespionage campaigns worth considering in the context of the big picture: the practice of mining hosts that are already infected as sources of intelligence. A large share of the population of a country under a totalitarian regime, where Internet access is already restricted, could be monitored either with publicly obtainable tools or by simply purchasing access to malware-infected hosts inside that country, at a fraction of the cost of procuring and deploying lawful interception tools.

What do you think: is cyberespionage against activists and dissidents the work of government-funded units, or was it privatized years ago, leaving it to contractors who care about little beyond results and a pay check?


About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community.
