You are here

Home:Blogs:The curious case of a reconnaissance campaign targeting ministry and embassy sites
X-Labs
February 7, 2017

The curious case of a reconnaissance campaign targeting ministry and embassy sites

Roland Dela Paz Security Researcher
APT Cyber Attack Malware

Forcepoint Security Labs™ came across a malicious reconnaissance campaign that targets websites. It is unknown what is the intent behind the campaign as of this writing, however, the profile of the targets resembles those that are common targets of Advanced Persistent Threat (APT) actors. As the attack is currently active, it effectively turns compromised sites into attack surfaces against their visitors.

Furthermore, the injections resemble those used by the Turla group, such as those previously documented by Swiss GovCERT last year. In this post, we will share our findings on this campaign's targets and injected code as well as provide insights to its timeline.

Affected websites

The majority if the targeted sites were ministry and embassy sites although sites with different profiles were also compromised. Below is a list of the affected sites we have observed:

  • Foreign affairs ministries of Kyrgyzstan, Moldova and Uzbekistan
  • Embassy sites of Iraq, Jordan, Zambia and Russia
  • A political party in Austria
  • A government-run, sustainability site in Austria
  • A sports association in Austria
  • A Somalian news site
  • A socialist organization in Spain
  • An international cooperation organization based in France
  • An African union site
  • A road safety site from Ukraine
  • An African plant society

Interestingly, all of the targeted embassy sites were embassies located in Washington, D.C., United States. Forcepoint has notified the administrators of the sites that were confirmed to be compromised. 

Injection

Target websites were compromised with a code that looks like a web analytics script from the web analytics service, Clicky. A snippet of the injected code is as follows:

A closer look at the code shows that while the Clicky site static.getclicky.com/js was declared in the variable s.src, the same variable is simply overwritten with the actual malicious site hxxp://www.mentalhealthcheck[.]net/update/check.php. The final HTTP request is sent to this site which then responds with Joseph Myers’ Javascript implementation of the MD5 algorithm:

As reported by the Swiss GovCERT, the Turla group is known to use Google Analytics scripts to disguise their malicious code on compromised websites. They then evaluate compromised sites' visitors, through fingerprinting and an IP target list, before a malicious payload is served. These techniques are strikingly similar to this campaign wherein the injected codes are disguised as a Clicky web analytics script. In addition, the above HTTP response suggests that it is simply used to cover the malicious activity to visitors outside the attackers' interest.

The actors behind the campaign actively manages the injected scripts. For instance, we have seen them comment out their injected script in a particular site for a certain period and then reactivate it again. Injected scripts are also updated with new malicious sites.

Timeline

The campaign dates as far back as December 2015 when the first malicious domain used for the landing page, nbcpost[.]com, was registered. In November 2016, compromised sites were then updated with new landing sites using the domains epsoncorp[.]com and mentalhealthcheck[.]net - both were registered in February 2016. Just this week, they updated their landing page yet again under a new domain, travelclothes[.]org, which was registered on November 2016.

Meanwhile, the earliest compromise we have seen is April 2016 and the majority of the affected sites we have observed appears to have been compromised at that time. Some sites were compromised for a brief period, while some remained compromised for as long as 10 months.

Protection statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 2 (Lure) - The injected code on the compromised site is detected and the site is blocked.

Conclusion

This post describes a reconnaissance campaign that actively obtains foothold on government and private websites. The tactics and the targeting of this campaign overlaps with those of the Turla group. However, no conclusive evidence is available to confirm a relationship between the two and the motive behind this campaign is yet to be uncovered. It is recommended that website administrators review their websites for similar injections to prevent their visitors from being subject to a potential attack.

We would like to clarify that the Clicky web analytic platform is not being used for malicious purposes and is only used as a disguise for this campaign. We would also like to thank Clicky for sharing their insights during our investigation.

With additional insights from Nicholas Griffin and Sindyan Bakkal.

Indicators of Compromise

Landing Pages

hxxp://rss.nbcpost[.]com/news/today/content.php
hxxp://drivers.epsoncorp[.]com/plugin/analytics/counter.js
hxxp://www.mentalhealthcheck[.]net/update/check.php
hxxp://www.mentalhealthcheck[.]net/update/counter.js
hxxp://static.travelclothes[.]org/main.js
RD

Roland Dela Paz

Security Researcher
Read more articles by Roland Dela Paz

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.
Learn more about Forcepoint