August 8, 2012

Nepalese government websites compromised to serve Zegost RAT


The Websense® ThreatSeeker® Network has detected that two Nepalese government websites, the National Information Technology Center (NITC) and the Office of the Prime Minister and Council Minister (nitc.gov.np and opmcm.gov.np respectively), have been compromised and injected with malicious code that tries to exploit the Java vulnerability CVE-2012-0507. The aim of this injection is to install, through successfully exploiting that Java weakness, a backdoor that is also dubbed "Zegost" on the systems of visitors to these websites.

This vulnerability (CVE-2012-0507) was also used in the Amnesty International UK website compromise and in the INSS website compromise that we reported a few months back. It's interesting to note that all those compromises had injected code that was taken from the Metasploit framework, served in clear form, and not obfuscated. Although the use of code from the Metasploit framework doesn't necessarily indicate a link between all the compromises, we found further common characteristics between the compromises of the Amnesty UK website and the Nepalese government website by analyzing the backdoor C&C points when we noticed that they connected to the same domain in China. 

The backdoor variant in this attack is known to have been used in other targeted attacks that were aimed at Uyghurs, Tibetans, and others in that area.

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.


Technical Analysis

According to Cyberwarnews, in early 2012, the websites of Nepalese institutions, such as the police, suffered two other types of attacks mainly in the form of defacements and data leakage. But it's not just Nepal that has been affected. This region has recently seen a sequence of targeted attacks and APTs.

Below is the content of the Nepalese National Information Technology Center (NITC) Web page along with the injected code marked in red: 


The main page was injected with a Java JAR file loader which once rendered by the Web browser is executed and attempts to exploit the CVE-2012-0507 vulnerability. The name used for the Java class name ("msf.x.Exploit.class") and the content of the file confirmed that the code was taken from the Metasploit framework. If the exploit code in the JAR file has been successfully executed, the exploit shellcode downloads and runs the executable file named "tools.exe" on the impacted system (MD5: 3c7b7124f84cc4d29aa067eca6110e2f).

The ThreatSeeker Network was able to connect that same executable file dropped from nitc.gov.np (National Information Technology Center) to another Nepalese government website, opmcm.gov.np (Office of the Prime Minister and Council Minister website), as shown below:

The red, boxed URL is the website of the Office of the Prime Minister and Council Minister. We found out that this particular website was compromised this year, at least from May 9-15, to serve this same backdoor executable (MD5: 3c7b7124f84cc4d29aa067eca6110e2f):

The content that was injected between these dates at the website of the Office of the Prime Minister and Council Minister was identical to the code injected at the National Information Technology Center website, confirming that the same attack vector was used for both:

We detected that the dropped backdoor "tools.exe" (MD5: 3c7b7124f84cc4d29aa067eca6110e2f) is a variant "AD" of the backdoor Zegost. This backdoor toolkit or remote administration tool (RAT) has also been involved in other targeted attacks in Asia, according to an analysis by AlienVault in their research blog

Thanks to the Websense ThreatScope® sandbox service, the C&C address was detected at "who.xhhow4.com," as shown in the picture below (for the complete sandbox report, click here).  

The domain "hhow4.com" was also used as a C&C point for the dropped backdoor served at the compromised Amnesty  UK website, where that variant specifically connected to the address at "shell.xhhow4.com" (for the complete sandbox report, click here).


Both C&Cs are hosted at IP address

 The domain "xhhow4.com" is hosted in China by a Web hosting company known as Hichina Zhicheng Technology Co., Ltd. The next image shows a Robtex DNS names graph analysis for that domain:


Once the backdoor is installed on the impacted system, it initiates connections from local TCP port 1320. The destination address is to the C&C  at "who.xhhow4.com" and uses remote TCP port 53  (usually the port reserved for the DNS Zone transfer). However, it's important to note that the traffic wasn't DNS traffic but the proprietary protocol used by the backdoor for remote communications. Below is the first connection sequence between the backdoor and the C&C:


By decoding the TCP stream, it is possible to recognize that custom encryption was used to exchange information with the C&C. The network traffic starts also with a keyword, "URATU," as shown below: 

Once executed, the binary creates a Mutex named "microsoft.com" reported below:


The backdoor also uses common features like other common backdoors, such as keylogging, and supports the ability to accept and run commands remotely. As in other cases, we can see that this backdoor isn't highly complex at all, but it's certainly no less effective than other complex malware once executed on the target systems. Another interesting aspect of this backdoor file is that it's signed with what appears to be an invalid\fake certificate issued to 360.cn (a Chinese ISP) by VeriSign, as shown in the properties box:

The certificate contains the following details:


Having malicious code signed with certificates is a trend that we’ve seen in other targeted attacks that can reduce the effectiveness of human and automatic countermeasures. 


In this blog, we covered the compromise of Nepalese government websites in what appears to be a chain of targeted attacks. We managed to connect those attacks to a previously reported attack that took place in a different country: the compromise of the Amnesty International UK website. This shows that cyber warfare is trending and kicking and that there's certainly an effort by international players to stay dominant and persistent in that realm.


Security Researchers: Gianluca Giuliani, Elad Sharf.


Forcepoint-authored blog posts are based on discussions with customers and additional research by our content teams.

Read more articles by Forcepoint

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.