Oil & Gas Firm Attacked

Friday, September 19, 2014 @ 03:09 PM gHale

In a classic watering hole attack, attackers planted malicious code on an oil and gas start-up company’s website in an effort to infect the computers of its visitors, researchers said.

It is possible the targeted company attracted the attention of the attackers since it had announced a considerable funding grant just days before the attack, said researchers at security provider Bromium.


“It’s likely that the attackers were expecting more traffic to the website and hoped to increase their chances of a successful infection,” Bromium’s Vadim Kotov said in a blog post.

The malicious script placed on the compromised website leveraged a low-severity Internet Explorer vulnerability to check for the presence of security solutions from Trend Micro and Kaspersky Lab. The vulnerability in question, CVE-2013-7331, is an information disclosure flaw that lets a web page query which resources are loaded into memory on the visitor’s system. Attackers can exploit it to detect the anti-malware applications in use on a targeted system.

Microsoft fixed the issue in this month’s security updates, but attackers have been exploiting it in the wild since at least February, when FireEye researchers documented an attack against American military personnel. In that case, the exploit was used to detect the presence of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).

At the time of the attack analyzed by Bromium, Microsoft had not yet patched the vulnerability, and researchers believe the attackers might have tested for the presence of Kaspersky and Trend Micro solutions because they can detect the malware.

Visitors of the oil and gas company’s website ended up redirected to a drive-by download page hosting the Sweet Orange exploit kit, which attempts to exploit Java, Flash and Internet Explorer vulnerabilities in an effort to push malware.

The dropped Trojan uses a Windows folder icon, most likely to avoid raising suspicion. The threat also checks the infected system for the presence of virtual machines, sandboxes and other tools used by security researchers.

The final payload used in this campaign is a Trojan that downloads other pieces of malware from the command and control server to the infected machine.

“The authors of this attack paid a lot of attention to stealthiness, starting from [a] cookie-based redirect and driver fingerprinting to monitoring tools detection. This might narrow down the target audience of the attackers but improve the success rate. Which makes perfect sense – there are plenty of vulnerable machines out there – why bother infecting protected ones?” Kotov said.
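The attack chain above starts with a script planted on the company’s own pages, so the site owner’s first line of defence is noticing that its pages changed. The following is an added example, not code from the article or from Bromium, of a baseline check a web team could run: it inventories the `<script>` tags on a page and flags any external script on a host outside an allow-list, and any inline script whose hash is not in the baseline. The page contents and the `.invalid` hostnames are constructed for the demonstration.

```python
"""Added example: flag script tags on a web page that do not match a baseline.
Not from the article or Bromium; hostnames and HTML below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import hashlib


class _ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of each <script src=...>
        self.inline = []        # body text of each <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # html.parser delivers <script> content as raw text (CDATA mode)
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def inline_hashes(html):
    """SHA-256 of every inline script body; use on a known-good copy as the baseline."""
    p = _ScriptCollector()
    p.feed(html)
    return {hashlib.sha256(b.encode()).hexdigest() for b in p.inline}


def audit_scripts(html, site_host, allowed_hosts, baseline_hashes):
    """Return external scripts on unknown hosts and inline scripts not in the baseline."""
    p = _ScriptCollector()
    p.feed(html)
    unknown_external = []
    for src in p.external:
        host = urlsplit(src).netloc.lower() or site_host   # relative URL -> own site
        if host != site_host and host not in allowed_hosts:
            unknown_external.append(src)
    unknown_inline = []
    for body in p.inline:
        if hashlib.sha256(body.encode()).hexdigest() not in baseline_hashes:
            unknown_inline.append(body[:80])   # first 80 chars for the report
    return {"unknown_external": unknown_external, "unknown_inline": unknown_inline}


# Constructed known-good page: one relative script and one inline snippet.
BASELINE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script>var analytics = true;</script>
</head><body>Welcome</body></html>"""

# Constructed tampered copy: a planted external loader plus an inline
# cookie-set-and-redirect snippet, the pattern described in the article.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="http://static.example.invalid/j.js"></script>'
    "<script>document.cookie='v=1';location.href='http://lp.example.invalid/';</script>"
    "</head>")

SITE_HOST = "www.example.com"           # constructed
ALLOWED_HOSTS = {"cdn.example.com"}     # constructed allow-list of script hosts


def demo():
    """Audit the tampered page against the baseline and return the findings."""
    return audit_scripts(TAMPERED_HTML, SITE_HOST, ALLOWED_HOSTS, inline_hashes(BASELINE_HTML))


if __name__ == "__main__":
    for kind, items in demo().items():
        for item in items:
            print(f"{kind}: {item}")
```

Run it against a fresh fetch of each public page on a schedule and alert on any finding; the baseline hashes are regenerated only when a deliberate deployment changes the inline scripts.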

The investigation into this operation is still ongoing so Bromium could not provide too much information on the attackers. However, it appears the command and control server used in the attack is in Luxembourg.
