In the world of Phishing emails, we often see schemes which involve enticing users to open a malicious document, sometimes disguised as a form of some sort. In the world of web attacks, we see less of these, as it usually takes a lot more to convince a user casually browsing the internet to download and open a document. But what if the user is visiting a government site where forms are generally in abundance? It looks like this time attackers decided to try their luck and find out.
At the end of October 2018, we saw a block in our Trustwave Cloud SWG product for a government facility domain. An examination into the block showed that the reason was the presence of the CoinImp web miner on the site. Now, we’ve been seeing a lot of web miner injections throughout 2018 so on the surface this case didn’t seem like anything special.
The same domain, however, drew our attention again at the beginning of January of 2019, when we once more saw a detection from CSWG for that domain, but this time for a Microsoft Word document with an embedded malicious EPS script.
After a closer investigation we saw that the Bangladesh embassy in Cairo website appears to be under control of intruders. Attempts to access almost any URL on the website ends with a request to save a file, with only a few pieces of content (like the visa application form file) still accessible:
Figure 1: Real visa application form on the site (left) and every other page on the site returning a malicious document (right)
This level of compromise usually indicates the attacker’s ability to not only upload their own data, but also change the web server’s configuration.
Despite this, it looks like detection rates for this malicious page are low:
Figure 2: VirusTotal scan results for the URL
This office document contains an EPS file and exploits a use-after-free vulnerability, CVE-2017-0261. It seems that the EPS file was modified at the end of October 2018, which coincides with the timeline of the first infection dates we noticed. This could, of course, be a coincidence and we can never know the attacker’s intentions with certainty, but it’s possible that after running wider infection campaigns infecting sites with a web miner, the attacker looked through their victims to find more interesting targets to leverage further.
Once the EPS file is executed two binaries are extracted which exploit CVE-2017-7255, one for each of x86 and x64 architectures, this exploit provides privilege escalation for the execution of the main payload.
Finally, the Godzilla loader is dropped. The loader then gathers information about the infected machine, checks for internet connectivity by attempting to reach out to Wikipedia.org, and given that connectivity is possible, communicates back with the C2 server.
Figure 3: The Godzilla loader administration panel
Once communication is established with the C2 server, further executables can be dropped at the attacker’s will, in our case an additional downloader which downloaded a cryptominer was the selected payload.
It is possible that the intruders who injected the web miner into the site decided to make a shift from web mining to machine infection in order to install a more persistent cryptominer on victim machines.
A couple of indicators in this incident tell us that despite this being an embassy site, this is not an APT performing a sophisticated attack: The infection is very noisy (the site is essentially not functioning as a result of the attack), and the downloaded file was not particularly tailored to the site (a generic “conference details” name with a blank document opening).
Despite this lack of sophistication, we need to consider the potential of such an attack: An embassy site is, for all intents and purposes, a government site. This attacker was not an APT, but they could have been. The attack may not have been sophisticated, but it could have been. The fact that a non-sophisticated attacker managed to compromise a government site raises even more concern, if anything, and the potential harm under those conditions is much greater than a cryptominer infection.
We contacted the compromised domain and alerted them about the infection, unfortunately at the time of publishing this blog the site remains infected.
Trustwave SWG customers are protected from the malicious document, the malicious payloads and the attempts to communicate with Godzilla C2 server: