Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Services
Capture
Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

twi-cloud-lock-color-svg
Managed Security Services

Expand your team’s capabilities and strengthen your security posture

twi-briefcase-color-svg
Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

twi-dashboard-color-svg
Penetration Testing

Subscription- or project-based testing, delivered by global experts

twi-database-color-svg
Database Security

Get ahead of database risk, protect data and exceed compliance requirements

twi-email-color-svg
Email Security & Management

Catch email threats others miss with layered security & maximum control

twi-managed-portal-color
Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Bangladesh Embassy Website in Cairo Compromised

In the world of Phishing emails, we often see schemes which involve enticing users to open a malicious document, sometimes disguised as a form of some sort. In the world of web attacks, we see less of these, as it usually takes a lot more to convince a user casually browsing the internet to download and open a document. But what if the user is visiting a government site where forms are generally in abundance? It looks like this time attackers decided to try their luck and find out.

At the end of October 2018, we saw a block in our Trustwave Cloud SWG product for a government facility domain. An examination into the block showed that the reason was the presence of the CoinImp web miner on the site. Now, we’ve been seeing a lot of web miner injections throughout 2018 so on the surface this case didn’t seem like anything special.

The same domain, however, drew our attention again at the beginning of January of 2019, when we once more saw a detection from CSWG for that domain, but this time for a Microsoft Word document with an embedded malicious EPS script.

After a closer investigation we saw that the Bangladesh embassy in Cairo website appears to be under control of intruders. Attempts to access almost any URL on the website ends with a request to save a file, with only a few pieces of content (like the visa application form file) still accessible:  

Embassy compromised pageFigure 1: Real visa application form on the site (left) and every other page on the site returning a malicious document (right)


This level of compromise usually indicates the attacker’s ability to not only upload their own data, but also change the web server’s configuration.

Despite this, it looks like detection rates for this malicious page are low:

scanning results

Figure 2: VirusTotal scan results for the URL


This office document contains an EPS file and exploits a use-after-free vulnerability, CVE-2017-0261. It seems that the EPS file was modified at the end of October 2018, which coincides with the timeline of the first infection dates we noticed. This could, of course, be a coincidence and we can never know the attacker’s intentions with certainty, but it’s possible that after running wider infection campaigns infecting sites with a web miner, the attacker looked through their victims to find more interesting targets to leverage further.

Once the EPS file is executed two binaries are extracted which exploit CVE-2017-7255, one for each of x86 and x64 architectures, this exploit provides privilege escalation for the execution of the main payload.

Finally, the Godzilla loader is dropped. The loader then gathers information about the infected machine, checks for internet connectivity by attempting to reach out to Wikipedia.org, and given that connectivity is possible, communicates back with the C2 server.

Godzilla panel

Figure 3: The Godzilla loader administration panel


Once communication is established with the C2 server, further executables can be dropped at the attacker’s will, in our case an additional downloader which downloaded a cryptominer was the selected payload.

It is possible that the intruders who injected the web miner into the site decided to make a shift from web mining to machine infection in order to install a more persistent cryptominer on victim machines.

A couple of indicators in this incident tell us that despite this being an embassy site, this is not an APT performing a sophisticated attack: The infection is very noisy (the site is essentially not functioning as a result of the attack), and the downloaded file was not particularly tailored to the site (a generic “conference details” name with a blank document opening).

Despite this lack of sophistication, we need to consider the potential of such an attack: An embassy site is, for all intents and purposes, a government site. This attacker was not an APT, but they could have been. The attack may not have been sophisticated, but it could have been. The fact that a non-sophisticated attacker managed to compromise a government site raises even more concern, if anything, and the potential harm under those conditions is much greater than a cryptominer infection.

We contacted the compromised domain and alerted them about the infection, unfortunately at the time of publishing this blog the site remains infected.

Trustwave SWG customers are protected from the malicious document, the malicious payloads and the attempts to communicate with Godzilla C2 server:

Trustwave Secure Web Gateway



Latest SpiderLabs Blogs

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More

Pwning Electroencephalogram (EEG) Medical Devices by Default

Overall Analysis of Vulnerability Identification – Default Credentials Leading to Remote Code Execution During internal network testing, a document was discovered titled the “XL Security Site...

Read More

Hidden Data Exfiltration Using Time, Literally

I was looking at my watch last week and my attention was moved towards the seconds over at the right of the watch face, incrementing nicely along as you’d expect. Now, I don’t know if I’d just spent...

Read More