A malware campaign is targeting users on specific Taiwanese government network ranges, using compromised websites and networks to install a backdoor malware, a new variant of IXESHE.
Security firm Zscaler dubbed the entire web-based campaign CNACOM, and said that it appears to be related to APT12, a well-known Chinese government-backed actor more commonly associated with spear-phishing attacks.
On November 7, the Zscaler team spotted a malicious injection on the registration page of a major Taiwanese public service website.
“An iframe was injected into the footer of the page, which then loaded a unique landing page containing the CVE-2016-0189 exploit code,” researchers explained in a technical analysis.
When a user visits the compromised website, the injected iframe loads an attack landing page, where fingerprinting code confirms that the visitor is on a targeted network. The visitor's IP address is checked against Taiwanese government network ranges, and if the visitor is coming from one of nine targeted networks and is using any version of Internet Explorer, exploitation will be attempted.
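As an added example (not code from the Zscaler report), the following check is one a site owner could run over their own pages to spot the kind of footer iframe injection described above: it flags iframes that point off-origin, are hidden or zero-sized, or sit inside the page footer. The sample HTML and the hostnames in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collects every <iframe> and records whether it sits inside a <footer>."""

    def __init__(self):
        super().__init__()
        self.footer_depth = 0
        self.iframes = []  # list of (attrs_dict, inside_footer)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes become ""
        if tag == "footer":
            self.footer_depth += 1
        elif tag == "iframe":
            self.iframes.append((a, self.footer_depth > 0))

    def handle_endtag(self, tag):
        if tag == "footer" and self.footer_depth:
            self.footer_depth -= 1


def _is_hidden(attrs):
    """True for zero-sized or CSS-hidden frames, a common trait of injected iframes."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = {"0", "0px"}
    return (attrs.get("width", "").strip() in zero
            or attrs.get("height", "").strip() in zero
            or "display:none" in style or "visibility:hidden" in style)


def find_suspicious_iframes(html, page_url):
    """Return [{'src': ..., 'reasons': [...]}] for iframes worth a closer look."""
    page_host = urlparse(page_url).hostname
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs, in_footer in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if urlparse(src).hostname not in (None, page_host):
            reasons.append("off-origin src")
        if _is_hidden(attrs):
            reasons.append("hidden/zero-size")
        if in_footer:
            reasons.append("inside footer")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: a legitimate same-origin frame plus an injected footer frame.
PAGE_URL = "https://www.example-gov.test/register"
SAMPLE_HTML = """<html><body><h1>Registration</h1>
<iframe src="https://www.example-gov.test/captcha" width="300" height="80"></iframe>
<footer>Contact us
<iframe src="http://landing.invalid/x.html" width="0" height="0" style="display:none"></iframe>
</footer></body></html>"""
```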
Vulnerable users are infected with IXESHE, which collects information such as the Windows username, hostname, local IP address and Windows version, and then establishes persistence as a backdoor.
“IXESHE is a family of backdoor malware known to be utilized by an attack group identified by various names including the IXESHE label, APT12, Numbered Panda, and DynCalc,” Zscaler researchers said. “Unlike many historical IXESHE samples, it appears that this variant doesn't utilize campaign codes embedded in the malware itself. This may be due to a more centralized tracking system that only relies on the malware reporting a machine ID.”
This sample uses almost the same communication techniques as previous variants, with the addition of SSL. The server presents a self-signed certificate with short, random-looking strings in its informational fields.
As for attribution, Zscaler said that it’s similar to an “exploitation campaign active in August 2015 that appears to have utilized the HackingTeam Flash exploit for CVE-2015-5122, though the landing page at that time targeted a different set of Taiwanese government networks. Whether or not the threat actor behind this campaign is actually the group named APT12, the targeting of Taiwanese government networks and the similarity of this strain to historic IXESHE samples provide strong reasons for suspicion.”