Thoufique Haq and Yasir Khalid at FireEye found that the attack makes use of the CVE-2013-1288, MS13-021 vulnerability, and has been used in two hacked Chinese news websites known to promote dissidence against the Chinese government.
“This is clearly a targeted attack on a very narrow portion of the Chinese populous,” the researchers said in a blog post. “However, since cyber-attackers are quick copycats, we expect this exploit to be replicated quickly.”
Based on the similarity in tools, techniques and procedures, the two believe the threat actor is the same as the one behind previous watering hole attacks targeting activists and people with certain political affiliations. In the forensics, “it is evident right away that there are similarities in the URI scheme and the exploit naming convention for Java attacks for the U.S. university and Chinese news site attacks," the noted. "They both use AppletHigh.jar and AppletLow.jar. Similar RAT payloads were used in previous campaigns.”
As for who may be behind the attacks, the only evidence is the fact that they appear to be politically motivated. “In the past this campaign has used various hacked websites such as the Council on Foreign Relations or CFR, Reporters Without Borders, and a leading American university (that we cannot name),” they wrote. “In general, based on our observations, this watering hole attack is like many others we have observed: highly targeted and hard to trace – indicative of a very sophisticated attacker.”
For the attacker, the watering hole approach is highly attractive since it is very difficult to discover the attacker’s identity, the researchers said. “Moreover, this attack is a form of social engineering, leveraging the fact that the target group visits specific websites. By exploiting these watering holes the attacker benefits by investing little time in targeting.”
The attackers are employing a multi-layered approach. Leveraging the zero-day exploits and fresh exploits, they use a hacked website (in this case, a hacked religious website) to host exploit code and the malware payload, and also a second stage of payload, which makes it very hard to trace the origin of the attack. The second stage of payload is encrypted and downloaded from a 404-like response page, and is injected dynamically. This injected second stage payload is a Backdoor PoisonIvy RAT also discovered in other similar watering hole campaigns. This code attempts to connect to a remote server in Hong Kong.
Once they shut down the operation, it’s hard to trace the attacker’s intention.
Also, “It takes tremendous effort to compromise websites relevant to the target group,” said Haq and Khalid. “It would require knowledge of web application security.”
Chinese dissident or not, FireEye urges IE 8 users to install a patch immediately or upgrade their browsers to new versions.