Hacktivists Get Serious with Remote Code Malware

Security experts are warning of a new hacktivist campaign which goes further than merely defacing websites, by linking to malware which could allow for remote code execution by an attacker.

The group in question claims to be part of the ‘AnonGhostTeam’ collective which has targeted government and mass media sites in the past, Zscaler security researcher Chris Mannon explained in a blog post.

However, unlike those simple defacements, a recent batch of compromised sites contains a malicious link in the defacement message to a "lulz.htm" page. This apparently contains obfuscated JavaScript code  which then leads users to a Dokta Chef Exploit Kit (EK) hosting site.

“This appears to be a new tactic whereby a hacktivist group has escalated their activities by attacking users who visit defaced sites,” said Mannon.

“This is out of character for such groups that generally seem more interested in disrupting private sector compliance with government entities, than targeting end users.”

Dokta was serving up a malicious payload for recently disclosed Microsoft vulnerability CVE-2014-6332, which was fixed earlier this month with bulletin MS14-064.

This can cause remote code execution if the victim visits a specially crafted webpage using Internet Explorer. The flaw is triggered when IE improperly accesses Object Linking and Embedding (OLE) objects in the memory, Mannon explained.

The attackers are focusing only on 32-bit Windows users and IE, with the exploit code crafted to ensure the cycle is terminated if it’s detected that the machine is not using IE or Windows, or is a 64-bit system.

“At the time of research, the end payload was not reachable, but the VirusTotal Scan of the hostname shows a history of dubious activity,” said Mannon.

Hacktivism is nothing new, but this latest campaign represents a menacing new edge to what are usually pretty innocuous attacks.

At the other end of the spectrum, Thursday saw the Syrian Electronic Army compromise several news sites by tampering with the DNS entry for comment platform Gigya.

The attack merely consisted of displaying a message on the affected sites and in some cases redirecting users to an Imgur site hosting an SEA logo.

What’s Hot on Infosecurity Magazine?