Amnesty International UK website: compromised to serve Gh0st RAT

Between May 8 and 9, 2012, the Websense® ThreatSeeker® Network detected that the Amnesty International United Kingdom website was compromised. The website was apparently injected with malicious code for these 2 days. During that time, website users risked having sensitive data stolen and perhaps infecting other users in their network. However, the website owners rectified this issue after we advised them about the injection. In early 2009, we discovered this same site was compromised, and in 2010, we reported another injection of an Amnesty International website, this time the Hong Kong site.

In the most recent case, we noticed that the exploit vector used was the same Java exploit (detailed in CVE-2012-0507) that has been used worldwide, and which has become somewhat infamous as the cause of the recent massive Mac OS X infection with Flashback

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.

The following is a screen shot of the detected code injection:

                                         

In the screen shot, we can see the similarities between this injection and the INSS injection we reported last week. This clearly shows the use of the Metasploit framework and the precise name of the Java class used. In addition, the associated JAR file is a well-known vector exploit for the CVE-2012-0507, as shown below:

Once the exploit is successful, a file download is initiated for an executable from this URL: "hxxxp://www.48groupclub.org/images/uploads/image/sethc.exe" - MD5 : 3EC4DE9EF2E158473208842F4631236A

 Further analysis shows that when the "sethc.exe" file is executed on the compromised system, it creates a new binary file in the Windows system directory: C:\Program Files\......  

The ruse appears credible because the executable file has been signed by a "valid" certificate authority (CA), as shown below: 

Through further research we learn that this certificate has been in use for a while and does not appear to have been revoked at the time of this latest exploit activity.

Analyzing this low AV detected binary file, we recognize that this is a variant of the well-known Remote Administration Tool Gh0st RAT, which is used mainly in targeted attacks to gain complete control of infected systems. With this control, the remote administrator has access to a user's files, email, passwords, and other sensitive personal information. Following is the initial network capture with Wireshark between a compromised system and the remote administration center, which reveals the header information of the traffic (pay particular attention to the starting keyword "gh0st"), confirming the use of Gh0st RAT:

 The Remote Administration Center commands to the compromised system originate from this address: shell.xhhow4.com. At the time of this writing, the address is still active.

Published by:

CWZ's picture

Name
Reza Rafati

Information
I am the founder of Cyberwarzone.com and I focus on sharing and collecting relevant cyberconflict news., The goal of Cyberwarzone is to provide the world a portal with global cyberwar information. The effort in getting this cyberwarfare information is hard. But as the internet is growing we need to get an global cyberwar & cybercrime monitoring system., By the people and for the people. We will be gathering information about Cybercrime, Cyberwarfare and hacking. LinkedIn: http://www.linkedin.com/pub/reza-rafati-%E2%99%82/1a/98b/197

Country
The Netherlands

My website
Cyberwarzone.com

Twitter:
http://twitter.com/#!/cyberwarzonecom