Tweet

We have found evidence that the human rights organization found affected by a website compromise is not the only intended target for the attack.

The website was said to have an iframe that redirected users to another compromised site in Brazil. The site executed a malicious Java applet detected as JAVA_DLOAD.ZZC. JAVA_DLOAD.ZZC leverages a vulnerability in Java CVE-2011-3544 to install TROJ_PPOINTER.SM, which in turn drops BKDR_PPOINTER.SM. BKDR_PPOINTER.SM connects to a certain URL to send and receive commands from the attacker. It is also capable of gathering certain information about the affected system.

Based on our investigation, it seems that the initially reported affected organization is just one of the targets in this attack and that the attack itself is fashioned specifically for the targets. We studied the related files and URLs, and found that the string related to the human rights organization was used as the name for both the inserted folder and file in the compromised Brazilian website:

• hxxp://{BLOCKED}.com.br/cgi-bin/ai/ai.html
• hxxp://{BLOCKED}.com.br/cgi-bin/ai/ai.jar

Furthermore, the code of the file retrieved from the URLs above indicate that it was a payload specifically intended for the said human rights organization, as it has related strings mentioned in its code:

Trend Micro Researcher Nart Villenueve checked on this, and found other folder and file combinations hosted on the same compromised website, but with different strings. This strongly suggests the existence of other targets.

• hxxp://{BLOCKED}.com.br/cgi-bin/hk/hk.html
• hxxp://{BLOCKED}.com.br/cgi-bin/hk/hk.jar
• hxxp://{BLOCKED}.com.br/cgi-bin/so/so.html
• hxxp://{BLOCKED}.com.br/cgi-bin/so/so.jar
• hxxp://{BLOCKED}.com.br/cgi-bin/OM/om.html
• hxxp://{BLOCKED}.com.br/cgi-bin/OM/om.jar

The files retrieved from these URLs also had the same strings in their code, similar to the AI case we’ve explained before. The said malicious files are now also detected as JAVA_DLOAD.ZZC and BKDR_PPOINTER.SM.

Trend Micro products provide protection against this type of attack through the Trend Micro™ Smart Protection Network™ infastructure. Also, Deep Security and OfficeScan™ with Intrusion Defense Firewall (IDF) plug-in protects users through the rule Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability. Meanwhile, Threat Discovery Appliance (TDA) detects the traffic related to the forwarding of the information obtained by BKDR_PPOINTER.SM as HTTP_REQUEST_PPOINTER.

The home page of the affected human rights organization has been a target at least a couple of times within the past several months, showing how determined cybercriminals are to target the frequent visitors of this site. As of this writing, the site is clean of the malicious code. Site owners of special interest sites catering to particular demographics, organizations or groups of like-minded individuals should be just as cautious about these kinds of attacks as corporations and businesses.