Malware used to attack Department of Labor website; the site was compromised to target Department of Energy workers


The Department of Labor website was compromised using malware that exploited an Internet Explorer zero-day vulnerability. The attack looks similar to the earlier attacks targeting CFR and Chinese dissidents.

As per FireEye,

This particular exploit checks for OS version, and only runs on Windows XP. The exploit constructs a ROP chain on non-ASLRed msvcrt.dll, and we verified it could also work against IE8 on Windows 7. So we believe there should be some other exploits targeting IE8 on Windows 7.

Invincea reported that the Department of Labor website was compromised to redirect visitors to a site serving IE8 exploits that install the Poison Ivy backdoor Trojan. The websites of Apple and Facebook were attacked via a Java zero-day vulnerability in a manner similar to the current attack on the DoL website.

Invincea posted,

The web pages that were compromised on the DoL site are intended for Dept of Energy employees (and their DoL representatives) dealing with nuclear-related illnesses linked to Dept of Energy facilities.

This confirms that the attack on DoL was intended to obtain or compromise the details of DoE employees. AlienVault reported that the C&C protocol used in this attack matches that of the Chinese APT group DeepPanda, which has previously been analyzed by CrowdStrike.

Microsoft was notified of the issue and has released a security advisory for it.

Sources: FireEye, Invincea
