As I announced you on Twitter, this blog post will present targeted attacks who have start mid-September and wasn’t discussed or presented in public. These attacks have end around mid-October.
— Eric Romang (@eromang) December 29, 2012
The Space Foundation is a nonprofit organization that supports the global space industry through information and education programs. It is a resource for the entire space community – industry, national security organizations, civil space agencies, private space companies and the military around the world. It also supports educators, students and journalists with information and education programs.
Reporters Without Borders (RWB) is a French-based international non-governmental organization that advocates freedom of the press and freedom of information. Reporters Without Borders is also known as RSF, and RSF Chinese is a dedicated web site for Chinese news in Chinese language.
The watering hole attack was done through different files and by a dedicated centralized backend named “Jsbug“.
Description of the watering hole attack
“rsf.php” script only provide content if parameter “id=1024” is present. This script load through an iframe call “ie.html” file. “rsf.php” is the equivalent of “exploit.html” in the CVE-2012-4969 0day found in mid-September.
If Windows XP is used, and language is “en-us“, “zh-cn“, “zh-tw“, “ko” or “ja” (hum hum CVE-2012-4792…), then the vulnerability is triggered.
If Windows 7 is used and Java 6 is installed, then the vulnerability is triggered. A spray base value is provided in the code for Internet Explorer 9 , but “count.php” has filter the targeted browsers.
Once the vulnerability is triggered, “917.exe” (6b4aa596e5a4208371942cdb0e04dfd9) file is installed. This malware is known as “Trojan-Dropper.Win32.Dapato.bscc“.
A interesting point regarding “ie.html” file, this file was dating of 19 September.
Some facts regarding CVE-2012-4969 :
- Vulnerability was discovered exploited in the wild, with a Flash variant, the 14 September.
- Metasploit PoC was provided the 17 September.
- Microsoft Security Advisory MSA-2757760 was published the 17 September.
- Microsoft patch was provided in MS12-063 the 21 September.
But you will see, through the next chapter, that the attack has began the 18 September.
“count2.php” script and Jsbug backend usage
“count2.php” script is loaded in any cases for statistics purposes. This script will create and check two cookies “stat_cookie” and “stat_time“, gather version of Adobe Flash, presence of Oracle Java and HTTP referrer. All these informations are send back to the same script with parameters.
All these informations are stored in a backend named “Jsbug“. This backend is quiet simple, only three menus “Client statistics“, “Report” and “Create Exploit“. The backend doesn’t have any external css or images files, and is typically composed of minimum three PHP scripts.
Login page of the backend is also quiet simplistic, no page title, no text in the page, and this logic of simplicity make it harder to discover through Google searches.
“Client statistics” menu will direct you on a recap page, of all visitors who have load “count2.php“, with OS type, browser type and version, version of Adobe Flash, version of Oracle Java, IP address, HTTP referer, number of visits, first visite and last visite date.
In the case of the Space Foundation watering hole attack, the first date are beginning 18 September.
In the case of RSF Chinese watering hole attack, the first date are beginning 19 September.
These attacks have ended around mid-October.
“Report” menu will direct you on a statistics page, of all visitors.