Democracy in Hong Kong Under Attack
October 9, 2014
Compromised Pro-Democratic Hong Kong Websites
Warning: Many of these websites may still be compromised and present a risk to visitors. Browse with caution.
Alliance for True Democracy - Hong Kong
The domain name java-se.com is known bad and associated with APT activity. At the time of this post, the domain is hosted on the Japanese IP address 22.214.171.124.
7506 | 126.96.36.199/20 | INTERQ | JP | GMO.JP | GMO INTERNET INC.
Volexity has yet to actually see the contents of the file o.js, as the websites has continuously returned HTTP 403 responses each time it was requested. The file was requested from IP addresses throughout Asia without ever returning valid content. It's unclear if this code is activated at certain times or if there is a whitelist of IPs restricting access to the file to specific targets. This same code has also been observed being served from another Hong Kong website described in the next section.
While examining the ATD website, Volexity also observed that the site had a password protected backdoor webshell placed on it. This is a fairly popular webshell that Volexity has encountered on several occasions when dealing with website compromises. Volexity refers to this shell as the Angel Webshell, named after its default password of "angel". The shell will simply display the text "Password:", a text input box, and a Login button. A screen shot of the webshell as observed on the ATD website can be seen below.
Despite the shell being written in PHP and only displaying a simple Login prompt, it is easy to identify the Angel webshell based on unique components of its viewable HTML source code. The HTML source of this page is displayed in the following image.
While Volexity operates under the assumption attackers have placed webshells on webservers they have compromised, in this particular instance it can be seen with certainty. Attackers will often upload new webshells or add simple China Chopper style modifications to legitimate existing files in an attempt to maintain persistence to these systems.
Democratic Party Hong Kong
In the last week, Volexity also observed both the English and Chinese language websites for the Democratic Party Hong Kong compromised with the same malicious code found ont he ATD website (www.dphk.org | eng.dphk.org). DPHK is a pro-democracy political party in Hong Kong. Like the ATD website, at the time of this writing the DPHK websites are also serving up malicious code, so please browse with caution. During our research for this post, we also became aware of multiple public reports related to the compromise of the DPHK website on both Twitter and via ThreatConnect. Our good friend Claudio Guarnieri posted the following tweet on October 3, 2014
The website of the Democratic Party of Hong Kong has been compromised and still is. Let them know.
It is also worth noting that this is not the first time that the DPHK website has been used in a strategic web compromise. Back in May 2011, Kaspersky Lab reported the website was being leveraged to target users with Flash Exploits. The DPHK appears to be of high value with respect to targeting visitors.
People Power - Hong Kong
Those links, with the exception of the first one, all redirect to exploit pages on the Hong Kong IP address 188.8.131.52.
|URL||Meta Refresh Page|
|hXXp://985.so/bUYj||N/A (HTTP 404)|
These pages load scripts that conduct profiling of the system for various software, plugins, and other related information, as well as load Java exploits designed to install malware on the target system. If successful, the exploits will install either a 32-bit or 64-bit version of the malware. Both files are found within the Java Archives files. Below are details on each of the malware files.
File size: 13824 bytes
MD5 hash: 1befa2c2d1bfc8e87d52871c868f75fe
SHA1 hash: 8f81bb0bfa6b3ebf3ef4ea283b23a5ccae5b6817
Notes: 32-bit version of malware, which beacons to 184.108.40.206:443.
File size: 15872 bytes
MD5 hash: a482a84d13c76b950ce5bc7e75f4edef
SHA1 hash: c0a4b9145e0066f5c1534beddc9c666ea8eb0882
Notes: 64-bit version of malware, which beacons to 220.127.116.11:443.
At the time of this writing, the People Power website is still serving up malicious code. Volexity recommends avoiding this website and/or browsing with caution. Volexity believes a separate group of attackers is responsible for this exploit activity and that they are not affiliated with the java-se.com operations.
The Professional Commons - Hong Kong
The URL in question points to:
This link does not work and will redirect a visitor back to the main page of the website. There does not appear to be any reason for the Professional Commmons website to have a hidden iFrame link randomly placed in the middle of its HTML code. It is suspected that this was a formerly active exploit URL. If it is actually malicious, it is possible the code could be re-activated at any time. Volexity recommend the URL and the Professional Commons website be browsed with caution.
High Profile Compromised Japanese Website
The Japanese Nikkei
7506 | 18.104.22.168/22 | INTERQ | JP | GMO.JP | GMO INTERNET INC.
Live Exploits, Stolen Certificates, and Signed Malware
While tracking this APT activity, Volexity has also come across other seemingly unrelated compromises of websites in Hong Kong and Japan associated with the java-se.com activity. Despite several sites being compromised, the above activity tied to java-se.com did not result in the successful capture of actual exploit code or malware. However, research into other websites and activity involving java-se.com did lead Volexity to live exploits and malware. In particular Volexity came across live exploit code hosted at jdk-7u12-windows-i586.java-se.com on the Japanese IP address 22.214.171.124.
7506 | 126.96.36.199/20 | INTERQ | JP | GMO.JP | GMO INTERNET INC.
As can be seen in the image above, this popup could be misconstrued by a user as an update to Java despite the java-se.com domain and the Publisher being listed as WindySoft. Interestingly the Java Archive being loaded is digitally signed by a certificate issued to WindySoft, an online gaming company from South Korea. We cannot confirm this certificate actually belonged to WindySoft at any point in time, however, there is fairly established precedent of certificates from online gaming companies being used to digitally sign malware and attack tools.
PlugX Strikes Again - Digitally Signed & Using 163.com Blogs
As one might expect, choosing to press the Run button would be bad news for someone presented with this prompt. If one were to click Run from this prompt, it would result in the file css.jpg being download over an encrypted channel from a folder on https://elsa-jp.jp. Note that elsa-jp.jp is a website hosted on the same IP address jdk-7u12-windows-i586.java-se.com and is likely compromised. The file css.jpg is of course not a JPEG file, it is an executable that has been encoded with the single-byte XOR key 0xFF.
File size: 168776 bytes
MD5 hash: b3a9e6548fb3cc511096af4d68b2e745
SHA1 hash: 394703d1240ccd3aaeeef50c212313e3036741b1
Notes: Executable file downloaded by Java Applet that has been encoded with XOR 0x99
Taking a closer look at the resulting executable we have, it turns out it is a newer sample of PlugX. In this particular sample an interesting and notable string was observed:
Also of interest is that as observed from the Java Applet, the executable is also digitally signed by a certificate issued to "WindySoft."
Upon execution the malware sample immediately does a DNS resolution for the following hostname:
The PlugX sample connects to the blog and parses the page for a command for where to connect to next. This is very similar to the method described by FireEye in their blog on Operation Poisoned Hurricane. The primary difference being that the attackers opted to use a 163.com Blog over a Google Code page to embed the command. Taking a closer look at the Blog page the following post is observed:
The primary string to focus on is in the title of the post: DZKSCAAAAJPBBDHDDDOCCDFDFDOCCDBDHDOCHDHDDZJS
Using the same decoding routine describe by Cassidian in a PlugX post of theirs from earlier this year, we can see this command decodes to instruct the malware to connect to a U.S.-based Linode IP address at Hurricane Electric: 188.8.131.52.
6939 | 184.108.40.206/20 | HURRICANE | US | LINODE.COM | LINODE
A look at passive DNS identifies several hostnames that recently resolved to the IP address. The ones that still resolve to the IP are listed below:
These hostnames may be related but at the time of this writing we have not seen them in use in malware and are unable to confirm.
As we have seen for several years now, dissenting groups, especially those seeking increased levels of freedom frequently find themselves targeted for surveillance and information extraction. In the digital age, a strategic web compromise (exploit drive-by) has become a key weapon of choice for to conduct such operations. These types of attacks are far from overt, as a typical target and victim opted to go on their own to what they believe should be a safe and trusted website. In the case of this post, it appears that at least two different attackers were involved in compromising and placing malicious code on Pro-Democratic websites in Hong Kong. This is not the first time and surely will not be the last time that those in favor of democracy in Hong Kong will be targeted. Unfortunately with the level of access and infrastructure the attackers appear to have, this is quite an uphill battle. Continuing to expose these attack is one means that shines light on these attack operations with an aim at putting a dent in their success.