Lions at the Watering Hole – The “VOHO” Affair

Categories: Advanced Security, FirstWatch

Collaborative Research by the RSA Advanced Threat Intelligence Team

As part of routine security research, the RSA Advanced Threat Intelligence Team identified a new hacking attack this week that uses a technique that we’ve termed “Watering Hole”.

In the new attack we’ve identified, which we are calling “VOHO”, the methodology relies on “trojanizing” legitimate websites specific to a geographic area which the attacker believes will be visited by end users who belong to the organization they wish to penetrate. This results in a wholesale compromise of multiple hosts inside a corporate network as the end-users go about their daily business, much like a lion will lie in wait to ambush prey at a watering hole.

The details of the attack are still developing, but what we are aware of so far is as follows:

  1. The victim visits a compromised “watering hole” website.
  2. This website, through an injected JavaScript element, redirects the visiting browser to an exploit site.
  3. This exploit site checks that the visiting machine is running a Windows operating system and a version of Internet Explorer, and then exploits the Java client on the visiting host, installing a “gh0st RAT” variant.

Gh0st RAT is a commonly observed Remote Access Trojan that historically has been used by APT attacker groups to perform surveillance and intelligence collection inside networks of interest.  This particular type of operation was documented nicely in the Infowar Monitor’s paper, “Tracking GhostNet”.

Among other capabilities, the gh0st RAT malware has the ability to surreptitiously operate the webcams and microphones on compromised PCs.

Emerging Details:

In the VOHO campaign, the attacker compromised, likely through stolen FTP credentials, a number of legitimate websites.  These websites generally served two geographic areas:

  • Massachusetts
  • Washington, DC

These legitimate websites are geared around commonly accessed services in these industry verticals:

  • Financial Services
  • Technology Services

Based on our initial analysis of server logs, this attack caused approximately 32,000 individual hosts to visit the attack site, inside over 4,000 unique organizations worldwide and across multiple industry verticals including:

  • State and Federal Government
  • Educational Institutions
  • Defense Industrial Base
  • Technology

If successfully compromised, the gh0st RAT variant on the infected PC checks into a C2 site at 58.64.155.59, an IP address located in China. This IP address has not historically been observed to be involved in malicious activity.

Communication occurs over ports 80, 443, and 53 and initial communication can be recognized via the presence of the string “HTTPS” in the initial payload, although the traffic is not valid HTTPS traffic.

While RSA’s efforts for this investigation are ongoing, individuals and organizations can determine their potential involvement in this attack by looking for traffic to either: 58.64.155.59 (which would originate from a compromised machine) or Torontocurling.com (which would originate from a machine going through the exploit system).
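The following is an added example, not part of RSA's post or tooling: it applies the indicators given above (the C2 address, the Torontocurling.com domain, the 80/443/53 ports and the “HTTPS” string in a payload that is not real HTTPS) to a constructed connection log and to sample first-payload bytes, labelling each hit by the stage of the attack it corresponds to. The log format and the 32-byte window for the string check are assumptions made for the example.

```python
# Constructed sample connection log (not real data): "src dst dport host".
SAMPLE_CONN_LOG = """\
10.1.2.3 93.184.216.34 443 example.com
10.1.2.7 58.64.155.59 443 -
10.1.2.9 198.51.100.5 80 www.torontocurling.com
10.1.2.7 58.64.155.59 53 -
"""

# Indicators from the post: the C2 address, the exploit-site domain and the
# ports over which the RAT communicates.
VOHO_C2_IP = "58.64.155.59"
VOHO_EXPLOIT_DOMAIN = "torontocurling.com"
VOHO_PORTS = {80, 443, 53}
TLS_RECORD_PREFIX = b"\x16\x03"  # TLS handshake record header (SSL 3.x/TLS 1.x)


def classify_connection(dst_ip, dport, host):
    """Label one connection record by the VOHO stage it matches, or None."""
    if dst_ip == VOHO_C2_IP and dport in VOHO_PORTS:
        return "rat_checkin"        # compromised host beaconing to the C2
    h = host.lower().rstrip(".")
    if h == VOHO_EXPLOIT_DOMAIN or h.endswith("." + VOHO_EXPLOIT_DOMAIN):
        return "exploit_redirect"   # browser was sent through the exploit site
    return None


def scan_conn_log(text):
    """Map each internal source IP to the set of VOHO stages observed for it."""
    hits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                # skip malformed records
        src, dst, dport, host = parts
        label = classify_connection(dst, int(dport), host)
        if label:
            hits.setdefault(src, set()).add(label)
    return hits


def inspect_initial_payload(dport, payload):
    """Check the first bytes a client sends, for flows that miss the IP/domain
    indicators. The post says the check-in carries the literal string 'HTTPS'
    but is not real HTTPS; a genuine TLS client opens with a handshake record."""
    if b"HTTPS" in payload[:32]:    # 32-byte window is an assumption
        return "voho_marker"        # string the post associates with the check-in
    if dport == 443 and not payload.startswith(TLS_RECORD_PREFIX):
        return "non_tls_on_443"     # worth a look even without the marker
    return None
```

A host that shows up with both labels has gone through the exploit site and then beaconed, which is the sequence the post describes.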

More information to come!

The RSA Advanced Threat Intelligence Team is a research and analysis organization focused on emerging, sophisticated threats globally.  The RSA team is made up of Principal Researcher Alex Cox; Principal Technologist Jon McNeil; and Consulting Security Engineer Chris Harrington. The team is led by RSA Senior Threat Research and Intelligence Manager Will Gragido.

Author: Will Gragido

Mr. Gragido possesses over 18 years of information security experience. A former United States Marine, Mr. Gragido began his career in the data communications, information security and intelligence communities. After the USMC, Mr. Gragido worked within several information security consultancy roles performing and leading red teaming, penetration testing, incident response, security assessments, ethical hacking, malware analysis and risk management program development. Mr. Gragido has worked with a variety of industry leading research organizations including International Network Services, Internet Security Systems / IBM Internet Security Systems X-Force, Damballa, Cassandra Security, HP DVLabs, and now RSA NetWitness. Will has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and a strong desire to see the industry mature and enterprises & individuals become more secure. Will is a long-standing member of the ISC2, ISACA, and ISSA. Mr. Gragido holds the CISSP and CISA certifications, as well as accreditations in the National Security Agency's Information Security Assessment Methodology (IAM) and Information Security Evaluation Methodology (IEM). Additionally, Mr. Gragido is a Faculty Member of the IANS Institute where he specializes in advanced threat, botnet, and malware analysis. Mr. Gragido is a graduate of DePaul University and is currently preparing for graduate school. He is the co-author of Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats and is currently hard at work on a new book due out in the summer of 2012.