US Government Site Unwittingly Hosting Malware – NewSky Security
Introduction: With ever-improving spam filters and blacklisting deployed as security solutions, it is becoming harder for attackers to kick off the first phase of an attack cycle. Security solutions often blacklist an entire range of IP addresses, and the potential target is spared the attack because the site is blocked before they ever visit it. To counter this, attackers focus on hosting malware in legitimate places, such as Google Docs or websites that are “known/proven clean”. As it turns out, one ideal scenario for an attacker would be to host malware on a government site: if they can do so, it gives them automatic immunity from many reputation-based website blacklists.
In this case, we observed a malicious JavaScript downloader, hosted on a US Government site, that leads to the Cerber ransomware.
Attack Cycle
The entire attack cycle is summarised in the flowchart below, which shows how the malware hosted on the US Government site leads to Cerber ransomware encryption.
Obfuscated JavaScript Downloader
To make analysis difficult, the JavaScript contains several functions that add nothing to the code flow and serve only to obfuscate the script.
The variable of interest here is “tynassi”, which holds code fragments that launch a command prompt, which in turn launches PowerShell.
On extracting the variable we find an obfuscated PowerShell command that stores partial commands in a number of variables, joins them, and runs the result via Invoke-Expression. The second figure shows the de-obfuscated PowerShell, which downloads a .gif file from a known malicious site; the file is actually an executable.
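The variable-join-then-Invoke-Expression pattern described above can usually be resolved statically, without ever running the script. The following is an added example (not code from the post or from the analysed sample) of a small Python triage helper that collects single-quoted string assignments, resolves `+` concatenations of known variables, and reports what the `Invoke-Expression` / `iex` call would actually execute. The input is a constructed, benign PowerShell one-liner written in the same shape; the real downloader is not reproduced here.

```python
import re

# Constructed sample in the shape the post describes: fragments in variables,
# joined with '+', then handed to Invoke-Expression. The resolved command is
# deliberately benign (a directory listing), not the downloader from the post.
SAMPLE = (
    "$qz = 'Get-Chi'; $wx = 'ldItem'; $pt = ' -Path C:\\Temp';"
    "$jx = $qz + $wx + $pt; Invoke-Expression $jx"
)

# Assumptions: one statement per ';', single-quoted literals only, no
# format operators, no nested scopes. Good enough for the simple join pattern.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*([^;]+);")
STR_RE = re.compile(r"^'([^']*)'$")
IEX_RE = re.compile(
    r"(?:Invoke-Expression|\biex\b)\s*\(?\s*([^;)]+)\)?", re.IGNORECASE
)


def resolve(expr, env):
    """Statically evaluate a '+'-joined expression of literals and known variables."""
    parts = []
    for tok in (t.strip() for t in expr.split("+")):
        lit = STR_RE.match(tok)
        if lit:
            parts.append(lit.group(1))
        elif tok.startswith("$") and tok[1:] in env:
            parts.append(env[tok[1:]])
        else:
            # Anything we cannot resolve (cmdlet output, double-quoted
            # interpolation, etc.) is surfaced instead of silently guessed.
            raise ValueError(f"unresolved token: {tok!r}")
    return "".join(parts)


def deobfuscate(script):
    """Return the command that Invoke-Expression would run, or None if no iex call."""
    env = {}
    for name, expr in ASSIGN_RE.findall(script):
        env[name] = resolve(expr.strip(), env)
    call = IEX_RE.search(script)
    if not call:
        return None
    return resolve(call.group(1).strip(), env)


def indicators(script):
    """Cheap static signals a detection rule could key on for this pattern."""
    return {
        "uses_invoke_expression": bool(IEX_RE.search(script)),
        "string_fragments": len(STR_RE.findall(script.replace(";", "\n"))),
        "concatenations": script.count("+"),
    }


if __name__ == "__main__":
    print("resolved :", deobfuscate(SAMPLE))
    print("signals  :", indicators(SAMPLE))
```

Note that the resolver refuses to guess: a token it cannot evaluate raises rather than producing a partially correct command, which matters when the output is going to feed a blocklist or a detection rule. Real samples often add double-quoted interpolation, `-join`, or `[char]` arithmetic on top of this pattern, each of which would need its own resolver case.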
The link is down as of now. However, when we analysed archived data, we found that this particular payload was Cerber ransomware with SHA256 1f15415da53df8a8e0197aa7e17e594d24ea6d7fbe80fe3bb4a5cd41bc8f09f6.
The executable was an NSIS installer. After unpacking the installer, we extracted the Cerber JSON configuration file by setting a breakpoint on the API CryptImportKey followed by another on the API MapViewOfFile, as shown below.
In the dumped configuration file, we observed the standard Cerber check of “don’t infect if the victim uses one of a given set of languages”, mostly covering CIS countries.
For further reading on this Cerber variant’s configuration, we have made the file publicly available here: https://pastebin.com/HAiqH0Wq
Conclusion
On 30th August, we revealed the presence of malware on the US Government site via Twitter, notifying US-CERT at the same time. Within a few hours of this tweet, the malware link was taken down.
It is unclear how this malware came to be hosted on the US Government site, whether through a compromise or because the site stored archives of email attachments and the file ended up there. Regardless, such links can promote malware propagation.
We have made the indicators of compromise available here: https://pastebin.com/0eAPV7Lc
Blog Authors:
@Ankit Anubhav, Principal Researcher, NewSky Security (@newskysecurity)
Mariano Palomo Villafranca, Malware Analyst Intern, Telefónica Spain (@mpvillafranca94)