Israeli Think-Tank Website Tainted with Malware

Security firm Cyphort reported on 8th September, 2014 stating that the certified website of a significant Israeli body has been hijacked and abused to dispense a malware strain.

Security researchers observed that a malicious file of Javascript has been implanted on the Jerusalem Center for Public Affairs (JCPA) site, a self-regulating research organization focusing on regional diplomacy, Israeli security and cross-border laws. Cyphort said that the cybercriminals have employed the Sweet Orange EK (exploit kit) to push malware into the computers of the visitors of the website by exploiting software vulnerabilities.

Exploits relating to Java and Internet Explorer were employed in the attacks to distribute a data-stealing computer Trojan nicknamed Qbot.

The device is infected and the malware installs its own self into running processes, generates registry logs for persistence and begins collecting system data that it sends back to its C2 (command and control) server.

After that, it monitors victims closely who visit the websites.

Cyphort's research indicates that the campaign undoubtedly appears as a watering hole with APT-style attack and it is eventually designed to steal banking credentials.

Malware targets a long list of prominent banks including Zions Bank, PNC, Sun Trust, Sovereign Bank, J.P.Morgan, Bank of America, Citi Bank, Wells Fargo, TD Bank, Wachovia and many more.

The version of malware which is finally pushed into machines of user has anti-virtual machine besides anti-antivirus identification modules being built inside it. It can embezzle system operating system (OS) install names, dates and product IDs of its victims. Unusually, the malware holds a link to a Wheat Thins promotional ad, popular snack item, indicating that the attackers may deploy some click-fraud to make some more money.

When it comes to protect your websites or your personal devices, there is "No Untouchables" to criminal actors. Any website can be a victim and become infected without even knowing; an innocent music domain can be leveraged to redirect web surfers without detection if ownership of domain-subdomain is not strictly enforced; any Internet users can get infected if they step into the infection chain without proper protection. Cyphort recommended that continuous monitoring and mitigation is the best practice for individuals, website owners and hosting providers to start safely.

» SPAMfighter News - 9/15/2014