Search This Blog

Showing posts with label Gh0st RAT. Show all posts

Nepalese Government Sites hacked and serves Zegost RAT

Nepalese Government Sites exploits java vulnerability and infects users system with Zegost malware 

Researchers have detected that two Nepalese government websites, the National Information Technology Center (NITC) and the Office of the Prime Minister and Council Minister (nitc.gov.np and opmcm.gov.np respectively), have been compromised and serves Zegost(Gh0st RAT) malware.

The site injected with malicious code that tries to exploit the Java vulnerability CVE-2012-0507. After successul exploitation, it will infect the visitor system with the Zegost.

Interestingly, the binary installed on infected machines as part of the attack is signed by a valid certificate issued by VeriSign.

"The main page was injected with a Java JAR file loader which once rendered by the Web browser is executed and attempts to exploit the CVE-2012-0507 vulnerability. The name used for the Java class name ("msf.x.Exploit.class") and the content of the file confirmed that the code was taken from the Metasploit framework" Gianluca Giuliani of Websense said in an analysis of the attack.

"If the exploit code in the JAR file has been successfully executed, the exploit shellcode downloads and runs the executable file named "tools.exe" on the impacted system (MD5: 3c7b7124f84cc4d29aa067eca6110e2f),"

Zegost is a known Remote-Administration Tool(RAT) that's been used in other targeted attacks, specifically in Asia. Once on an infected machine, the backdoor used in the attack on the Nepalese sites initiates an outbound connection to a C&C server hosted on a domain in China at "who.xhhow4.com".


That same Java vulnerability was used in attacks earlier this year on Amnesty International and the Institute for National Security Studies in Israel, Websense said.

Spam mail with Gh0st RAT targets Tibet organizations

AlienVault has detected phishing attacks against Tibetan organizations , apparently from Chinese attackers. AlientValut believe these attacks originate from the same group of Chinese hackers that launched the ‘Nitro’ attacks against chemical and defense companies late last year and are aimed at both spying on and stealing sensitive information about these organizations’ activities and supporters.

A phishing email related to Kalachakra Initiation with a Microsoft word attachment targets Tibetan organizations, try to exploit a known Office stack overflow vulnerability (CVE-2010-3333).

After investigating, researchers discovered that the malware being used in this attack is a variant of Gh0st RAT (remote access Trojan), a type of software that enables anything from stealing documents to turning on a victim’s computer microphone.

Gh0st RAT was a primary tool used in the Nitro attacks last year and the variant we uncovered in these attacks seem to come from the same actors. It’s likely that the same group is stealing from major industries as well as infiltrating organizations for political reasons.