Revelations from FireEye, Websense, Symantec and Malwarebytes show that the malware, dubbed 'Operation SnowMan', is being used to hijack victims' computers in a 'watering hole' attack being waged by the same criminals whose earlier DeputyDog and EphemeralHydra campaigns targeted US government agencies, defence, IT and mining companies and law firms.
SnowMan (aka zero-day bug CVE-2014-0322) was first revealed by FireEye in a 13 February blog post. The company said the malware exploits a previously unknown 'use-after-free' bug in Internet Explorer 10 and was deployed on 11 February to attack the US Veterans of Foreign Wars (VFW) website in a possible bid to steal military intelligence.
FireEye said that the attack redirected unsuspecting VFW users to a false site, then used the Adobe Flash Player to plant the ZxShell backdoor on them. It could not confirm the number infected, but said it was likely to be around 100 to 1,000 people.
One day later, Symantec confirmed the ultimate purpose of the attack by saying that by exploiting Windows 7, IE10 and Adobe Flash, the malware “takes screenshots of the victim's desktop and allows the attacker to take control of the victim's computer”.
FireEye, which chose the name 'Operation SnowMan' after the attack happened during a paralysing snowstorm in the US, said: “A possible objective is targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website.”
FireEye highlighted the cyber spies involved, saying: “The ZxShell backdoor is a widely used and publicly available tool used by multiple threat actors linked to cyber espionage operations. We believe the actors behind this campaign are associated with two previously identified campaigns - Operation DeputyDog and Operation Ephemeral Hydra.”
These campaigns targeted US government agencies, Japanese firms, non-governmental organisations (NGOs) and defence, IT and mining companies, as well as law firms.
Darien Kindlund, manager of threat intelligence at FireEye, told SCMagazineUK.com via email: “We can confirm that the attackers are a threat actor believed to be backed by a nation state, whose goals and objectives appear to be broad-scale intelligence gathering.”
FireEye warned that more attacks are likely, saying: “The proven ability to successfully deploy a number of different private and public remote access Trojans using zero-day exploits against high-profile targets likely indicates that this actor(s) will continue to operate in the mid to long-term.”
Following FireEye's revelations, Websense pitched in to say that on 20 January the same exploit was likely being readied to target the website of GIFAS, the French aerospace industries association whose 300 members include suppliers of civil and military aircraft and helicopters, missiles, armaments, satellites and launch vehicles and other defence and security systems.
Websense said in a 13 February blog that the malware was using the URL 'hxxp://gifas.assso.net', similar to the 'gifas.asso.fr' address of GIFAS.
Jason Hill, lead security researcher at Websense, told SCMagazineUK.com: “This exploit may be targeting organisations associated with GIFAS as there's a big similarity between the domain names used. Rather than a typical typosquat, where the malware actors tend to add or transpose characters to the original URL and wait for someone to mistype, this looks like it has been crafted specifically for use as a lure.”
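The lure domain Hill describes differs from the genuine one by a single inserted character before the top-level domain. The following is an added example, not code from the article or from any of the vendors it quotes, showing how a defender can flag such lookalikes in web proxy logs: it compares the name minus its TLD against a watchlist using edit distance. The watchlist, the log format and the log lines are all constructed for the demo.

```python
import re

# Constructed watchlist of legitimate domains we want to protect (assumption).
WATCHLIST = ["gifas.asso.fr", "vfw.org"]

# Constructed proxy log lines; the column layout is an assumption for the demo.
SAMPLE_LOG = """\
2014-02-13T10:01:02Z 10.0.0.5 GET http://gifas.asso.fr/index.html 200
2014-02-13T10:02:17Z 10.0.0.7 GET hxxp://gifas.assso.net/ 200
2014-02-13T10:03:40Z 10.0.0.9 GET http://example.com/news 200
2014-02-13T10:04:55Z 10.0.0.5 GET http://www.vfw.org/ 200
"""

# Accepts both live (http) and defanged (hxxp) scheme spellings.
HOST_RE = re.compile(r"h(?:tt|xx)ps?://([^/\s:]+)")

def levenshtein(a, b):
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def core_name(host):
    """Drop a leading 'www.' and the final label (the TLD), so 'gifas.assso.net'
    and 'gifas.asso.fr' are compared on the part an attacker imitates."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else host

def lookalike_of(host, watchlist, max_distance=1):
    """Return the watchlisted domain this host imitates, or None."""
    host = host.lower().rstrip(".")
    for legit in watchlist:
        if host == legit or host.endswith("." + legit):
            return None  # genuine domain or a real subdomain of it
    for legit in watchlist:
        if levenshtein(core_name(host), core_name(legit)) <= max_distance:
            return legit
    return None

def scan_log(text, watchlist=WATCHLIST):
    """Yield (observed_host, imitated_domain) pairs for suspicious log lines."""
    hits = []
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m and (legit := lookalike_of(m.group(1), watchlist)):
            hits.append((m.group(1), legit))
    return hits
```

A distance of 1 on the pre-TLD name will also catch short names that differ legitimately by one character, so treat a hit as a triage lead rather than a verdict.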
In its blog, Websense agreed that CVE-2014-0322 resembles the DeputyDog and EphemeralHydra operations, saying: “The similarities in the exploit, delivery and search for the EMET.DLL indicate that the same group of threat actors is most likely behind the malicious URL above and the attacks that have been discovered by FireEye.”
Meanwhile, FireEye's Kindlund said: “This is the same exploit used to target the French aerospace industries Association GIFAS, but it is a different group using it.”
Security expert Brian Honan of BH Consulting said the perpetrators are using a classic and effective 'watering hole' approach.
“The waterhole technique is an attack vector that is widely used when running targeted attacks and can be very successful in compromising selected groups. This technique will most definitely be used again.”
But Honan said it will be difficult to identify the criminals behind SnowMan, DeputyDog and Ephemeral Hydra. “Due to the nature of the internet it is extremely difficult to attribute an attack to a particular party or group. So while we may suspect certain groups, or nations, based on their motives and also on the sophistication of the techniques, it will be difficult to prove it conclusively.”
FireEye said that the attack fails if users have Microsoft's Enhanced Mitigation Experience Toolkit (EMET) or have updated to Internet Explorer version 11.
Microsoft advised doing this in a statement issued to journalists, whilst also confirming the bug affects IE version 9: “Microsoft is aware of limited, targeted attacks against Internet Explorer 9 and 10. As our investigation continues, we recommend customers upgrade to Internet Explorer 11 for added protection.”
Jason Hill advised: “As well as having protection against the early stages of the attack chain, companies need to ensure that if they are compromised by an advanced threat they have layered security defences in place to detect and prevent the exfiltration of sensitive intellectual property.”
Meanwhile, Jerome Segura of Malwarebytes said in a 14 February blog post: “Now that the information has been made public, it is a race between the bad guys and Microsoft - the latter working on a fix and release for its massive user base.”
Segura said Malwarebytes' Anti-Exploit BETA proactively blocks the exploit, requiring no signature or update to its engine. The company has posted a YouTube video clip of the malware being stopped.
Kindlund told SC: “Some antivirus products can detect the remote access Trojan installed, but we do not believe that most of them can detect or prevent the inbound exploits.”