An embassy website compromise that started as a cryptomining operation escalated into dropping a downloader on visiting computers, giving the attackers full command and control with which to deliver further malware.
The website belonging to the Bangladesh embassy in Cairo initially appeared to have been breached by hackers involved in a cryptocurrency mining operation. According to a new report by security researchers at Trustwave, the researchers discovered the problem back in October 2018 when they spotted the presence of the CoinImp web miner on the Bangladeshi government website for one of its embassies. The same domain drew their attention again in early January 2019, when they once more saw a detection from their monitors for that domain, but this time for a Microsoft Word document with an embedded malicious EPS script.
Any attempt to access one of the website's pages ends with a prompt to save a file. Researchers said that this is a serious escalation given the types of business and government traffic that tend to visit embassy sites.
The downloaded Office document contains an EPS file and exploits a use-after-free vulnerability, CVE-2017-0261.
"It seems that the EPS file was modified at the end of October 2018, which coincides with the timeline of the first infection dates we noticed," said researchers.
"This could, of course, be a coincidence and we can never know the attacker's intentions with certainty, but it's possible that after running a wider infection campaign infecting sites with a web miner, the attacker looked through their victims to find more interesting targets to leverage further."
Once the EPS file is executed, two binaries are extracted, one for x86 and one for x64, which exploit CVE-2017-7255; this exploit provides the privilege escalation needed to run the main payload.
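The lure in this chain is an ordinary-looking Word document that carries an EPS image part inside its OOXML container, something legitimate business documents almost never contain since Microsoft disabled EPS rendering in Office. The following triage check is an added example, not code from the report or from Trustwave; it builds constructed sample documents in memory and flags any part that is named .eps or starts with an EPS signature, so a renamed part is caught as well.

```python
import io
import zipfile

# EPS signatures: the DOS EPS binary header and the PostScript text header.
EPS_BINARY_MAGIC = b"\xc5\xd0\xd3\xc6"
EPS_TEXT_MAGIC = b"%!PS"


def find_embedded_eps(doc_bytes: bytes) -> list:
    """Return the names of parts inside an OOXML document (docx/xlsx/pptx)
    that look like EPS images, whether or not they carry an .eps extension."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return hits  # not an OOXML container (legacy .doc or RTF need another parser)
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as part:
                head = part.read(4)
            name = info.filename.lower()
            if (name.endswith(".eps")
                    or head.startswith(EPS_BINARY_MAGIC)
                    or head.startswith(EPS_TEXT_MAGIC)):
                hits.append(info.filename)
    return hits


def build_sample_docx(media_parts: dict) -> bytes:
    """Constructed sample: a minimal docx skeleton carrying the given media parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        for name, data in media_parts.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed inputs: a document with an EPS part, one with an EPS part renamed
# to .png, and a benign document with a real PNG header.
EPS_SAMPLE = build_sample_docx({"word/media/image1.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n"})
RENAMED_SAMPLE = build_sample_docx({"word/media/image1.png": EPS_BINARY_MAGIC + b"\x00" * 26})
BENIGN_SAMPLE = build_sample_docx({"word/media/image1.png": b"\x89PNG\r\n\x1a\n"})

if __name__ == "__main__":
    for label, sample in [("eps", EPS_SAMPLE), ("renamed", RENAMED_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(label, find_embedded_eps(sample))
```

Any hit is worth quarantining for deeper analysis; an empty result only means the document is not using this particular vector.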
Researchers said that a Godzilla loader is dropped. The loader then gathers information about the infected machine, checks for internet connectivity by attempting to reach Wikipedia.org and, if connectivity is available, communicates back with the C2 server.
Once communication is established with the C2 server, further executables can be dropped at the attacker's will. In this case an additional downloader pulled a cryptominer.
"It is possible that the intruders who injected the web miner into the site decided to make a shift from web mining to machine infection in order to install a more persistent cryptominer on victim machines," said researchers.
Researchers said that they attempted to contact the owners of the compromised domain to alert them of the infection, but had received no response before the report was published.