Hackers have compromised a key Tibetan site and loaded it with code that redirects some users to a third-party site that installs an APT-style backdoor.
This assault has affected the site of the Central Tibetan Administration, a website belonging to the Dalai Lama’s government-in-exile, and while Chinese-speaking users visit the site, they’re hit with the code contained in an iframe that redirects them to another site. There, the visitors are then exposed to an exploit that attempts to compromise their machines using a Java vulnerability from 2012.
The attack does not affect English-speaking or Tibetan visitors.
The attack itself is precisely targeted, as an appended, embedded iframe redirects “xizang-zhiye(dot)org” visitors (this is the CN-translated version of the site) to a java exploit that maintains a backdoor payload. The english and Tibetan versions of the website do not maintain this embedded iframe on the Chinese version,
Kurt Baumgartner, a security researcher at Kaspersky Lab, wrote in an analysis of the attack.
“At this point in time, it seems that the few systems attacked with this code are located in China and the US, although there could be more. The Java exploit being delivered is the 212kb “YPVo.jar” (edd8b301eeb083e9fdf0ae3a9bdb3cd6), which archives, drops and executes the backdoor as well. That file is a 397 kb win32 executable “aMCBlHPl.exe” (a6d7edc77e745a91b1fc6be985994c6a) detected as “Trojan.Win32.Swisyn.cyxf”. Backdoors detected with the Swisyn verdict are frequently a part of APT related toolchains, and this one most certainly is.”
The same attacker behind this watering hole assault is also responsible for a similar attack last year. In that one, the attacker was applying a Java vulnerability, Baumgartner said.
Among the things that the Java exploit in this new attack does is disable the policy checks of Java and running the Payload.main method.