The FireEye researchers reported uncovering the watering hole attack in a blog post, warning that it uses several atypical techniques to infect its victims' systems.
"Recently, we discovered a new IE zero-day exploit in the wild, which has been used in a strategic web compromise. Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy," read the post.
"The attackers loaded the payload used in this attack directly into memory without first writing to disk – a technique not typically used by advanced persistent threat (APT) actors. This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods."
The attack loads malicious software directly into a computer's memory without ever writing it to the hard drive, which makes it harder for organisations to determine, using traditional disk-based forensic and scanning techniques, whether their computers have been compromised.
"Through the FireEye Dynamic Threat Intelligence (DTI) cloud, we were able to retrieve the payload dropped in the attack. This payload has been identified as a variant of Trojan.APT.9002 (aka Hydraq/McRAT variant) and runs in memory only. It does not write itself to disk, leaving little to no artefacts that can be used to identify infected endpoints," explained the researchers.
Forensic analysis linked the watering hole attack to a domain used by the hackers behind the DeputyDog campaign. "We have identified relationships between the infrastructure used in this attack and that used in Operation DeputyDog," read the post.
DeputyDog is a hacking campaign discovered in May. It saw hackers target a separate vulnerability in Microsoft Internet Explorer to infect a number of organisations in Japan.
The IE vulnerability is one of many discovered in recent weeks. Prior to it, researchers reported uncovering issues in a number of Microsoft products and services, including Windows Server, Lync and Office.
The vulnerabilities are being actively targeted by hackers and Microsoft has issued a temporary fix. Microsoft is expected to release full fixes for the vulnerabilities in its December Patch Tuesday.