Nation-state likely behind attack on IE zero-day flaw

The website of a U.S. organization specializing in national and international security policy was compromised with malware that targeted a previously unknown vulnerability in Internet Explorer.

[Internet Explorer zero-day attackers linked to Bit9 hackers]

A nation-state looking to compromise the personal computers of specific groups of visitors apparently sponsored the highly sophisticated attack discovered by security vendor FireEye. The campaign had similarities with other high-profile attacks, such as the Bit9 compromise in February.

In the latest attack, the hackers would turn on the exploit built into the website at certain times of the day, in order to target specific groups of visitors, Darien Kindlund, manager of threat intelligence at FireEye, said Monday. The attackers likely studied the website’s access logs to determine who visited the site and when. Kindlund refused to identify the owner of the site.

Malware aimed at the IE flaw was downloaded into visiting computers’ system memory. From there, the malicious code, a variant of Trojan.APT.9002 (aka Hydraq/McRAT), established communications with a command-and-control server.

The use of in-memory malware, which disappears when the infected system is turned off, is a more effective method for hiding an infection than downloading the malicious code onto the hard drive, where it remains until discovered.

By choosing a temporary infection, the hackers of the non-governmental website were apparently trying to prevent someone from discovering the zero-day vulnerability in IE, Kindlund said. The flaw, which has been reported to Microsoft, affects IE 7, 8, 9 and 10.

In order to work quickly to get the information they wanted, the attackers manually controlled the malware to find and download files, similar to how a person would use remote desktop software, Kindlund said. The labor intensiveness of the process is why the attackers tried to limit the number of potential victims.

While the evidence is not definitive, FireEye has found similarities between the latest attack and the Bit9 attack in which hackers had stolen code-signing certificates from the security vendor’s network and dropped malware in the systems of three customers.

FireEye found code similarities in the malware used in both attacks. The latest attack also had within its command-and-control infrastructure some of the same domain names and IP addresses used in a campaign called DeputyDog, which targeted organizations in Japan starting in August. DeputyDog also had some overlapping infrastructure with that used in the Bit9 attack.

In addition, Trojan.APT.9002 was used in a 2010 campaign called Operation Aurora, which targeted Google Gmail accountholders. The hackers were connected to China’s People Liberation Army.

While FireEye had a lot of circumstantial evidence linking all the attacks, it wasn’t enough to say the attackers were the same yet, Kindlund said. “We’re certainly getting there.”

The sophistication of the techniques used in the latest attack point to an operation led by a nation-state, Kindlund said.

[70 percent of business users vulnerable to latest Internet Explorer Zero-Day]

“This takes serious skill and serious resources to be able to pull this off well,” he said. “It’s not something that we typically see deployed by rogue hacking groups that are just contractors-for-hire.”

The techniques used were developed over a period of time, an indication that the campaign was part of a continuous operation. When all the technologies and tactics are put together, the attack is “quite remarkable,” Kindlund said.