Hacktivists Get Serious with Remote Code Malware

Security experts are warning of a new hacktivist campaign which goes further than merely defacing websites, by linking to malware which could allow for remote code execution by an attacker.

The group in question claims to be part of the ‘AnonGhostTeam’ collective which has targeted government and mass media sites in the past, Zscaler security researcher Chris Mannon explained in a blog post.

However, unlike those simple defacements, a recent batch of compromised sites contains a malicious link in the defacement message to a “lulz.htm” page. This page apparently contains obfuscated JavaScript that redirects visitors to a site hosting the Dokta Chef Exploit Kit (EK).

“This appears to be a new tactic whereby a hacktivist group has escalated their activities by attacking users who visit defaced sites,” said Mannon.

“This is out of character for such groups that generally seem more interested in disrupting private sector compliance with government entities, than targeting end users.”

Dokta was serving up a malicious payload for recently disclosed Microsoft vulnerability CVE-2014-6332, which was fixed earlier this month with bulletin MS14-064.

This can lead to remote code execution if the victim visits a specially crafted webpage using Internet Explorer. The flaw is triggered when IE improperly accesses Object Linking and Embedding (OLE) objects in memory, Mannon explained.

The attackers are targeting only Internet Explorer users on 32-bit Windows: the exploit code checks the victim's environment and aborts the infection chain if it detects that the browser is not IE, the operating system is not Windows, or the system is 64-bit.
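As an added illustration, not code from the article or from Zscaler's research, the following Python check runs over constructed proxy-log lines and flags the hop from a defacement's "lulz.htm" lure page to a different host, the redirect chain described above, while noting whether the client's browser falls in the population the exploit keeps (IE on 32-bit Windows). The log format, field layout, host names and the `is_targeted_ua` heuristic are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log (assumed format): "<ISO time> <client_ip> <url> <user_agent>"
SAMPLE_LOG = """\
2014-11-20T10:00:01 10.0.0.5 http://defaced.example/index.html Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
2014-11-20T10:00:04 10.0.0.5 http://defaced.example/lulz.htm Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
2014-11-20T10:00:06 10.0.0.5 http://ek-landing.invalid/gate.php Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
2014-11-20T10:05:00 10.0.0.9 http://defaced.example/lulz.htm Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0
2014-11-20T10:30:00 10.0.0.9 http://news.example/story.html Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0
"""

LURE_PAGE = "lulz.htm"  # file name quoted in the article

def parse_log(text):
    """Parse the assumed four-field format into dicts; the UA may contain spaces."""
    entries = []
    for line in text.splitlines():
        ts, client, url, ua = line.split(" ", 3)
        entries.append({"time": datetime.fromisoformat(ts), "client": client,
                        "url": url, "ua": ua})
    return entries

def is_targeted_ua(ua):
    """True for the population the exploit keeps: IE on 32-bit Windows.
    Simplified heuristic (assumption): IE 11 drops the 'MSIE' token and would not match."""
    return "MSIE" in ua and "Windows" in ua and "WOW64" not in ua and "Win64" not in ua

def find_redirect_chains(entries, window_seconds=30):
    """Flag clients whose request right after the lure page goes to a different
    host within the window, i.e. the lure -> exploit-kit hop the article describes."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)
    alerts = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda e: e["time"])
        for i, e in enumerate(reqs[:-1]):
            if not urlsplit(e["url"]).path.endswith("/" + LURE_PAGE):
                continue
            nxt = reqs[i + 1]
            lure_host, next_host = urlsplit(e["url"]).hostname, urlsplit(nxt["url"]).hostname
            # A later, unrelated request (client 10.0.0.9 above) falls outside the window
            if next_host != lure_host and nxt["time"] - e["time"] <= timedelta(seconds=window_seconds):
                alerts.append({"client": client, "lure": e["url"], "next_host": next_host,
                               "targeted_ua": is_targeted_ua(e["ua"])})
    return alerts

if __name__ == "__main__":
    for alert in find_redirect_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```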
