Forcepoint Security experts have  came across a malicious reconnaissance campaign that targets websites. It is unknown what is the intent behind the campaign as of this writing, however, the profile of the targets resembles those that are common targets of Advanced Persistent Threat (APT) actors. As the attack is currently active, it effectively turns compromised sites into attack surfaces against their visitors.

Furthermore, the injections resemble those used by the Turla group, such as those previously documented by Swiss GovCERT last year. In this post, we will share our findings on this campaign’s targets and injected code as well as provide insights to its timeline.

AFFECTED WEBSITES

The majority if the targeted sites were ministry and embassy sites although sites with different profiles were also compromised. Below is a list of the affected sites we have observed:

• Foreign affairs ministries of Kyrgyzstan, Moldova and Uzbekistan
• Embassy sites of Iraq, Jordan, Zambia and Russia
• A political party in Austria
• A government-run, sustainability site in Austria
• A sports association in Austria
• A Somalian news site
• A socialist organization in Spain
• An international cooperation organization based in France
• An African union site
• A road safety site from Ukraine
• An African plant society

Interestingly, all of the targeted embassy sites were embassies located in Washington, D.C., United States.

INJECTION

Target websites were compromised with a code that looks like a web analytics script from the web analytics service, Clicky. A closer look at the code shows that while the Clicky site static.getclicky.com/js was declared in the variable s.src, the same variable is simply overwritten with the actual malicious site hxxp://www.mentalhealthcheck[.]net/update/check.php. The final HTTP request is sent to this site which then responds with Joseph Myers’ Javascript implementation of the MD5 algorithm.

As reported by the Swiss GovCERT, the Turla group is known to use Google Analytics scripts to disguise their malicious code on compromised websites. They then evaluate compromised sites’ visitors, through fingerprinting and an IP target list, before a malicious payload is served. These techniques are strikingly similar to this campaign wherein the injected codes are disguised as a Clicky web analytics script. In addition, the above HTTP response suggests that it is simply used to cover the malicious activity to visitors outside the attackers’ interest.

The actors behind the campaign actively manages the injected scripts. For instance, we have seen them comment out their injected script in a particular site for a certain period and then reactivate it again. Injected scripts are also updated with new malicious sites.