Popular Japanese Publisher’s Website led to Gongda Exploit Kit

We recently encountered a website of a major Japanese book publisher and distributor, of books, magazines, comics, movies, and games, injected with a malicious iframe leading to another website hosting an exploit kit.

As far as we know, at least three files on the book publisher’s site were compromised.

 figure1_6.png
Figure 1. Malicious iframe found on publisher’s site

The malicious iframe was present across multiple pages including the homepage. Our telemetry shows the first potential victim visited the site at approximately 22:00 PST on January 5, 2014 (15:00 JST on January 6, 2014). The security issue was not fixed until late on January 8, PST (in the evening of January 9, 2014 JST).

The malicious iframe loads another website, hosting an exploit kit, as soon as a user visits the book publisher’s site. The exploit kit has been identified as Gongda exploit kit, which in this particular attack served exploits for the following five vulnerabilities:

•    Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507)
•    Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)
•    Oracle Java Runtime Environment Multiple Remote Code Execution Vulnerabilities (CVE-2013-0422)
•    Adobe Flash Player Remote Memory Corruption Vulnerability (CVE-2013-0634)
•    Oracle Java SE Memory Corruption Vulnerability (CVE-2013-2465)  

figure2_4.png
Figure 2. Attack scenario

Upon successful exploitation of the vulnerabilities, Infostealer.Torpplar is downloaded. This malware is tailored to target Japanese users for information stealing purposes. The malware monitors open windows for a list of Japanese websites that include the following:
•    2 online banking sites
•    3 online shopping sites
•    3 Web mail sites
•    3 gaming/video websites
•    14 credit card sites

It is interesting that the malware targets only two online banking sites, one of which is merely a regional bank. Most banks are aware that they are a target of sophisticated malware such as Trojan.Zbot and have implemented additional layers of protection and verification for their online customers. We believe the attacker knows this and intentionally targeted other financially viable sites that have only basic security measures in place.

The stolen information is sent to a predefined website in plain text, which can be easily read if intercepted.

We have the following IPS signatures in place to block exploit attempts dished out by the Gongda exploit kit used in the attack:
 
•    Web Attack: Gongda Exploit Kit Website
•    Web Attack: Gongda Exploit Kit Website 2

In addition to the Infostealer.Torpplar detection, the following AV detections are available for the files associated with this attack:

•    Trojan.Webkit!html
•    Trojan.Malscript
•    Trojan.Maljava
•    Trojan.Swifi

To stay protected, Symantec recommends users to apply the latest patches and keep AV and IPS definitions up-to-date.