CSP-CERT® Security Advisory:
Compromised Website Hosting Malware Which Is Typical to a Watering Hole Attack

by CSP-CERT® Research Science
posted September 2016


CSP CERT® has provided an advisory to the https://compromised.gov.ph site, and as of this date the site has been remediated from the watering hole attack.



CSP CERT® wants to advise you of an executable residing at https://compromised.gov.ph[REDACTED]. When we tried to download the file, it was still there.

The screenshot below shows the current date and time together with the actual download of the file Chronopost-Colis.exe.




Compromised URL investigation

Searching for the download URL, we found it referenced at http://www.malekal.com[REDACTED], which reports that the URL https://compromised.gov.ph[REDACTED] is being used in a malware spam campaign. The mail as shown on that site:





Notice the link used in the images:

When we followed the URL used in the images, it went through a series of redirects which ultimately led to the download of the executable file.



Partial Wireshark output



Upon accessing the link, the server replied with a 301 Moved Permanently, which redirects the browser to the location given in the response's Location header.



The page at that location redirects to two further sites, as shown in the screenshot below: one via window.location.href and one via an iframe.

Partial code of a.html:



The URL referenced by the iframe was not found.



Chronopost-Colis.exe from https://compromised.gov.ph/[REDACTED] was downloaded.




Malware Analysis

File MD5 hash: cd144cdec9f3d28d277a484bb731537f



Checking VirusTotal with the MD5 hash cd144cdec9f3d28d277a484bb731537f returns a hit with a large number of detections, which confirms it is a malicious file.

https://www.virustotal.com/en/file/ea3049624ea76ac35126a973df1a941ce67f1262af775a161a8be2f67dc7f9a5/analysis/




Network Analysis

Upon execution it tries to connect to resultip.ddns.net.

The screenshot below shows the DNS query for resultip.ddns.net.



It then sends 69 bytes of data to the CNC (command-and-control server).



The CNC replies with its own 69 bytes of data.



Notice the first few bytes of both packets:

Malware to CNC: 41 00 00 00 03

CNC to malware: 41 00 00 00 05
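The first byte, 0x41 = 65, equals the 69-byte packet length minus 4, which is consistent with a 4-byte little-endian length prefix followed by a one-byte message type. The following added example (not part of this advisory) treats that framing as an assumption and flags payloads whose header matches the bytes observed above; the sample payloads are constructed, with filler after the header, not captured traffic.

```python
import struct

# Constructed 69-byte samples reproducing only the observed header bytes.
# The 64 filler bytes stand in for the rest of the packet (not real data).
SAMPLE_TO_C2 = bytes.fromhex("4100000003") + b"\x00" * 64
SAMPLE_FROM_C2 = bytes.fromhex("4100000005") + b"\x00" * 64
# Unrelated traffic, used to show that the length check rejects it.
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def parse_frame(payload: bytes):
    """Return (declared_len, type_byte, body) if payload is one complete
    frame under the assumed framing (4-byte LE length of the remainder,
    then a 1-byte type), otherwise None."""
    if len(payload) < 5:
        return None
    declared_len = struct.unpack("<I", payload[:4])[0]
    if declared_len != len(payload) - 4:
        return None
    return declared_len, payload[4], payload[5:]


def classify(direction: str, payload: bytes):
    """Label a payload whose header matches the advisory's observation.
    direction is 'to_c2' (client to server) or 'from_c2'."""
    frame = parse_frame(payload)
    if frame is None:
        return None
    _, type_byte, _ = frame
    if direction == "to_c2" and type_byte == 0x03:
        return "possible Netwire client frame (type 0x03)"
    if direction == "from_c2" and type_byte == 0x05:
        return "possible Netwire server frame (type 0x05)"
    return None


def scan(flows):
    """flows: iterable of (direction, payload). Returns [(index, label)]
    for every payload that classify() flagged."""
    hits = []
    for i, (direction, payload) in enumerate(flows):
        label = classify(direction, payload)
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    flows = [("to_c2", SAMPLE_TO_C2), ("from_c2", SAMPLE_FROM_C2), ("to_c2", SAMPLE_HTTP)]
    for idx, label in scan(flows):
        print(idx, label)
```

In practice the payloads would come from reassembled TCP streams to the resolved address of resultip.ddns.net, and a hit should be correlated with the Suricata signatures listed below rather than treated as proof on its own.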

The screenshot below shows part of the data that was sent and received.




Suricata Detection

ET TROJAN Netwire RAT Check-in

ET TROJAN Possible Netwire RAT Client HeartBeat C2

ET TROJAN Netwire RAT Client HeartBeat