{ "id": "97aea926-16fd-48c6-9d39-527470d361d6", "created_at": "2026-04-06T00:20:15.04205Z", "updated_at": "2026-04-10T03:36:00.621708Z", "deleted_at": null, "sha1_hash": "aced1deec4e99e43f11e29c9e4e18f5658e55d15", "title": "CNACOM Open Source Exploitation via Strategic Web Compromise", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2655995, "plain_text": "CNACOM Open Source Exploitation via Strategic Web\r\nCompromise\r\nBy Ed Miles\r\nPublished: 2016-12-01 · Archived: 2026-04-05 12:37:45 UTC\r\nIntroduction\r\nSince a full proof of concept for CVE-2016-0189 vulnerability was published on GitHub, Zscaler ThreatLabZ has\r\nbeen closely tracking its proliferation. The first copying of the exploit code we spotted was from the Sundown\r\nexploit kit (EK), followed closely by Magnitude and a resurgent KaiXin EK. In addition to the commoditized\r\nEKs, this exploit code has been leveraged in numerous one-shot and gated web-exploitation campaigns, delivered\r\nthrough a mix of the usual malvertising networks and compromised websites.\r\nThis blog details CNACOM, a web-based campaign that appears to be related to a well-known nation-state actor\r\nmore commonly associated with spear-phishing attacks.\r\nInfection Cycle\r\nFigure 1 - An overview of the campaign's infection flow, highlighting the targeted organizations\r\nhttps://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise\r\nPage 1 of 8\n\nOn November 7, we spotted a malicious injection on the registration page of a major Taiwanese public service\r\nwebsite. An iframe was injected into the footer of the page, which then loaded a unique landing page containing\r\nthe CVE-2016-0189 exploit code.\r\nFigure 2 - An injected iframe with the name \"abc\" redirects visitors to the attack code\r\nThe landing page, hosted on an RHCloud virtual private server (VPS), begins with a nearly identical copy of the\r\nGitHub-published code, though the payload invocation appears to use a sandbox escape via CVE-2015-0116.\r\nhttps://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise\r\nPage 2 of 8\n\nFigure 3 - A VBScript function named \"abc\" uses a combination of CVE-2016-0189 as well as what appears to be CVE-2015-0116 to\r\ngain code execution outside of the Internet Explorer (IE) sandbox\r\nFollowing the exploit code, things get a lot more interesting. The user's external IP address is stored as a string\r\nand an ipToInt() function is defined, followed by a set of subroutines to collect details from the user machine. The\r\ncode gathers the OS version, browser name, version, and language setting, Flash and Java versions, installed\r\nOffice version, and finally the raw User-Agent string from the browser. This is all sent to the RHCloud host via a\r\nGET request. \r\nFigure 4 - The landing page collects many aspects of the user's platform, including MS Office version information\r\nAfter the fingerprinting code, the user's IP address is checked against Taiwanese government network ranges. If\r\nthe user is coming from one of the targeted networks and is using a version of Internet Explorer, exploitation will\r\nbe attempted.\r\nhttps://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise\r\nPage 3 of 8\n\nFigure 5 - The exploitation routine will be triggered for any Internet Explorer version, as long as the user's IP address is in one of the nine\r\ntarget networks\r\nThreatLabZ was able to follow the infection cycle and download a sample that appears to be a variant of the\r\nIXESHE AES malware. IXESHE is a family of backdoor malware known to be utilized by an attack group\r\nidentified by various names including the IXESHE label, APT12, Numbered Panda, and DynCalc.\r\nhttps://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise\r\nPage 4 of 8\n\nFigure 6 - Upper: among other changes seen, the new variant builds stack strings up to 4 bytes at a time. Lower: old variants do it byte-by-byte\r\nUpon execution, the malware gathers the Windows username, hostname, local IP address, and Windows version.\r\nThe hostname is fed to a PJW hash, or ElfHash function to generate a machine ID used in callbacks. The last step\r\nbefore initiating the C\u0026C check-in is to achieve persistence by installing a run key in\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Messenger.\r\nFigure 7 - Simplified decompiled code for the persistence mechanism shows the Run key utilized\r\nThis sample uses almost similar communication techniques as previous variants, with the addition of SSL. In our\r\nobservations, we saw the server present a self-signed certificate with short, random-looking strings in the\r\ninformational fields.\r\nhttps://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise\r\nPage 5 of 8\n\nFigure 8 - A self signed certificate is used for the C\u0026C server\r\nCallback URLs\r\n/CEL%d=%d.cgi?%s - check-in at startup (and after certain C\u0026C reset/error conditions)\r\n/DES%d=%d.cgi?%s - standard beacon, check for command\r\n/RES%d=%d.cgi?%s - response to rsh command\r\n/SDU%d=%d.cgi?%s - error response\r\n/SUS%d=%d.cgi?%s - check-out after receiving shutdown message\r\nAs can be seen above, the callback URLs utilize the same general format: three capital letters denoting the\r\nresponse function or condition, an integer representing the PJW/ElfHash based host ID, an equal sign (\"=\"), a\r\nrandom integer, the string \".cgi?\", and a base64 response blob (which in some cases simply encodes another\r\nrandom integer).  The following regular expression matches this variant's URL path/query components: [CDRS]\r\n[EDU][LSU]\\d+=\\d+\\.cgi\\?[a-zA-Z0-9=\\+\\/]+.\r\nhttps://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise\r\nPage 6 of 8\n\nFigure 9 - A collapsed view of the decompiled C\u0026C command processing code shows handling for multiple input commands and several\r\nresponse types\r\nUnlike many historical IXESHE samples, it appears that this variant doesn't utilize campaign codes embedded in\r\nthe malware itself. This may be due to a more centralized tracking system that only relies on the malware\r\nreporting a machine ID.\r\nConclusion\r\nThis analysis represents a snapshot of recent activity related to the CNACOM campaign. Additionally, we have\r\nidentified an exploitation campaign active in August 2015 that appears to have utilized the HackingTeam Flash\r\nexploit for CVE-2015-5122, though the landing page at that time targeted a different set of Taiwanese government\r\nnetworks. Whether or not the threat actor behind this campaign is actually the group named APT12, the targeting\r\nof Taiwanese government networks and the similarity of this strain to historic IXESHE samples provide strong\r\nreasons for suspicion.\r\nZscaler ThreatlabZ will continue to monitor activity from this group ensuring protection against this threat.\r\nhttps://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise\r\nPage 7 of 8\n\nIndicators of Compromise\r\nFilename: cnacom.exe\r\nSource: cnacom-organied.rhcloud\\.com/cnacom.exe\r\nMD5: ACFA9C664016BFE5DB92557E923744F0\r\nCompile Time: 11/04/2016 11:56:27\r\nHardcoded User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0\r\nC\u0026C: 74.200.214.226\r\nExplore more Zscaler blogs\r\nSource: https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise\r\nhttps://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "references": [ "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise" ], "report_names": [ "cnacom-open-source-exploitation-strategic-web-compromise" ], "threat_actors": [ { "id": "c5f79f58-db78-4cd7-88cf-c029a2199360", "created_at": "2022-10-25T16:07:23.325227Z", "updated_at": "2026-04-10T02:00:04.542909Z", "deleted_at": null, "main_name": "APT 12", "aliases": [ "APT 12", "BeeBus", "Bronze Globe", "CTG-8223", "Calc Team", "Crimson Iron", "DNSCalc", "DynCALC", "G0005", "Group 22", "Hexagon Typhoon", "Numbered Panda" ], "source_name": "ETDA:APT 12", "tools": [ "AUMLIB", "ETUMBOT", "Exploz", "Graftor", "HIGHTIDE", "IHEATE", "IXESHE", "RIPTIDE", "RapidStealer", "Specfix", "THREEBYTE", "bbsinfo", "mswab", "yayih" ], "source_id": "ETDA", "reports": null }, { "id": "d18fe42c-8407-4f96-aee0-a04e6dce219a", "created_at": "2023-01-06T13:46:38.275292Z", "updated_at": "2026-04-10T02:00:02.907303Z", "deleted_at": null, "main_name": "APT12", "aliases": [ "Group 22", "Calc Team", "DNSCalc", "IXESHE", "Hexagon Typhoon", "BeeBus", "DynCalc", "Crimson Iron", "BRONZE GLOBE", "NUMBERED PANDA", "TG-2754" ], "source_name": "MISPGALAXY:APT12", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6a660ea2-1118-404a-9f8f-f0d6a1e9f184", "created_at": "2022-10-25T15:50:23.685924Z", "updated_at": "2026-04-10T02:00:05.364493Z", "deleted_at": null, "main_name": "APT12", "aliases": [ "APT12", "IXESHE", "DynCalc", "Numbered Panda", "DNSCALC" ], "source_name": "MITRE:APT12", "tools": [ "Ixeshe", "RIPTIDE", "HTRAN" ], "source_id": "MITRE", "reports": null }, { "id": "dc0eb4da-1f8c-4f2a-9530-62b0efbb1c35", "created_at": "2025-08-07T02:03:24.608888Z", "updated_at": "2026-04-10T02:00:03.749632Z", "deleted_at": null, "main_name": "BRONZE GLOBE", "aliases": [ "APT12 ", "CTG-8223 ", "DyncCalc ", "Numbered Panda ", "PortCalc" ], "source_name": "Secureworks:BRONZE GLOBE", "tools": [ "Badpuck", "BeepService", "Etumbot", "Gh0st RAT", "Ixeshe", "Mswab", "RAdmin", "Seatran", "SvcInstaller", "Ziyang" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434815, "ts_updated_at": 1775792160, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/aced1deec4e99e43f11e29c9e4e18f5658e55d15.pdf", "text": "https://archive.orkl.eu/aced1deec4e99e43f11e29c9e4e18f5658e55d15.txt", "img": "https://archive.orkl.eu/aced1deec4e99e43f11e29c9e4e18f5658e55d15.jpg" } }