Experts at Zscaler security firm discovered several websites defaced by AnonGhostTeam hacktivists leading to Dokta Chef Exploit Kit and CVE-2014-6332

Many security experts tend to ridicule the threat of hacktivist groups, in many professionals consider the groups that express political dissent through cyber attacks as a harmless threat. Now cyber experts are warning of a new hacktivist campaign managed by the AnonGhostTeam collective that is spreading a malware that allow attackers to gain remote code execution on the infected victims, as explained by Chris Mannon, security expert at Zscaler firm, in a blog post.

The hacktivists belong to the AnonGhostTeam crew is popular to have conducted several hacking campaigns that targeted government and mass media sites in the past.

Mannon explains that the attackers’ activity is not limited to website defacement, several websites recently compromised were used to serve a malware, the hackers in particular used a malicious link in the defacement message to a “lulz.htm” page.

a1

The landing page includes an obfuscated JavaScript code that redirect visitors to a Dokta Chef Exploit Kit (EK) hosting site.

“ During recent research, we found multiple compromised websites containing a malicious link to a “lulz.htm” page, which in turn leads the user to a Dokta Chef Exploit Kit (EK) hosting site. This appears to be  a new tactic whereby a hacktivist group has escalated their activities by attacking users who visit defaced sites. ” states Mannon.

The technique is considered anomalous by the experts because hacktivists usually target government organizations and private business, but never hit end users.

“This is out of character for such groups that generally seem more interested in disrupting private sector compliance with government entities, than targeting end users.” continues Mannon.

The Dokta Chef Exploit Kit (EK) Dokta is becoming popular because is used by hackers to serve a malicious payload for recently disclosed Microsoft vulnerability CVE-2014-6332, which was fixed earlier this November with Microsoft security bulletin MS14-064.

The CVE-2014-6332 vulnerability allows a remote attackers to execute arbitrary code via a crafted web site, the flaw is also known as “Windows OLE Automation Array Remote Code Execution Vulnerability”, WinShock or Unicorn.

“The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free,” IBM reported in the blog post.

The alleged hacktivists are targeting only users with 32-bit Windows systems and IE, Mannon explained that at the time of investigation the malicious payload was not reachable, but he was anyway able to resume the history of the domain used by attackers through site history on VirusTotal Scan online system.

“At the time of research, the end payload was not reachable, but the VirusTotal Scan of the hostname shows a history of dubious activity.,” said Mannon.

Personally,  I do not think that hacktivists are interested in compromising end users, however, if the attribution is confirmed a plausible explanation for this campaign is the intention of the group to compromise a large number of systems to form a botnet to use in subsequent attacks.

Pierluigi Paganini