The malicious element is signed with a valid certificate

May 11, 2012 12:30 GMT

Security experts from Websense noticed that between May 8 and 9 their systems detected a malware infection on the site of Amnesty International UK. During this timeframe, visitors may have been served a version of the infamous Remote Administration Tool Gh0st RAT.

According to the researchers, this is not the first time the site of Amnesty International UK has been hijacked. They found it to be compromised back in 2009, and a year later the Hong Kong site was also identified as serving malicious elements.

While analyzing the incident, Websense found that the injection is similar to the one that affected the site of INSS last week. The Java exploit used in both cases is the one that made the Flashback Trojan known worldwide.

In this case, once the exploit was successful, an executable file would be downloaded from a remote location to the targeted device.

Once launched, the executable file, called sethc.exe, created a binary file in the Program Files folder.

The most worrying part is that the application is signed by a valid VeriSign digital certificate, which makes it harder to identify as being malicious. While on the surface it may seem innocent enough, the app actually hides Gh0st RAT, a tool that can be used to gain control over an infected computer.

Cybercriminals usually rely on Gh0st RAT to steal files, emails, passwords, and other sensitive data.

The experts warn that the certificate used to sign the malware has not been revoked and the location from which commands are given to the RAT is still active.

Users who visited the site of Amnesty International UK on May 8 or May 9 are advised to check for signs of the infection by utilizing an up-to-date antivirus solution.