Malicious domain points to group that also attacked Nikkei

Oct 13, 2014 09:48 GMT  ·  By

Malicious code has been planted on four websites dedicated to promoting and defending democracy in Hong Kong.

Researchers at Washington-based Volexity observed that the websites of the Alliance for True Democracy (ATD), the Democratic Party Hong Kong (DPHK), People Power, and the Professional Commons have been compromised and are serving malicious code to their visitors.

Volexity is a security firm specializing in incident response and threat suppression, as well as digital forensics.

JavaScript pulled from domain known for advanced persistent threat activity

The researchers say that, in the case of ATD and DPHK, potentially malicious JavaScript is loaded from “java-se.com,” a domain that Volexity says “is known bad and associated with APT activity.”

When the blog post was written on Thursday, the domain was hosted on a machine in Japan.

ATD also appears to host a password-protected backdoor webshell. “This is a fairly popular webshell that Volexity has encountered on several occasions when dealing with website compromises,” Steven Adair of Volexity wrote.

The purpose of such a webshell is to retain access to the compromised system even after the injected code is detected and removed.

Java-se.com first drew attention after an APT attack on the high-profile Japanese website nikkei.com in early September: a subdomain was compromised and carried a modified JavaScript file that loaded content from the malicious domain.

Malicious iframe used on People Power organization in Hong Kong

The researchers' investigation then led them to the website of the political coalition People Power, known for its pro-democracy stance.

After analyzing the website, Volexity discovered that it contained malicious iframes pointing to exploit pages. The links had been shortened through the Chinese URL shortening service 985.so, which hides their real destination.

The researchers found four links of this sort, three of them leading to exploits hosted on a single IP address.

“These pages load scripts that conduct profiling of the system for various software, plugins, and other related information, as well as load Java exploits designed to install malware on the target system. If successful, the exploits will install either a 32-bit or 64-bit version of the malware,” Adair says.

The picture is less clear for the website of the Professional Commons: it contains a suspicious iframe pointing to a page on a hotel website in South Korea, but that landing page no longer exists and the request is simply redirected to the hotel's main page.
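The compromises described above all rely on a page loading content from somewhere it should not: an external script (ATD, DPHK) or an iframe pointing through a URL shortener to an exploit page (People Power). The following added example, written for this article and not part of Volexity's tooling, is a small defender-side check that parses a page's HTML and flags external script and iframe loaders, using the two hosts named in the article as indicators; the sample HTML and the page host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators named in the article; assumed here to be the only known-bad hosts.
KNOWN_BAD_HOSTS = {"java-se.com"}
# URL shorteners conceal the real destination; the article names 985.so.
SHORTENER_HOSTS = {"985.so"}

class _LoaderCollector(HTMLParser):
    """Collect every <script> and <iframe> that has a src attribute."""
    def __init__(self):
        super().__init__()
        self.loaders = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = dict(attrs)
            if a.get("src"):
                self.loaders.append((tag, a))

def _is_hidden(attrs):
    """Injected iframes are usually sized to 0/1 px or styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_suspicious_loaders(html, page_host):
    """Return (tag, src, reasons) for each loader pulling from a foreign host."""
    parser = _LoaderCollector()
    parser.feed(html)
    findings = []
    for tag, a in parser.loaders:
        host = (urlparse(a["src"]).hostname or "").lower()
        if not host or host == page_host:
            continue  # relative or same-origin resource; not an external loader
        reasons = []
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known-bad host")
        if host in SHORTENER_HOSTS:
            reasons.append("url-shortener destination")
        if tag == "iframe" and _is_hidden(a):
            reasons.append("hidden iframe")
        if not reasons:
            reasons.append("external " + tag)  # worth review, not proof of compromise
        findings.append((tag, a["src"], reasons))
    return findings

# Constructed sample page: one legitimate local script, one script from the
# known-bad host, one hidden shortener iframe, one ordinary external embed.
SAMPLE_HTML = """<html><body>
<script src="/js/menu.js"></script>
<script src="http://java-se.com/j.js"></script>
<iframe src="http://985.so/abc1" width="0" height="0"></iframe>
<iframe src="https://videos.example.org/embed/1" width="560" height="315"></iframe>
</body></html>"""
```

Running `find_suspicious_loaders(SAMPLE_HTML, "www.example-party.hk")` flags the java-se.com script, the hidden 985.so iframe, and the ordinary external embed for review, while ignoring the same-origin script.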