Malicious campaign spreads to 4,000 additional websites

Nov 15, 2015 10:52 GMT  ·  By
Malicious code that redirects users to a page serving ransomware, detected by Zscaler on Chinese government website

Palo Alto Networks has taken a second look at an infection that affected a Chinese government website and has found that, despite initial reports saying the malicious campaign had stopped, the compromised site managed to fool the security vendor that discovered the infection into thinking it had been taken down.

The campaign was initially spotted by Zscaler on November 3 and affected all users visiting the cxda[.]gov[.]cn website. Accessing the site would redirect users to a third-party-hosted page where the Angler Exploit Kit would infect victims with the CryptoWall 3.0 ransomware.

Zscaler observed the campaign rage on for 24 hours but said it stopped after that.

After further analysis...

As per Palo Alto Networks' routine of analyzing and monitoring the security threats discovered by other vendors, the company observed that, in spite of Zscaler's initial conclusion, the threat originating from this domain continued to manifest itself for days after the first sighting, not just 24 hours.

Palo Alto researchers explain this by a "dormant" and "filtering" functionality included in the campaign's malicious code.

Apparently, the attackers deliver the malicious code to targets only the first time they visit the site, as a precautionary measure to avoid analysis and reverse engineering by security researchers.

Additionally, the malicious payload executes only when the site is accessed from specific IP ranges, and to users with particular local software configurations, to maximize the exploit kit's efficiency and probably to save bandwidth in cases where Angler refuses to execute.

Because of this dormant functionality, Palo Alto claims that initial reports of the campaign's shutdown were false.

"At the time of this report, using our malicious web content scanning system, we have already discovered more than four thousand additional, similarly compromised websites globally exhibiting the same ability of being able to be dormant or active depending on source IP and user agent," said Palo Alto's Yuchen Zhou and Wei Xu.
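The dormant/active behaviour described above (injection served only on a first visit, only to some source networks and only to some user agents) is exactly what a single fetch misses. As an added example, not code from Palo Alto Networks, Zscaler or the article, the following differential check compares bodies of the same URL fetched under different conditions and reports which third-party resources appear only in some variants; the observations, condition labels and the landing URL are constructed.

```python
import hashlib
import re
from collections import defaultdict

# Constructed observations of one URL fetched under different conditions
# (hypothetical scanner output, not data from the article). Each entry is
# (condition, html_body). Only the first visit from a residential-looking
# network with a browser user agent receives the injected iframe.
CLEAN = "<html><body><h1>Portal</h1><script src=/js/app.js></script></body></html>"
INJECTED = CLEAN.replace(
    "</body>",
    '<iframe src="http://landing.invalid/land.php" width=0 height=0></iframe></body>',
)
OBSERVATIONS = [
    ({"net": "home-isp", "ua": "IE11", "visit": 1}, INJECTED),
    ({"net": "home-isp", "ua": "IE11", "visit": 2}, CLEAN),       # dormant on repeat visit
    ({"net": "cloud-scanner", "ua": "IE11", "visit": 1}, CLEAN),  # filtered by source IP
    ({"net": "home-isp", "ua": "curl", "visit": 1}, CLEAN),       # filtered by user agent
]

# Absolute script/iframe sources; relative first-party paths are ignored.
RESOURCE_RE = re.compile(r'<(?:script|iframe)[^>]+src=["\']?(https?://[^"\'\s>]+)', re.I)


def external_resources(html):
    """Return the set of absolute third-party script/iframe sources in a page body."""
    return set(RESOURCE_RE.findall(html))


def cloaking_report(observations):
    """Group fetches by body hash and flag resources served only under some conditions.

    Returns (variants, suspicious): variants maps a short body hash to the list
    of conditions that produced it; suspicious maps each resource URL that is
    absent from at least one variant to the conditions under which it was served.
    """
    variants = defaultdict(list)
    resources = {}
    for cond, body in observations:
        digest = hashlib.sha256(body.encode()).hexdigest()[:12]
        variants[digest].append(cond)
        resources[digest] = external_resources(body)
    # Baseline: resources present in every variant are not evidence of cloaking.
    common = set.intersection(*resources.values()) if resources else set()
    suspicious = defaultdict(list)
    for digest, conds in variants.items():
        for url in resources[digest] - common:
            suspicious[url].extend(conds)
    return dict(variants), dict(suspicious)
```

A site that returns two or more body variants, with a third-party script or iframe present in only some of them, is a candidate for the kind of conditional compromise the researchers describe and should be re-fetched under varied conditions before being declared clean.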

Active and dormant times for cxda[.]gov.cn
