C&C server was hosted on a Hong Kong IP address

Nov 24, 2015 22:03 GMT  ·  By

F-Secure, a US-based cyber-security vendor, is reporting on an incident that took place just days before the 3rd ASEAN-United States Summit on 21 November 2015.

Based on the data it gathered, F-Secure says that the website of the US-ASEAN (Association of Southeast Asian Nations) summit was compromised by malicious actors.

Security researchers say that a subdomain of the Secretariat Resource Centre (ARC) was affected: the attackers gained access to the server and appended malicious code to the end of a JavaScript file. A mirror of the compromised script file was also hosted on a remote IP address and loaded as a backup (now offline).

When this script executed in a visitor's browser, it redirected the user to a Hong Kong-based IP address, 43.240.119.35, from which the archive "the 3rd ASEAN Defence Ministers’ Meeting.rar" was downloaded to the user's PC.

Unpacking this archive would infect the computer with malicious spyware, detected as Backdoor:W32/Wonknu.A.

This is a simple backdoor that masquerades as a Kaspersky antivirus version, but it actually runs from "C:\Programdata\kav.exe."

According to F-Secure's analysis, the backdoor connects to 43.240.119.40:443, from where the attackers can issue commands. The backdoor lets them collect details about the local PC, download or upload files, execute local files, create or delete files, create directories, run shell commands, and list or terminate OS processes.
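For defenders, the practical value of a report like this is the set of indicators it quotes: the redirect host, the C&C address and port, the lure archive name and the path the backdoor runs from. The script below is an added example (not F-Secure's tooling or anything from the article) that matches those indicators against log lines; the proxy and endpoint log formats, and the sample lines themselves, are constructed for illustration.

```python
"""Match constructed proxy and endpoint log lines against the indicators
quoted in the article (added example; the log formats are assumptions)."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Indicators quoted in the article.
REDIRECT_IP = "43.240.119.35"            # host that served the .rar archive
C2_IP, C2_PORT = "43.240.119.40", 443    # backdoor command-and-control endpoint
DROPPED_PATH = r"c:\programdata\kav.exe"  # where the backdoor runs from (lower-cased)
ARCHIVE_NAME = "the 3rd asean defence ministers’ meeting.rar"  # lure file (lower-cased)

# Constructed proxy log format: "<ts> <src_ip> <dst_ip>:<dst_port> <method> <url>"
PROXY_RE = re.compile(
    r"^\S+ (?P<src>\S+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<method>\S+) (?P<url>\S.*)$"
)
# Constructed endpoint telemetry format: "<ts> PROCESS_START <image path>"
PROC_RE = re.compile(r"^\S+ PROCESS_START (?P<path>.+)$")


@dataclass
class Hit:
    line_no: int
    indicator: str
    line: str


def match_line(line: str) -> list:
    """Return the names of every indicator the line matches (empty if none)."""
    found = []
    m = PROXY_RE.match(line)
    if m:
        dst, port = m["dst"], int(m["port"])
        if dst == C2_IP:
            # Port 443 is what the report quotes; any other port on the same
            # host is still worth a look, so tag it separately.
            found.append("c2-beacon" if port == C2_PORT else "c2-host")
        if dst == REDIRECT_IP:
            found.append("redirect-host")
        # Percent-decode so an encoded space or apostrophe still matches.
        if ARCHIVE_NAME in unquote(m["url"]).lower():
            found.append("lure-archive")
    m = PROC_RE.match(line)
    if m and m["path"].strip().lower() == DROPPED_PATH:
        found.append("dropped-backdoor")
    return found


def scan(lines) -> list:
    """Scan an iterable of log lines and return one Hit per matched indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for indicator in match_line(line):
            hits.append(Hit(n, indicator, line))
    return hits


# Constructed sample log: one benign request, the lure download, the dropped
# binary starting, the C2 beacon, and a contact with the C2 host on another port.
SAMPLE_LOG = [
    "2015-11-18T09:12:01Z 10.0.0.21 93.184.216.34:443 GET https://example.org/index.html",
    "2015-11-18T09:12:05Z 10.0.0.21 43.240.119.35:80 GET "
    "http://43.240.119.35/the%203rd%20ASEAN%20Defence%20Ministers%E2%80%99%20Meeting.rar",
    r"2015-11-18T09:13:40Z PROCESS_START C:\ProgramData\kav.exe",
    "2015-11-18T09:13:42Z 10.0.0.21 43.240.119.40:443 CONNECT 43.240.119.40:443",
    "2015-11-18T09:20:00Z 10.0.0.21 43.240.119.40:80 GET http://43.240.119.40/",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.indicator}: {hit.line}")
```

Exact-match indicators such as these age quickly once the infrastructure is abandoned, so they are most useful for retrospective hunting over the window around the summit; the more durable control against this kind of compromise is integrity monitoring of the site's own JavaScript, which would have caught the appended code regardless of which IP it redirected to.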

This particular backdoor was first seen last August, when it was trying to pass itself off as a Java executable (Javaw.exe).