May 30, 2011 17:28 GMT
Democratic Party of Hong Kong website used to launch drive-by download attack

The website of the Democratic Party of Hong Kong was compromised and rigged with a zero-day Flash exploit that infects visitors with a piece of information-stealing malware.

According to security researchers from Kaspersky Lab, this attack's components were almost identical to those of an earlier one against the website of Amnesty International UK.

A rogue iframe was injected into the English version of dphk.org and pointed to an exploit.html page hosted on the same domain.

The page loaded three different exploits for the CVE-2011-0611 Flash vulnerability that was patched by Adobe earlier this month.

What is interesting about this attack is the method used to deliver the malware. In most cases the payload is embedded in the exploit itself; here it was cached by the victim's browser in advance, and the exploit's only job was to run it from the cache folder.

The browsers were tricked into caching the malicious file because it was served as an image file called newsvine.jp2.
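A defender can catch this trick by comparing the type a cached object was served as with what its bytes actually are. The following check is an added example, not code from the article or from Kaspersky Lab; it assumes you can enumerate cached or proxied objects as (name, bytes) pairs, and the sample cache entries are constructed for illustration.

```python
import struct

# JPEG 2000 "signature box" that every well-formed .jp2 file starts with
JP2_SIGNATURE = bytes.fromhex("0000000C6A5020200D0A870A")
IMAGE_EXTENSIONS = {"jp2", "j2k", "jpx", "jpg", "jpeg", "png", "gif", "bmp"}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_jp2(data: bytes) -> bool:
    return data.startswith(JP2_SIGNATURE)


def scan_cache(entries):
    """Return (name, reason) for cached objects whose image extension does not
    match their content: a PE file under any image name, or a .jp2 that lacks
    the JPEG 2000 signature."""
    findings = []
    for name, data in entries:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in IMAGE_EXTENSIONS:
            continue
        if is_pe(data):
            findings.append((name, "pe-disguised-as-image"))
        elif ext in ("jp2", "j2k", "jpx") and not is_jp2(data):
            findings.append((name, "not-a-jp2"))
    return findings


def build_fake_pe() -> bytes:
    """Constructed stand-in for a Windows executable: MZ header, e_lfanew=0x40, PE magic."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


# Constructed cache listing: one executable masquerading as a JPEG 2000 image
SAMPLE_CACHE = [
    ("newsvine.jp2", build_fake_pe()),
    ("banner.jp2", JP2_SIGNATURE + b"\0" * 32),
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 32),
]

if __name__ == "__main__":
    for name, reason in scan_cache(SAMPLE_CACHE):
        print(f"{name}: {reason}")  # newsvine.jp2: pe-disguised-as-image
```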

"If one of the malicious Flash files is successful in downloading and executing the newsvine.jp2 file hosted on the server, it immediately drops a couple of files, pe.dll and srvlic.dll.

"These files are loaded and the Delphi component decrypts its more sensitive information in-memory and phones collected information off of the system to loveusa.dyndns-blog.com. The drop server is not active at this point," explains Kaspersky Lab expert Kurt Baumgartner.

In addition to the Amnesty International UK website, the same infection was reported by Symantec on two human rights websites in Hong Kong and the Philippines.

The nature of the targeted sites suggests that this is an attack against human rights activists and democracy supporters in Asia, with the malware phoning back to a server in Hong Kong.