How Attackers Target You – Witchcoven Malware

Researchers at FireEye have discovered form of malware that is primarily designed to figure out who the high value targets are.  My guess is that this FORM of malware is far from unique and they say that this particular malware is state sponsored, likely by Russia.  The Witchcoven malware has infected more than a hundred sites and it redirects the user to another, malicious site.  In order for this to happen, those sites had to be compromised to insert the bit of code to do the redirection.  Since that bit of code is so small, it might possibly go undetected.  Think of those 100 sites as (uninfected) typhoid carriers.

The site that the user is redirected to contains the bulk of the malware and is controlled by the attacker.  Since this is not a site owned by or known by the infected carrier, they have no idea that this is happening.  This code could be changed every day if the attacker desires, since the attacker owns the site.  Likely, this site would be registered in a non-friendly country and may be hosted at a “bullet-proof hoster”.  Those are ISPs that charge a lot of money to the hackers, but which completely ignore law enforcement.  Often they are located in eastern European countries and have (bribed) law enforcement personnel on their staff.

That site likely loads a page silently with no visible signs, runs its script and then closes that invisible window.

Using data that your browser coughs up, the malware can decide if you are a target of interest and if you are, insert a persistent cookie on your computer (one which is hard to or nearly impossible to delete).  It might find out what software is installed on your computer, what browser plugins you have installed, what other sites you have visited, your location as revealed by your IP address (which is not always accurate) and a lot more information.

FireEye has found 14 sites hosting the malicious code and thinks that this bit of malware is targeting diplomats, government officials, military personnel and executives in the US and Europe.  At this point, they have not linked any attacks directly to this data collection effort.  In concept, this is not much different from what advertisers do to web surfers every day.

Unfortunately, there is not an easy way to block this form of attack.  Some anti-malware tools may block these sites once they are known, but since these sites are not actually doing anything malicious, they may not block them.  Think of these sites as the targeting analysts that every military organization has.  They don’t do anything bad, but the drones or bombers that they send – well, that is a different matter.


Information for this post came from SCMagazine.

Leave a Reply

Your email address will not be published.