Wednesday, March 12, 2014

LightsOut EK Targets Energy Sector

Late last year, the story broke that threat actors were targeting the energy sector with Remote Access Tools and Intelligence gathering malware.  It would seem that the attackers responsible for this threat are back for more.  This particular APT struck late February between 2/24-2/26.  The attack began as a compromise of a third party law firm which includes an energy law practice known as Thirty Nine Essex Street LLP (www[.]39essex[.]com).  The victim site is no longer compromised, but viewers should show restraint and better browsing practices when visiting.

39essex.com shown as a referral URL to suspicious site.


The compromise leads the victim to another site which provides the attacker with a specific user-agent in the URL field.  The purpose of this is to pass along diagnostics to the attacker so that the proper malicious package is sent to the victim.  This should be taken as a point of identification in administrator logs as this may indicate an attack on your network.

At the time of research, the Java Class file was returning 404.

There are several other locations which show similar activity that are also related to this threat.  Malicious redirects come from IP address 174[.]129[.]210[.]212 should also be taken as suspicious as well as some sites hosted on this domain (aptguide[.]3dtour[.]com).

The URLquery and VirusTotal entries for this IP corroborates the notion that this location played a part in using LightsOut Exploit Kit.  


LightsOut performs several diagnostic checks on the victim's machine to make sure that it can be exploited.  This includes checking the browser and plugin versions.

The deobfuscated Javascript sheds some light on the iframe injection.

More JS Deobfuscation


Checking to see what version of Adobe is installed.

Checking to see if you are IE7.

Checking to see if Java is enabled in the browser.

Ultimately, a payload is delivered from the LightsOut Exploit kit, which attempts to drop a malicious JAR file exploiting CVE-2013-2465. At the time of research, the binary file was no longer available, which suggests that the attack window has now closed for this particular watering hole.  However, other security sources tell us that the site used in the attack is also a known HAVEX RAT CnC.

The recent activity of this threat originating from a site in the energy sector should serve as a warning to those in the targeted industry.  Prior research from other sources tells us that the threat actors involved are highly motivated and agile.  Their motive is to gather intelligence for further attacks, so be on your guard and monitor transaction logs for suspicious activity!

No comments: