Tagsbackdoor, hacking, Malware, security, USA, Vulnerability
Super secure VPN
Minimal data logging
Czech security firm Avast reported that a backdoor was identified in a US federal agency’s network, the United States Commission on International Religious Freedom (USCIRF).
Reportedly, the attackers targeted the agency in an APT-inspired operation and installed a backdoor to compromise its internal network.
Avast Threat Intelligence Team stated that it tried to notify the agency about the intrusion but didn’t receive any favorable response, which is why it decided to disclose its findings. Though Avast didn’t reveal the agency’s name in its report, its representative later disclosed the name.
SEE: Kaspersky spots CIA malware with backdoor capabilities
“We contacted the agency and spoke to its executive director [Erin D. Singshinsuk] in May. We also reached out to the incident response wing of the federal government over the proper channels, providing all the information we had collected over this case, including a malware sample. CISA was [also] one of the agencies we talked to in order to help us reach the victim, [in June],” Avast’s representative stated.
The attack allowed attackers to intercept and exfiltrate all local network traffic on the compromised systems. The attackers gained total network visibility and obtained full control of the system, which they used as the initial step in their multi-stage attack to penetrate the agency’s networks deeply.
According to Avast, the attack was conducted in two stages. The attacker(s) deployed two malicious binaries to enable internet traffic interception, execute the code of their choice, and gain control of the infected system by abusing Windows’ WinDivert packet capturing utility.
Flowchart shared by Avast:
Avast revealed that at the moment, it has information about a few “parts of the attacking puzzle,” and many critical aspects are yet to be discovered. Such as the nature of the initial access vector attackers used to breach the agency’s network, post-exploitation actions sequence, and the breach’s overall impact on the agency.
SEE: Windows finger command abused to download MineBridge backdoor
“It is reasonable to presume that some form of data gathering and exfiltration of network traffic happened, but that is informed speculation. That said, we have no way to know for sure the size and scope of this attack beyond what we’ve seen,” researchers noted.
The backdoor replaces a standard Windows file named oci.dll with two malicious files. One is used in the first stage and the other during the later stage. The first file implements WinDivert, through which the attackers download and execute malicious code on the compromised system, bypass firewalls, and monitor the network.
Researchers identified that during the second stage, the attackers replaced the oci.dll downloader with a code that decrypted a malicious file named SecurityHealthServer.dll, which is then loaded into its memory.
This decryptor is pretty similar to another executable rcview40u.dll identified by Trend Micro in 2018 during the Operation Red Signature supply chain attack targeted against South Korean organizations.
Avast researchers suspect that the attackers who targeted USCIRF had access to the source code of the executable.
Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.
I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism
Get the best stories straight into your inbox!
Don’t worry, we don’t spam
App Store Google News
HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.
Hackread.com is among the registered trademarks of Gray Dot Media Group Ltd. Company registration number 12903776 in regulation with the United Kingdom Companies House. The registered address is 85 Great Portland Street, London, England, W1W 7LT
The display of third-party trademarks and trade names on the site do not necessarily indicate any affiliation or endorsement of Hackread.com. If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.