Security company Avast said on Thursday that a U.S. federal agency has been hosting a backdoor that can provide full visibility and complete control of the agency’s network, and found that its researchers were unable to contact the responsible administrator.
This U.S. International Committee on Religious FreedomIt is related to international rights and regularly communicates with other U.S. agencies and international governments and non-governmental organizations.Security company issued a copy of Blog post After repeated attempts to report the results of the investigation directly and through existing channels of the U.S. government. The post did not name the organization, but a spokeswoman did it in the email. Representatives of the committee did not respond to emails seeking comment.
A member of the Avast Threat Intelligence team wrote:
Although we have no information about the impact of this attack or the actions taken by the attacker, based on our analysis of the relevant documents, we believe that it is reasonable to conclude that the attacker was able to intercept and possibly steal all local network traffic to this organization. This may include information exchanged with other U.S. government agencies and other international governments and non-governmental organizations (NGOs) concerned with international rights. We also have signs that attackers can run code of their choice in the operating system context of the infected system, giving them complete control.
Bypass firewall and network monitoring
The working principle of this backdoor is to replace a normal Windows file named oci.dll with two malicious files-one early in the attack and the other later.Implementation of the first imposter file wind direction, A legitimate tool used to capture, modify, or discard network packets sent to or from the Windows network stack. This file allows the attacker to download and run malicious code on the infected system. Avast suspects that the main purpose of the downloader is to bypass firewalls and network monitoring.
In the later stages of the attack, the intruder replaced the fake oci.dll downloader with code that decrypts a malicious file named SecurityHealthServer.dll and loads it into memory. The function and process of this second fake DLL are almost the same as rcview40u.dll, which is a malicious file. Spy-driven supply chain hackers Attacks against South Korean organizations in 2018.
Avast
“Due to the similarity between this oci.dll and rcview40u.dll, we believe that the attacker may have accessed the source code of rcview40u.dll three years ago,” the Avast researchers wrote. “The newer oci.dll has some subtle changes, such as launching the decrypted file in a new thread instead of in the function call made by rcview40u.dll. oci.dll is also compiled for the x86-64 architecture, and rcview40u.dll Only compiled for x86 architecture.”
The net effect of the attack sequence is that the attackers can disrupt the federal agency network in some way, allowing them to execute code with the same unrestricted system permissions as the operating system, and capture any traffic in and out of the infected machine.
Since officials of the infected agency did not contact the Avast researchers, they were unable to determine what the attacker did inside the network. But its meaning is obvious.
The researcher wrote: “It is reasonable to assume that some form of data collection and network traffic leakage has occurred, but this is an educated guess.” “In addition, because this can provide complete visibility of the network and access to the infected system With complete control, a further reasonable guess is that this may be the first step in a multi-stage attack to penetrate more deeply into classic APT or other network-based operations.”
