The VOHO campaign: Gh0st RAT spread by water-holing

This campaign was first chronicled by RSA in July, when it coined the phrase ‘water holing’. Now RSA has published a detailed analysis of the water holing VOHO campaign. What at first glance appears to be a fairly common drive-by campaign (where hosts are compromised and victims are directed to them by mass social engineering) turns out, in VOHO’s case, to be an APT-style targeted attack. Carefully selected websites likely to be of interest to the chosen targets are compromised and left in place – like a predator waiting at the water hole for its prey to visit.

The compromised hosts, says RSA, were largely “involved in business and local governments in Washington, DC and Boston, Massachusetts, as well as organizations involved [in] the development and promotion of democratic process in non-permissive regions. As a whole, these specific TTPs [tools, techniques and procedures] have been observed in previous APT attack campaigns, most notably, Aurora and Ghostnet”.

The compromised water holes contained a JavaScript redirect such as: `src="http://www.*******curling.com/Docs/BW06/iframe.js"`. Throughout its report, RSA redacts the names of the websites concerned – but leaves sufficient clues for the determined to follow. Brian Krebs has made a separate compelling case for this particular site to be torontocurling.com. The general process was for visitors to the watering holes to be silently redirected to a number of infected sites, which would then attempt either a Microsoft XML Core Services exploit or a Java exploit. If successful, the visitor would be infected with a version of Gh0st RAT.

Water hole attacks are proving particularly successful. Since the target chooses to visit a site of personal interest, he or she does so in a state of trust and without taking any additional precautions. During its investigation RSA noted 32,160 visitors (from 730 organizations) being redirected from the compromised water holes to the malicious sites. Of these, 3,934 of the visitors were “seen to download the exploit CAB and JAR files (indicating a successful exploit/compromise of the visiting host),” notes RSA. “This gives a ‘success’ statistic of 12%, which based on our previous understanding of exploit campaigns, indicates a very successful campaign.”
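The redirect chain described above (a trusted site loading a script from a third-party host, followed by the visitor pulling a CAB or JAR from that host) is exactly what a defender can look for in web proxy logs, and RSA’s 12% figure is the same ratio computed over its visitor data. The following Python is an added example, not code from the RSA report or from Infosecurity Magazine: it parses a handful of constructed proxy log lines (placeholder hosts `localnews.example`, `redirector.example` and `cdn.example`, which are assumptions and not the redacted sites in the article), finds clients whose requests to external hosts carried the watering hole as referer, and then reports which of those clients went on to fetch a `.cab` or `.jar` from the same suspect host.

```python
"""Added example: find watering-hole redirect chains and payload fetches in proxy logs.

Log format and host names below are constructed for illustration; an
allowlist of known-good third-party hosts (CDNs, analytics) keeps ordinary
script loads from being flagged.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: client_ip method url referer status ("-" = no referer).
SAMPLE_LOG = """\
10.0.0.5 GET http://localnews.example/ - 200
10.0.0.5 GET http://redirector.example/Docs/BW06/iframe.js http://localnews.example/ 200
10.0.0.5 GET http://redirector.example/applet.jar http://redirector.example/ 200
10.0.0.6 GET http://localnews.example/ - 200
10.0.0.6 GET http://redirector.example/Docs/BW06/iframe.js http://localnews.example/ 200
10.0.0.7 GET http://localnews.example/ - 200
10.0.0.8 GET http://cdn.example/jquery.js http://localnews.example/ 200
"""

# File types RSA treated as the indicator of a successful exploit.
PAYLOAD_SUFFIXES = (".cab", ".jar")


def parse_log(text):
    """Turn the space-separated sample format into a list of dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ip, _method, url, referer, status = parts
        records.append({
            "ip": ip,
            "url": url,
            "referer": None if referer == "-" else referer,
            "status": int(status),
        })
    return records


def host(url):
    return urlparse(url).hostname


def find_redirect_chains(records, watering_hole):
    """Map client IP -> set of third-party hosts loaded with the watering hole as referer."""
    chains = defaultdict(set)
    for r in records:
        if r["referer"] and host(r["referer"]) == watering_hole and host(r["url"]) != watering_hole:
            chains[r["ip"]].add(host(r["url"]))
    return chains


def find_payload_fetches(records, suspect_hosts):
    """Client IPs that successfully pulled a CAB/JAR from a suspect host."""
    hits = set()
    for r in records:
        path = urlparse(r["url"]).path.lower()
        if host(r["url"]) in suspect_hosts and path.endswith(PAYLOAD_SUFFIXES) and r["status"] == 200:
            hits.add(r["ip"])
    return hits


def summarize(records, watering_hole, allowlist=frozenset()):
    """Redirected clients, clients that fetched a payload, and the resulting ratio."""
    chains = find_redirect_chains(records, watering_hole)
    suspect = {h for hosts in chains.values() for h in hosts} - set(allowlist)
    redirected = {ip for ip, hosts in chains.items() if hosts & suspect}
    compromised = find_payload_fetches(records, suspect) & redirected
    rate = len(compromised) / len(redirected) if redirected else 0.0
    return {
        "suspect_hosts": sorted(suspect),
        "redirected": sorted(redirected),
        "compromised": sorted(compromised),
        "success_rate": rate,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG), "localnews.example", allowlist={"cdn.example"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed log this flags `redirector.example` as the only suspect host, two clients redirected to it, and one of them fetching a JAR, so the ratio is 0.5; on real logs the referer chain is the weak signal (referers are often stripped) and the payload fetch is the strong one, which is why both are reported separately.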

RSA believes “these websites [the water holes] were likely chosen with exact precision and great consideration; selected from thousands upon thousands of websites due to familiarity and proximity to the targets of interest that the threat actors responsible for the campaign were truly interested in compromising.” Although never explicit, the clear implication is that those threat actors could belong to a nation-state; but they are almost certainly politically motivated. VOHO, concludes RSA, uses an “attack methodology that matches motives seen in past APT attacks – most notably such as those seen in the Aurora and GhostNet campaigns.”
