The Georbot cyber-spy infection was found in systems being used in governmental ministries, parliament, banks and even NGOs. The purpose of the malware was “collecting sensitive, Confidential Information about Georgian and American security documents,” CERT-Georgia said, and added that it has established a connection with official Russian security agencies.
Georgia worked with the FBI, Department of Homeland Security, US Secret Service, US-CERT, Governmental-CERT-Germany, CERT-Ukraine, CERT-Polska, the Microsoft Cybersecurity Division and various law-enforcement agencies to obtain log files and system images for forensic analysis.
To kick off the campaign, several Georgian news-related sites and government servers were hacked, but the malicious script was injected only into pages presenting specific content. So, when a reader looked for news on security topics in particular (with headlines like, “NATO delegation visits Georgia,” and news about US-Georgian agreements and meetings, and Georgian military news), the reader’s machine was served the malicious code.
“[The] cyberattack was designed very smartly,” CERT said in its analysis. “Various Georgian news-related websites were hacked and modified…and only the persons who was [sic] interested in such information were infected with this advanced threat, despite…security defensive measures and [anti-malware] software used on [the] target’s computer and network systems. [The] threat was highly encrypted and used contemporary stealthy techniques, so that none of [the] security tools could identify it.”
Once executed, the malware took full control of the computer, searching document files and PDFs for sensitive keywords. It also captured video and audio using the PC’s built-in camera and microphone, and it could take screenshots. It could send any file from the local hard drive to the remote server, steal certificates, scan the local network to identify other hosts on the same network and execute arbitrary commands on the infected system.
In all, CERT-Georgia found 390 infected computers, suggesting that the keyword-based news targeting was effective. About 70% of them were in Georgia, 5% in the US, and the rest scattered globally.
In terms of countermeasures, CERT-Georgia blocked each of the six command & control (C&C) IP addresses governing Georbot (including those it found were hosted by the Russian Business Network), through the country’s three main ISPs. It also identified all Georgian infected addresses and offered mitigation strategies and cleaning tools to infected agencies and institutions, working with Microsoft, ESET, Snort, Cisco and various blacklists and blocklists to create mitigating tools and signatures.
Security researchers at AlienVault examined the infection method more closely and found that, to compromise victims, the attackers placed JavaScript code or iframes into websites that led to exploit code targeting several vulnerabilities, including CVE-2010-0842, CVE-2006-3730, MS06-057 and some Java exploits.
Once the exploit code executes, a payload named calc.exe, which contains the malware, is downloaded from the remote server. The malware uses a custom packer to evade security products, and it uses obfuscation to hide both its configuration values and its API calls.
“The malware uses HTTP to communicate with the C&C server,” AlienVault noted. “It contains several commands to upload and retrieve information from the victim. It also looks for malware updates every once in a while.”
AlienVault also published code to detect the malware.
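The watering-hole stage described above (JavaScript or iframes injected into selected news pages) is something a site owner can audit for. The scanner below is an added example written for this article, not code from CERT-Georgia or AlienVault: it walks page HTML and flags any iframe or external script whose host is not on the site’s own allow list, noting whether an iframe has been made invisible. The allow list, page paths and HTML are constructed for illustration, and the off-site hosts are documentation placeholders, not indicators from the real campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectionScanner(HTMLParser):
    """Collect <iframe>/<script> tags whose src points to a host not on the allow list."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host in self.allowed:
            return  # relative path or same-site resource: nothing to flag
        style = a.get("style", "").replace(" ", "").lower()
        # Injected iframes are usually made invisible so visitors notice nothing.
        hidden = tag == "iframe" and (
            a.get("width") == "0" or a.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "host": host, "hidden": hidden})

def scan_page(html, allowed_hosts):
    """Return the off-site iframe/script references found in one page's HTML."""
    p = InjectionScanner(allowed_hosts)
    p.feed(html)
    p.close()
    return p.findings

def scan_site(pages, allowed_hosts):
    """Map page path -> findings, keeping only pages that need review."""
    return {path: f for path, html in pages.items()
            if (f := scan_page(html, allowed_hosts))}

# Constructed sample pages; 198.51.100.7 and attacker.example are
# documentation placeholders, not indicators from the real campaign.
SAMPLE_PAGES = {
    "/news/weather": '<html><head><title>Weather</title><script src="/js/app.js">'
        '</script></head><body><iframe src="https://www.example-news.ge/embed/1">'
        '</iframe></body></html>',
    "/news/nato-visit": '<html><head><title>NATO delegation visits Georgia</title>'
        '</head><body><p>Story text</p><iframe src="http://198.51.100.7/x.php" '
        'width="0" height="0" style="display:none"></iframe>'
        '<script src="http://attacker.example/a.js"></script></body></html>',
}
```

Running `scan_site(SAMPLE_PAGES, ["www.example-news.ge"])` reports only the NATO story, with a hidden off-site iframe and an off-site script; pages on the targeted topics are the first place to look, but scanning the whole site is what catches a selective injection.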
Georgia claims that Russia is behind the attack: “In 2011-2012, during this new cyber espionage attack, we have identified Russian security agencies, once again,” it said. “After that Russian news agencies spread disinformation based on ESET’s report blaming [the] Georgian governmental website (which was hacked) for serving malicious files.”