Interestingly, the binary installed on infected machines as part of the attack is signed by a valid certificate issued by VeriSign.
"The main page was injected with a Java JAR file loader which once rendered by the Web browser is executed and attempts to exploit the CVE-2012-0507 vulnerability. The name used for the Java class name ("msf.x.Exploit.class") and the content of the file confirmed that the code was taken from the Metasploit framework" Gianluca Giuliani of Websense said in an analysis of the attack.
"If the exploit code in the JAR file has been successfully executed, the exploit shellcode downloads and runs the executable file named "tools.exe" on the impacted system (MD5: 3c7b7124f84cc4d29aa067eca6110e2f),"
Zegost is a known Remote-Administration Tool(RAT) that's been used in other targeted attacks, specifically in Asia. Once on an infected machine, the backdoor used in the attack on the Nepalese sites initiates an outbound connection to a C&C server hosted on a domain in China at "who.xhhow4.com".
That same Java vulnerability was used in attacks earlier this year on Amnesty International and the Institute for National Security Studies in Israel, Websense said.