Nepalese Government Sites hacked and serves Zegost RAT

Researchers have detected that two Nepalese government websites, the National Information Technology Center (NITC) and the Office of the Prime Minister and Council Minister (nitc.gov.np and opmcm.gov.np respectively), have been compromised and serves Zegost(Gh0st RAT) malware.

The site injected with malicious code that tries to exploit the Java vulnerability CVE-2012-0507. After successul exploitation, it will infect the visitor system with the Zegost.

Interestingly, the binary installed on infected machines as part of the attack is signed by a valid certificate issued by VeriSign.

"The main page was injected with a Java JAR file loader which once rendered by the Web browser is executed and attempts to exploit the CVE-2012-0507 vulnerability. The name used for the Java class name ("msf.x.Exploit.class") and the content of the file confirmed that the code was taken from the Metasploit framework" Gianluca Giuliani of Websense said in an analysis of the attack.



"If the exploit code in the JAR file has been successfully executed, the exploit shellcode downloads and runs the executable file named "tools.exe" on the impacted system (MD5: 3c7b7124f84cc4d29aa067eca6110e2f),"

Zegost is a known Remote-Administration Tool(RAT) that's been used in other targeted attacks, specifically in Asia. Once on an infected machine, the backdoor used in the attack on the Nepalese sites initiates an outbound connection to a C&C server hosted on a domain in China at "who.xhhow4.com".


That same Java vulnerability was used in attacks earlier this year on Amnesty International and the Institute for National Security Studies in Israel, Websense said.