Nepalese Government Web Sites Serving Malware
The sites for the National Information Technology Center and the Office of the Prime Minister and Council Minister have been compromised.
According to Websense researchers, two Nepalese government Web sites, those for the country's National Information Technology Center (NITC) and the Office of the Prime Minister and Council Minister, have been hacked and injected with malicious code designed to exploit the Java vulnerability CVE-2012-0507.
"The aim of this injection is to install, through successfully exploiting that Java weakness, a backdoor that is also dubbed 'Zegost' on the systems of visitors to these websites," writes Websense security researcher Gianluca Giuliani.
"That same Java vulnerability was used in attacks earlier this year on Amnesty International and the Institute for National Security Studies in Israel, Websense said," writes Threatpost's Dennis Fisher. "All three of those attacks used code that was taken from a Metasploit module for the Java flaw and researchers said that the backdoors used in the Nepalese and Amnesty attacks connected back to command-and-control servers on the same domain in China."
"Zegost is a common remote administration tool and is capable of logging keystrokes, remote code execution, and stealing and transferring data," writes SecurityWeek.com's Fahmida Y. Rashid. "The backdoor in the Nepalese attacks opened an outbound connection to a remote command-and-control server hosted on 'who.xhhow4.com,' a domain based in China, Giuliani said."