AnonGhost to use Remote Code Execution malware in future hack attacks, security researchers at Zscaler claim

Security researcher Chris Mannon points out that in AnonGhost's recent hack attacks, a recent batch of compromised sites contains a malicious link in the defacement message to a "lulz.htm" page. This page apparently contains obfuscated JavaScript code which then leads users to a Dokta Chef Exploit Kit (EK) hosting site. "This appears to be a new tactic whereby a hacktivist group has escalated their activities by attacking users who visit defaced sites," said Mannon. "This is out of character for such groups that generally seem more interested in disrupting private sector compliance with government entities, than targeting end users."

The sample batch of websites used for research by Zscaler are the latest hacking and defacement exploits by alleged AnonGhost members, which include the following websites: swo.gov.sy, syrianpost.gov.sy, myisrael.org.il, madagascar.gov.mg, skynewsinternational.com, ccvs.state.vt.us, txep.uscourts.gov, rsb.wp.mil.pl, navy.gov.au, igc.mowr.gov.iq, embavenez.co.uk and libyanembassy-italy.gov.ly.

Dokta Chef Exploit kit

The Dokta Chef Exploit Kit uses the recently disclosed Microsoft vulnerability CVE-2014-6332 and can affect all Windows machines which are not patched with the Microsoft update. The Dokta Chef EK serves up a malicious payload for Microsoft vulnerability CVE-2014-6332, the Windows OLE Automation Array Remote Code Execution flaw, which was fixed earlier this month with bulletin MS14-064. This flaw is already being exploited by a cyber criminal group called APT3, aka UPS. Zscaler notes that AnonGhost may use this very flaw with the Dokta Chef Exploit Kit. The flaw can cause remote code execution if the victim visits a specially crafted webpage using Internet Explorer. It is triggered when IE improperly accesses Object Linking and Embedding (OLE) objects in memory, Mannon explained.

Mannon stated that at present AnonGhost seems to be focusing only on 32-bit Windows users and IE, with the exploit code crafted to ensure the cycle is terminated if it detects that the machine is not using IE or Windows, or is a 64-bit system. "At the time of research, the end payload was not reachable, but the VirusTotal Scan of the hostname shows a history of dubious activity," said Mannon. If AnonGhost succeeds in spreading its malware through its hacking campaigns, this will give a menacing new edge to what are usually pretty innocuous attacks.
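The observation above gives a defender two concrete things to look for on a defaced page: a link to a "lulz.htm" page, and an inline script that is heavily escaped and passes its output to eval/unescape. The following scanner is an added example written for this article, not Zscaler's tooling or code from the page; the sample HTML, the marker list and the escape-count threshold are constructed assumptions to be tuned against real traffic.

```python
import re
from html.parser import HTMLParser

# Indicator named in the Zscaler write-up: defacement pages linking to "lulz.htm".
SUSPECT_LINK = re.compile(r"lulz\.htm", re.IGNORECASE)
# Assumed markers of obfuscated loader scripts (not from the page).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
# URL-escaped or JS-escaped byte sequences, typical of packed script bodies.
ESCAPED = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
ESCAPE_THRESHOLD = 8  # constructed threshold; tune on real pages


class _Collector(HTMLParser):
    """Collect <a href> targets and the bodies of inline <script> elements."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_page(html):
    """Return a list of findings for one fetched page; an empty list means nothing matched."""
    c = _Collector()
    c.feed(html)
    findings = [f"link to suspect page: {h}" for h in c.hrefs if SUSPECT_LINK.search(h)]
    for body in c.scripts:
        hits = [m for m in OBFUSCATION_MARKERS if m in body]
        escapes = len(ESCAPED.findall(body))
        # Flag only when an eval-style sink is combined with a dense escaped blob.
        if hits and escapes >= ESCAPE_THRESHOLD:
            findings.append(f"obfuscated inline script ({escapes} escapes, markers {hits})")
    return findings


# Constructed sample pages (not real captures): a defacement, a loader page, a clean page.
DEFACED = '<html><body><h1>Hacked</h1><a href="/lulz.htm">lulz</a></body></html>'
LULZ = '<html><script>eval(unescape("%75%6e%65%73%63%61%70%65%28%22%25%37%35%25%36%65"));</script></html>'
CLEAN = '<html><body><script>var x = 1;</script><a href="/about">About</a></body></html>'
```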
