Attackers compromised Bangladeshi Embassy website to distribute malicious Word documents

• Attackers compromised Bangladeshi Embassy website to install malware onto visitors’ systems via malicious Word documents.
• Trustwave notified the Bangladeshi Embassy website about the infection, However, the site still remains infected.

What's the issue - Attackers compromised Bangladeshi Embassy website in Cairo to distribute malicious Microsoft Word documents and install malware onto victims’ systems.

The big picture

In January 2019, researchers from Trustwave detected the compromised web site that delivers a malicious Word document whenever a user visited the site.

• Upon examining the website, researchers noted that when users visit the website, it would force download a malicious Word document ‘Conference_Details.docx’, which is embedded with a malicious EPS script.
• Once the malicious Word document is opened, the EPS script exploits the CVE-2017-0261 vulnerability.
• The vulnerability allows attackers to perform remote code execution on the infected computer.
• Once the EPS file is executed, two binaries are extracted which exploits the CVE-2017-7255 vulnerability that provides privilege escalation for the execution of the main payload.
• Finally, the Godzilla loader is dropped.
• The loader then collects information about the infected machine and communicates back with the C&C server.
• Once communication is established with the C&C server, it drops additional payloads.

Worth noting

• Upon examining the compromised website, researchers noted that the attackers' ability does not end with uploading malware, but they could also modify the web server’s configuration.
• Antivirus detection rates for this malicious site were low, only 3 engines including Trustwave, Bitdefender, and Fortinet were able to detect.
• While Trustwave detected the executable as Godzilla loader, VirusTotal detects the executable a password-stealing trojan.

Why it matters - Trustwave notified the Bangladeshi Embassy website about the infection, However, the site still remains infected.

“Despite this lack of sophistication, we need to consider the potential of such an attack: An embassy site is, for all intents and purposes, a government site. This attacker was not an APT, but they could have been. The attack may not have been sophisticated, but it could have been,” Trustwave said in its blog.