Tuesday, November 15, 2022

Deception at scale: How attackers abuse governmental infrastructure

 Continuing our initiative of sharing VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, we are proud to announce our “Deception at scale: How attackers abuse governmental infrastructure” report. Here are some of the main ideas presented there:

  • Governmental domains are among the top categories used by attackers in 2022 to distribute malicious content. 

  • We found dozens of government-related domains hosting many kinds of malware, including trojans, ransomware, phishing, coin miners, banking malware, and lateral movement tools.

  • Although some affected domains seem to be victims of opportunistic attacks, there are indicators that some of them were targeted by sophisticated attackers who abused their infrastructure to deploy their toolsets.

  • Using legitimate government domains for malware hosting can enable an attacker to improve the efficiency of social engineering attacks and avoid defenses and alerts based on deny/allow lists.

  • We also found traces of various webshells hosted in dozens of governmental domains. 

  • More generally, we observed an increase of phishing levels in 2022 along with a large distribution of suspicious PDFs. Recently created XLSX files seem to replace DOCX as the preferred mechanism to distribute  malware.

For full details, you can download the report here

In this blog post we will focus on technical hunting and monitoring ideas you can use to prevent such cyberattacks. We also provide additional technical details for some of the most interesting cases we provide in the report.

Domain categories abused by attackers 

Domains and URLs processed by VirusTotal are categorized by third party solutions, this data can typically be found in the “Details” tab:

You can use the following simple query to get domains categorized as, for example, military:

Unfortunately categories among different vendors might vary a lot as they use different criteria and spelling. Roughly speaking, categories can be grouped in two sets: one related to the business activity of the domain and a second one describing the type of threat detected. This is an important point to keep in mind while working on your own VT Intelligence queries.

We can add additional modifiers to our query. For instance the following query gets URLs (instead of domains) following a particular pattern:

We can add search modifiers for HTML content, metadata, and much more. You can find in the following links the whole list of search keywords for domains and URLs.

Each entity could be tagged by multiple categories at the same time, so you can combine them to search in VT Intelligence, below we provide some examples:

  • Malicious activity on CDN domains:

  • Suspicious phishing/malicious URLs/domains:

  • Suspicious Command and Control login URLs:

  • Suspicious waterhole attacks:

  • Sites distributing cracks for video games:

We did our best to unify different criteria to understand what are the top categories distributing malicious content. We were surprised to see Government among top results by number of domains:

Government-related infrastructure

We found several interesting representative examples when analyzing suspicious activity on governmental infrastructure. The following infographic shows top TLDs for government-related suspicious domains we found in VirusTotal in 2022. We decided to exclude non-specific TLDs (such as .com, .net, .org, etc) from this list.

We manually double-checked different cases we found interesting, described below.

Malware hosting

We found all kinds of malicious content hosted by governmental domains, including phishing, downloaders and trojans, ransomware, lateral movement tools, cryptominers and bankers. To obtain a first list to start working with, we used queries similar to the ones described before to find potentially compromised governmental infrastructure, followed by additional filtering and manual checking. 

Below we describe a few cases we found interesting.  

  • A sample of the Coper Android banking trojan was hosted on an Indonesian governmental entity website.

  • Malware with keylogger and screenshot capabilities hosted in a government office website in Bangladesh for around three months, according to telemetry.

  • A Peruvian governmental site hosted a sample of the dangerous njRAT. This particular sample was first seen in November 2021, and the site already cleaned it up at the time of writing the report, however we found more samples active on the same timeframe and using the same C2 server.

We also found traces of targeted attacks and lateral movement tools hosted in some victims.

  • Traces of Mimikatz hosted in a subdomain of a (likely compromised) public hospital in Indonesia.

  • A Cobalt Strike sample hosted in a Sri Lankan governmental entity last July 2022 under a non-suspicious name.

As for Ransomware, a regional governmental domain in the Philippines was found hosting an AgentTesla sample by mid 2021. Attackers seem to have abused a vulnerability in the CMS to deploy their sample under a URL clearly used for social engineering, greatly increasing its potential to spread.

Suspected webshells

We tried to find (potentially compromised) government-related sites hosting webshells. This is not an easy task, so we played with some ideas. For instance, we searched for common names used by webshells in governmental domains detected as suspicious by antivirus engines. We also combined searching for common content in webshell files with antivirus verdicts. Unfortunately, these queries still provided too many false positives, so we had to manually double check them. Below we detail some interesting findings, all found in governmental infrastructure: 

  • This JPG file embeds PHP code inside the comment section. This is an old well known technique that still seems to be effective to avoid antivirus detection.

Most of the URLs distributing this malware ITW listed in the Relations tab have 0 detections, probably legitimate compromised sites.

  • This PHP webshell, presented as a PDF file, was first seen in VirusTotal in 2013. Since then, the malware has been distributed ITW by at least 29 different domains. Interestingly, when crawled by any search engine bot it returns a 404 error value to avoid being indexed.

  • PHP webshells camouflage themselves as images using different techniques. In this case, this webshell adds the GIF89GHZ string at the beginning of the file to mislead filetype detection. The ITW list of URLs distributing this sample is pretty impressive. It also shows that most of the time this webshell is hosted as a GIF image. Its deobfuscated code shows a very simple upload functionality.

  • A simple PHP uploader sometimes hosted as "favicon.ico". The content tab for this webshell in VirusTotal shows the password it expects from operators.

When webshell content is available, we can use it to pivot (by clicking) to other files with the same content (likely more webshells!). By doing this we easily find nine additional files which also provide new password strings to keep pivoting. 

We also found a second encrypted webshell (first seen in 2016 and embedding two base64 Perl scripts) where the encryption password can be found in clear text in the content tab, which is always a great resource for pivoting. 

  • This file contains a trojanized version of AuraCMS, an Indonesian Content Management Service. The webshell can be found under the "files/siswa/be.php" path.

Interestingly, the file contains a disclaimer visible in the content tab


Nevertheless, it contains an obfuscated and encrypted block of code, which can be used to pivot to find other similar samples. The deobfuscated content shows this webshell is capable of file system navigation, local command execution, read/write files, download/upload, mysql interface, list processes, etc. It also includes four different ciphered blocks of code. Two of them create ordinary backdoor connections: $port_bind_bd_pl (perl) and $port_bind_bd_c (C code to compile locally). The other two blocks of code implement reverse shells: $back_connect (perl) and $back_connect_c (C).

  • This webshell is based on the WSO Webshell project (currently removed from Github, but there's a copy of the original repository here). Unfortunately, this is not the only WSO-based webshell we found in governmental domains (another one here). The content tab shows a password and email that will help us find other samples. We can use this information for a content-based VTI query based:

content:{3d2022323132333266323937613537613561373433383934613065346138303166633322} or content:{406d61696c2827686172645f6c696e7578406d61696c2e7275272c2027726f6f74272c2024746d7029}


Compromising government-related infrastructure represents a potential major threat given the implicit trust it represents. All the examples above show traces of both opportunistic and targeted attacks. The lack of regular maintenance seems to be fundamental for many of the observed attacks.

We suggest several ideas to minimize most common risks:
  • Regularly update and maintain government web sites, especially content management systems (CMS), to address vulnerabilities. 

  • Actively monitor government infrastructure for anomalies, such as malware actively communicating with them or subdomains hosting files with malicious verdicts.

  • Regularly scan all hosted files in government infrastructure, especially in subdomains and personal sites. Do not dismiss phishing, as it can be used in social engineering schemes.

  • Assume traffic from trusted domains might be malicious, as the infrastructure can be used to host lateral movement tools or other advanced malicious toolsets.

  • In case of finding anything suspicious, but especially in case of finding webshells or lateral movement tools in the infrastructure, assume compromise and consider a full investigation. 

We hope the examples provided should serve as a heads up towards better security practices when it comes to sensitive infrastructure. We also hope some ideas presented in this blog post will help defenders implement monitoring for their own infrastructure. As usual, we are happy to hear from you

Happy hunting!


Post a Comment