US federal agency does not respond to reports that it has been backdoored

A U.S. federal agency has hosted a backdoor that can provide full visibility into and full control over the agency's network, and the investigators who discovered it have not been able to reach the responsible administrators, security firm Avast said Thursday.

Avast did not identify the agency other than to say that it is associated with international rights and that, as part of its mandate, it communicates regularly with other US agencies and with international governmental and non-governmental organizations. The security firm published a blog post after several unsuccessful attempts to report the findings, both directly and through US government channels.

Members of the Avast Threat Intelligence team wrote:

While we have no information on the impact of this attack or the actions taken by the attackers, based on our analysis of the files in question, we believe it is reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all local network traffic in this organization. This could include information exchanged with other US government agencies and other international governmental and non-governmental organizations (NGOs) focused on international rights. We also have indications that attackers could execute code of their choice in the context of the operating system on infected systems, giving them full control.

Bypass firewalls and network monitoring

The backdoor works by replacing a normal Windows file called oci.dll with two malicious files, one at the beginning of the attack and the other later. The first impostor file implements WinDivert, a legitimate tool for capturing, modifying or dropping network packets sent to or from the Windows network stack. The file lets the attackers download and execute malicious code on the infected system. Avast suspects that the downloader's primary purpose is to bypass firewalls and network monitoring.

In a later stage of the attack, the intruders replaced the fake oci.dll downloader with code that decrypts a malicious file called SecurityHealthServer.dll and loads it into memory. The functions and flow of this second bogus DLL are almost identical to those of rcview40u.dll, a malicious file that was deployed in an espionage-driven supply-chain attack that targeted South Korean organizations in 2018.

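A defender-side hunt for the artifacts the article names, added here as an example (it is not Avast's code, and the report publishes no hashes): it lists every copy of oci.dll and SecurityHealthServer.dll with its Authenticode status and SHA-256, checks whether the WinDivert driver is installed, and shows which processes currently have oci.dll loaded. The expected-directory list and the WinDivert driver-name pattern are assumptions for triage, not indicators taken from the report.

```powershell
# Hunt script (added example, not from the Avast report). Run elevated.
$suspectNames = @('oci.dll', 'SecurityHealthServer.dll')
# Assumption: a legitimate oci.dll is only expected under the Windows system directories.
$expectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# 1. Every file on the system drive carrying one of the two names, with signature state and hash.
$hits = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File -Include $suspectNames `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            InExpectedDir = $expectedDirs -contains $_.DirectoryName
            SigStatus     = $sig.Status                      # 'Valid' only for a trusted signer
            Signer        = $sig.SignerCertificate.Subject   # $null when unsigned
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            LastWriteUtc  = $_.LastWriteTimeUtc
        }
    }

# Report copies that sit outside the expected directories or fail signature validation.
$hits | Where-Object { -not $_.InExpectedDir -or $_.SigStatus -ne 'Valid' } |
    Format-Table -AutoSize

# 2. Is a WinDivert packet-diversion driver registered or running? WinDivert has
#    legitimate uses, so a hit is a lead for triage, not a verdict.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like '*WinDivert*' -or $_.PathName -like '*WinDivert*' } |
    Select-Object Name, State, StartMode, PathName

# 3. Which running processes have a module named oci.dll loaded, and from which path?
Get-Process | ForEach-Object {
    $proc = $_
    try {
        $proc.Modules | Where-Object { $_.ModuleName -ieq 'oci.dll' } |
            Select-Object @{ n = 'Process'; e = { "$($proc.ProcessName) ($($proc.Id))" } }, FileName
    } catch {
        # Access denied on protected processes is expected and can be ignored here.
    }
}
```

Compare any flagged hash against your organization's own known-good baseline; the article provides none.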
“Due to the similarities between this oci.dll and rcview40u.dll, we believe it is likely that the attacker had access to the source code of the three-year-old rcview40u.dll,” wrote the Avast researchers. “The newer oci.dll has minor changes, like starting the decrypted file in a new thread instead of a function call, which is what rcview40u.dll does. oci.dll was also compiled for the x86-64 architecture, while rcview40u.dll was only compiled for the x86 architecture.”

The net effect of the attack sequence is that the attackers were able to compromise the federal agency's network in a way that allowed them to run code with the same unrestricted system rights as the operating system and to capture any traffic entering or leaving the infected machines' networks.

Because officials at the compromised agency did not engage with Avast's researchers, the researchers cannot be sure what the attackers were doing within the network. But the implications are clear.

“It is reasonable to assume that some form of data collection and exfiltration of network traffic occurred, but that is informed speculation,” the researchers wrote. “Additionally, because this could have provided full network visibility and complete control of an infected system, there is reasonable speculation that this could be the first step in a multi-stage attack to penetrate this or other networks more deeply in a classic APT-type operation.”
