On November 3, 2015, ZScaler reported that a Chinese government website hosting the Chuxiong Archives, http://www.cxda[.]gov.cn, had been compromised and contained injected code leading to the Angler Exploit Kit. The report stated that the affected website had appeared to be remediated and cleaned within 24 hours; however, upon scanning the website using our own malicious web content detection system, we discovered that in fact, the website remained compromised. At this time, we advise users to not visit the website in the near future, even though it appears to be clear of malicious code.
Based on our analysis, the malicious code injection on http://www.cxda[.]gov.cn has not been removed, but simply placed in a dormant state. After ZScaler published information regarding this compromise, we continuously scanned and monitored the compromised website, as well as other popular websites and potentially related suspicious targets. What we discovered was that many other websites had been compromised in a similar way, where the malicious code had the ability to be placed by the attacker in a dormant or an active state.
For this article, we chose a few of the additionally discovered compromised sites found by our malicious web content detection system and continued to scan them in high frequency. The following diagram shows the vulnerability status of three of these sites over the duration of a day. The markings on the top portion indicate that the site’s malicious code was active during that time slot while the markings on the bottom portion indicate the site was benign, or dormant, during that time slot.
In what appears to be a technique to evade detection or analysis, the injected malicious code has the ability to hides itself when the user-agent or IP address of the request does not meet specific criteria. Attempts to launch requests from different combinations of IP addresses and user agent strings consistently produced different behaviors (benign vs malicious) depending on what was sent.
During our continuous monitoring for a 24-hour period from November 11, 2015 to November 12, 2015, eight days after the Zscaler report, the Chuxiong Archives website consistently presented malicious content injected by an attacker depending on the source IP and user agent. It is believed that if a user were to visit the compromised website a second time following the initial exposure to the malicious code, the site would recognize the source IP and user-agent and simply remain dormant, not exhibiting any malicious behavior. Because of this anti-analysis/evasion technique, it may easily cause the belief that the threat has been remediated, when in reality, it had not.
At the time of this report, using our malicious web content scanning system, we have already discovered more than four thousands additional, similarly compromised websites globally exhibiting the same ability of being able to be dormant or active depending on source IP and user agent. Investigations regarding this campaign on a larger scale are ongoing and a second report detailing the similarly compromised websites will be published in the near future.
[Palo Alto Networks Blog]