Researchers from the security firm Norman have released a report detailing malicious software used in targeted attacks against national security infrastructure and operations in Pakistan, Iran, and the United States, along with other private industries, such as food service, manufacturing, and telecommunications, in attempts to monitor national security operations and steal trade secrets. The sources of the attacks, the malicious software, and the related command-and-control systems are thought to originate from private organizations in India that are unrelated to state or government organizations. Attacks may have begun in September 2010, and elements of the malicious software may have persisted in some environments for months or years.
The HangOver malicious software, also known as Hanove, is distributed mainly through targeted spear-phishing e-mail campaigns. Websites and e-mail messages related to the spear-phishing campaigns contain sophisticated, relevant, and timely cultural and religious content, making users more likely to trust e-mail messages, websites, and links.
HangOver exploits known vulnerabilities for which patches exist. These vulnerabilities are in client applications such as Oracle Java, Microsoft Word, and web browsers. Notably, the malicious software targets the following documented vulnerabilities: Alert 25557 (CVE-2012-0158), Alert 27711 (CVE-2012-4792), and Alert 27845.
Once on a system, the malicious software contacts a sophisticated command-and-control infrastructure hosted in India, uploads information about the infected system, and downloads and installs additional malicious software. HangOver persists on the system, scans the system for document files, and uploads those files to command-and-control servers using FTP or HTTP. Requests to command-and-control servers use obfuscated or encoded content in an attempt to bypass egress filtering.
Norman has released the research report publicly at the following link: The Hangover Report
Administrators may consider searching system and access logs for domain names, IP addresses, and MD5 hashes detailed in the Norman report to determine whether the malicious software has infected systems in internal networks.
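A log sweep of the kind described above, added here as an example that is not part of the Norman report or of this advisory. The indicator values and log lines in it are constructed placeholders; the domains, IP addresses and MD5 hashes to search for come from the report itself.

```python
import hashlib
import re
# Added example. Indicator values are constructed placeholders (reserved
# example ranges/TLDs): replace them with the domains, IPs and MD5 hashes
# published in the Norman report.
IOC_DOMAINS = {"c2-example.invalid"}
IOC_IPS = {"203.0.113.10"}
IOC_MD5 = {"d41d8cd98f00b204e9800998ecf8427e"}  # MD5 of empty input

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)

def scan_log_line(line):
    """Return (kind, value) for each indicator in one log line. HangOver
    encodes its upload bodies, so match destinations and hashes, not payloads."""
    hits = [("domain", d.lower()) for d in DOMAIN_RE.findall(line) if d.lower() in IOC_DOMAINS]
    hits += [("ip", ip) for ip in IP_RE.findall(line) if ip in IOC_IPS]
    hits += [("md5", h.lower()) for h in MD5_RE.findall(line) if h.lower() in IOC_MD5]
    return hits

def scan_log(lines):
    """Return (line_number, kind, value) for every hit across a log."""
    return [(n, kind, value) for n, line in enumerate(lines, 1)
            for kind, value in scan_log_line(line)]

def md5_of_chunks(chunks):
    """Hex MD5 over an iterable of byte chunks, so large files stream."""
    digest = hashlib.md5()
    for chunk in chunks:
        digest.update(chunk)
    return digest.hexdigest()

def file_matches_ioc(path):
    """True if the file at path has one of the reported MD5 hashes."""
    with open(path, "rb") as fh:
        return md5_of_chunks(iter(lambda: fh.read(1 << 20), b"")) in IOC_MD5

# Constructed sample lines: proxy, FTP session and AV inventory formats.
SAMPLE_LOG = [
    "2013-05-20 10:01:02 host1 GET http://c2-example.invalid/up.php 200",
    "2013-05-20 10:02:15 ftp-session 203.0.113.10 STOR docs/report.doc",
    "2013-05-20 10:03:00 host2 GET http://www.example.com/ 200",
    "2013-05-20 10:04:00 av-inventory C:\\tools\\a.exe md5=D41D8CD98F00B204E9800998ECF8427E",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} indicator {value}")
```

Proxy and FTP logs are searched by destination because the request bodies are encoded; the hash check covers files found by a scan of document or executable inventories.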
Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.