Amnesty International Website Compromised, Serving Up Gh0st RAT

Type threatpost
Reporter Chris Brook
Modified 2013-04-17T16:32:15


Amnesty International’s United Kingdom website was compromised and hosting the potent Gh0st RAT Trojan earlier this week, according to research conducted by security firm Websense.

According to the company’s Security Labs blog, visitors to the site over two days this week, May 8 and 9, may have had sensitive information stolen from their computers, or may have infected other users on their network.

The vulnerability for the infection stemmed from a popular Java exploit, CVE-2012-050. Hackers exploited that hole and used it to inject the Amnesty International site’s script with malicious code. The Java hole was the same one used by Flashback, the much buzzed-about Mac OS X Trojan of recent months.

The malicious code was removed from the site after Websense alerted Amnesty International earlier this week.

Users who visited the site were infected with a malicious downloader that installed the popular commercial malware kit, Gh0st RAT. The Gh0st RAT variant’s executable was signed with a valid certificate from a Shenzhen, China-based technology company, fooling some users into thinking the download was legitimate. If a user installed the kit, an attacker could monitor the infected user’s files, e-mails and passwords, among other confidential information.

Gh0st RAT gained notoriety years ago after it was used by a collection of computers, dubbed GhostNet, to spy on over 1,000 computers worldwide.

This is the second time in roughly six months that a Java hole’s been exploited in Amnesty International’s UK site. Back in December, Barracuda Labs found a Java runtime environment hole being exploited on the site. For more from Websense, head to their blog.