Free Beacon Article Redirects to ZeroAccess Rootkit, Fake AV

Update: _Aaron Harison, president of the Center for American Freedom, told Threatpost this morning that the issue has been resolved and the site is no longer serving malware. _****

Hackers have latched on to the NSA surveillance story—literally.

A news story on the outing of whistleblower Edward Snowden posted to the Washington Free Beacon is serving malware redirecting visitors to a malicious site where more malware awaits. The Free Beacon site remains infected, according to Invincea researchers, who said they have contacted the news organization about the attack. The story is being linked to by the popular Drudge Report and it’s likely to have snared a pretty good number of victims so far.

The attack on the Free Beacon is similar to a previous watering hole attack carried out against a number of other Washington, D.C.-based media outlets, including radio station WTOP, Federal News Radio and the site of technology blogger John Dvorak. Invincea researcher Eddie Mitchell wrote on the company’s blog that several other Free Beacon pages are also serving javascript, including the site’s main index page. The javascript drops an iframe that sends traffic offsite to a page hosting the Fiesta Exploit Kit.

“This exploit appears to be the same as used against other media sites to infect readers of these websites and part of a concerted campaign against media sites to infect their visitors by exploiting vulnerabilities in Java,” Mitchell wrote. “

Mitchell cautions that this attack isn’t being detected yet by security companies because signatures associated with the attack are different from previous campaigns.

The Free Beacon attack is infecting users with the ZeroAccess rootkit, as well as scareware. ZeroAccess is a virulent peer-to-peer botnet that has been folded into a number of commercial exploit kits including Blackhole. The malware makes an outbound communication requests to a number of command and control servers including e-zeeinternet[.]com, cinnamyn[.]com and twinkcam[.]net, from where the additional malware is loaded onto victim machines.

A little more than a month ago, the campaigns against WTOP and sister station Federal News Radio were discovered. The exploits targeted Java and Adobe plug-ins and were used to spread scareware. Content on both stations is heavily political and the attacks could have been a jumping off point for a larger attack against federal employees who use the site as a resource. Unlike other watering hole attacks that lead to espionage campaigns against activists or political leaders, this one was serving malware usually associated with the cybercrime.

The Dvorak site was also attacked a month ago and malware was discovered on the site’s WordPress configuration files. Invincea said at the time that it used Internet Explorer with Java and Adobe Reader and Flash plug-ins loaded into the browser and was immediately attacked. The browser was pulling a Java app from the attacker’s site and connecting to one of two Russian domains downloading Amsecure malware, which is part of the Kazy malware family, which is known for ransomware and scareware attacks. Three Java and Reader exploits were discovered on the Dvorak site: CVE-2013-0422; CVE-2009-0927; and CVE-2010-0188. These exploits lead to landing page hosting the Black Hole exploit kit and the Amsecure attacks.