AnonGhost to use Remote Code Execution malware in future hack attacks : Security Researchers Zscaler claims.

If you have read our hack attack posts related to AnonGhost, you may know that this pro-Palestine hacker collective has always been hacking websites with western interests with a intention of defacing them. They have had a pretty successful hacking and defacement campaign as their  past records of hacking 200+ websites in last month including hacking the world body United Nations on 11th November, points out.    However this may not hold true in not so distant future according to the security experts from Zscaler.  Security experts at Zscaler Research are warning that the AnonGhost collective may launch a new hacktivist campaign which goes further than merely defacing websites, by linking to malware which could allow for remote code execution by an attacker.

Security Researcher Chris Mannon points out that they have noticed from the AnonGhost’s recent hack attacks from a recent batch of compromised sites contains a malicious link in the defacement message to a “lulz.htm” page. This apparently contains obfuscated JavaScript code which then leads users to a Dokta Chef Exploit Kit (EK) hosting site. “This appears to be a new tactic whereby a hacktivist group has escalated their activities by attacking users who visit defaced sites,” said Mannon.

AnonGhost to use Remote Code Execution malware in future hack attacks : Zsclaler Research
obfuscated data found by Zscaler in recent AnonGhost hacks

“This is out of character for such groups that generally seem more interested in disrupting private sector compliance with government entities, than targeting end users.”

The sample batch of websites used for research by Zscaler are the latest hacking and defacement exploits by alleged AnonGhost members which include the following websites :

Dokta Chef Exploit kit

The Dokta Chef Exploit Kit uses the recently disclosed Microsoft vulnerability CVE-2014-6322 and can affect all Windows machines which are not patched with the Microsoft update.  The Dokta Exploit serves up a malicious payload for  Microsoft vulnerability CVE-2014-6332, Windows OLE Automation Array Remote Code Execution flaw , which was fixed earlier this month with bulletin MS14-064. .This flaw is already being exploited by a cyber criminal group called APT3 aka UPS.

Zscaler notes that AnonGhost may use this very flaw with Dokta Chef Exploit Kit.  This can cause remote code execution if the victim visits a specially crafted webpage using Internet Explorer. The flaw is triggered when IE improperly accesses Object Linking and Embedding (OLE) objects in the memory, Mannon explained.

Mannon stated that at present the AnonGhost seems to be only focussing on 32-bit Windows users and IE, with the exploit code crafted to ensure the cycle is terminated if it’s detected that the machine is not using IE or Windows, or is a 64-bit system.

“At the time of research, the end payload was not reachable, but the VirusTotal Scan of the hostname shows a history of dubious activity,” said Mannon.

If AnonGhost succeeds in spreading its malware through its hacking campaigns this will give a menacing new edge to what are usually pretty innocuous attacks.