Poison Ivy RAT served by compromised Israeli website

The official website of the Israeli Institute for National Security Studies has been compromised and has been found serving a variant of the Poison Ivy remote administration tool (RAT), warns Websense.

As it says on its homepage, the INSS is “an independent academic institute that studies key issues relating to Israel’s national security and Middle East affairs.” Contributing to the institute are a number of “researchers with backgrounds in academia, the military, government, and public policy.”

Given all that, it is safe to say that the individuals visiting the website are likely to have an interest in or be involved with national security, but Websense researchers still say that they can’t confirm that the attack is targeted.

According to them, the website’s homepage has been injected with a malicious Javascript code that loads a Java exploiter for over a week now.

While the page is loading, the users are silently redirected to an exploit page. Once the exploit does what it’s meant to do, a file named svchost.exe is downloaded onto the target computer and run.

The file in question is a Poison Ivy variant, which connects automatically to a dynamic DNS command and control center, and allows attackers to remotely control the targeted computer.

“One of the interesting facts about this infection is that it uses the same Java exploit vector (CVE-2012-0507) that managed to infect around 600,000 Mac users in a massive scatter attack dubbed Flashback a few weeks ago,” the researchers note.

“It’s also worth noting that in the last few months, Israeli websites have been under continuous cyber-based threats and attacks. We don’t think that this latest infection is part of an organized mass infection campaign but is probably just part of that trend.”