Security tools firm AlienVault has been investigating the US Department of Labor's Site Exposure Matrices (SEM) website, which is said to have been injected with malicious code. Since yesterday, every request to the site has included code served from a malicious server; that code collects information about the visitor's machine and uploads it to the attacker's server. According to a blogpost by AlienVault, the server then attempts to exploit CVE-2012-4792 (an Internet Explorer use-after-free) and, if the browser is vulnerable, downloads an executable binary onto the user's machine.
The binary checks for common antivirus programs known to run on machines and tries to disable them. Although AlienVault says the incident is still under investigation, the firm notes that the techniques used in the attack are similar to those seen some time ago in an attack on a Thailand NGO website, and that the command-and-control protocol matches a backdoor used by a Chinese group known as Deep Panda.
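The attack described above works because the compromised page references script from a host the site's owners do not control. A practical first check for a site operator is therefore to list every script and iframe source on a page and flag any host outside an allowlist. The following is an added example written for this article, not code from AlienVault or from the incident: the sample page, the placeholder hostnames (`cdn.example-sem.gov`, `attacker-cnc.invalid`) and the allowlist are all constructed for illustration.

```python
"""Flag script/iframe sources that point outside an allowlist of trusted hosts.

Added example for the watering-hole scenario above; all hostnames are constructed
placeholders and do not correspond to the real incident.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two legitimate script references (relative and CDN),
# one injected script and one hidden iframe pointing at a foreign host.
SAMPLE_HTML = """
<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.example-sem.gov/jquery.js"></script>
<script type="text/javascript" src="http://attacker-cnc.invalid/t.js"></script>
</head><body>
<iframe src="http://attacker-cnc.invalid/f.html" width="0" height="0"></iframe>
<img src="http://images.example-sem.gov/logo.png">
</body></html>
"""

# Hosts the (hypothetical) site is expected to load active content from.
ALLOWED_HOSTS = {"cdn.example-sem.gov"}


class SourceCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        for name, value in attrs:
            if name == "src" and value:
                self.refs.append((tag, value))


def find_foreign_refs(html, allowed_hosts):
    """Return (tag, src) pairs whose host is neither same-origin nor allowlisted.

    Relative URLs (no host) are treated as same-origin. Protocol-relative URLs
    such as //host/path are parsed correctly by urlparse and are checked too.
    """
    parser = SourceCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    foreign = []
    for tag, src in parser.refs:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative reference, same origin as the page
        if host.lower() not in allowed:
            foreign.append((tag, src))
    return foreign


if __name__ == "__main__":
    for tag, src in find_foreign_refs(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"foreign {tag} source: {src}")
```

Run against a live page, the check is only as good as the allowlist: an injected reference to a legitimate-looking but attacker-controlled host is exactly what a watering-hole operator aims for, so any newly appearing host should be treated as suspect until someone confirms who owns it.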