DeepPanda in Apparent “Watering Hole” Attack

Filed under Industry News.


It looks as though DeepPanda, a group behind a long-running series of persistent attacks, has struck again with another “Watering Hole” attack — and this time, the target of the China-based malicious campaign is none other than the U.S. Government.

Last week the U.S. Department of Labor’s “Site Exposure Matrices (SEM)” page, which contains information related to toxic substances at the U.S. Department of Energy, went offline after reports surfaced that malware embedded on the page was:

  1. redirecting visitors to other infected pages within the site
  2. launching a script to detect which versions of MS Office, Adobe Reader, Java and anti-virus software a visitor was running
  3. deploying attack code that would exploit a hole in older versions of Internet Explorer (which has since been patched by Microsoft)
  4. causing the infected victim’s computer to communicate with a command-and-control server via a known DeepPanda protocol

Though the U.S. Government has yet to comment on this — and, in fact, the SEM site is still offline — experts were quick to point out the chilling dangers of this kind of “drive-by download” attack, which requires only that visitors view a website in order to be victimized. They don’t have to download anything, open a seemingly harmless email, or do anything else of the kind that keeps corporate IT security teams awake at night and panicked during the day.

The move towards U.S. Government targets may or may not represent a shift in DeepPanda’s attack tactics. In late 2011, their illicit activities [PDF] focused on deploying Remote Access Trojans (RATs) on Fortune 500 company computers.
