The websites of foreign embassies are often where people go to download visa applications and other documents. They are also ripe openings for embedding malware.
Criminal hackers have taken notice. In the case of the Bangladesh Embassy in Cairo, attackers appear to be using the website to mine cryptocurrency, according to research published Wednesday by SpiderLabs, the security team of Chicago-based company Trustwave.
Almost the entire embassy website appears to be compromised, with nearly every attempt to access a URL ending in a request to save a malicious file, the researchers said. Only three of 69 antivirus engines detected the infected website as malicious.
“This level of compromise usually indicates the attacker’s ability to not only upload their own data, but also change the web server’s configuration,” SpiderLabs’ Nikita Kazymirskyi wrote in a blog post.
The hackers appear to have breached the website in October. In January, SpiderLabs noticed a Microsoft Word document hosted on the site with an embedded malicious script. Researchers say the hackers are exploiting a known vulnerability in Word that, according to the National Vulnerability Database, allows for remote code execution.
“It is possible that the intruders who injected the web miner into the site decided to make a shift from web mining to machine infection in order to install a more persistent cryptominer on victim machines,” Kazymirskyi wrote.
The hackers don’t seem to be of the advanced persistent threat variety associated with nation-states, Kazymirskyi wrote: they are noisy and the malicious Word file wasn’t tailored to those browsing the website.
As of Wednesday, the Bangladeshi embassy site was still compromised despite the researchers’ efforts to contact the hosts, SpiderLabs said.