Watering Hole Attacks, case study and analysis

Monnappa K A

Disclaimer

The Content, Demonstration, Source Code and Programs

presented here is "AS IS" without any warranty or conditions

of any kind. Also the views/ideas/knowledge expressed here are

solely of the mine and nothing to do with the company or the

organization in which I am currently working.

However in no circumstances neither I or SecurityXploded is

responsible for any damage or loss caused due to use or misuse

of the information presented here

Watering Hole Attack

Watering Hole Targeted Campaign

Demo - Analysis of Watering Hole Campaign

References

Contents

Who AM I

Monnappa Member of SecurityXploded Info Security Investigator @ Cisco Reverse Engineering, Malware Analysis, Memory Forensics Email: monnappa22@gmail.com Twitter: @monnappa22 Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8

Watering Hole Attack

Image taken from: http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101

Targeted attack posted by FireEyehttp://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html

Watering Hole Targeted Campaign

Demo

Analysis of Watering Hole Campaign

Exploit LoaderThe malicious html file checks for the presence of IE 10 with adobe flash. If the browser is IE 10 with flash installed then it loads a malicious flash file (Tope.swf)

Malicious Flash ObjectFlash triggers the exploit and downloads an image file (.jpg)

Image file is a png file

The image file downloaded is not a JPEG file (even though the extension is .jpg) but a PNG file, the below screenshot shows the file header which confirms its be a PNG file

Image file used in the attackThe below screenshot shows the image file that was used in the attack.

Image file contains additional data

The end of the PNG file contains additional data, this embedded data is the xor encoded (with key 0x95) payload starting at offset 0x8de1 (36321)

Script to extract and decode content

Simple script to extract and decode the additional content starting at offset 0x8de1 (36321).

First PE file in Decoded content

Decoded content contains two embedded PE files. The below screenshot show the presence of first PE file at offset 0xc (12)

Second PE file in Decoded content

The below screenshot show the presence of second PE file at offset 0xA40C (41996)

Script to extract PE files

Below snippet of code extracts the two PE files starting at offset 0xc (12) and 0xA40C (41996) and saves it to files "malware1.bin" and "malware2.bin" respectively.

Extracted PE files

The first extracted PE file is a DLL and the Second PE file is a an EXE file (which is ZXShell backdoor) as shown below.

ZxShell Backdoor

Below screenshot shows the VirusTotal results for the sample (malware2.bin), which is a ZxShell Backdoor

Network traffic of ZxShell Backdoor

After executing the ZxShell Backdoor in the sandbox, the malware makes DNS queries to below malicious domains and connect to it on port 443

http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+10

1

http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-

compromises-us-veterans-of-foreign-wars-website.html

http://www.securityweek.com/new-ie-10-zero-day-used-watering-hole-attack-targeting-us-military

http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/

References

Question & Answer

Thank you