Watering Hole Attacks, case study and analysis
Monnappa K A

Uploaded by: cysinfo-cyber-security-community
Posted on 12-Apr-2017

TRANSCRIPT

Page 1: Watering hole attacks case study analysis

Watering Hole Attacks, case study and analysis

Monnappa K A

Page 2

Disclaimer

The Content, Demonstration, Source Code and Programs presented here are "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which I am currently working.

However, in no circumstances is either I or Cysinfo responsible for any damage or loss caused due to use or misuse of the information presented here.

Page 3

Contents

Watering Hole Attack

Watering Hole Targeted Campaign

Demo - Analysis of Watering Hole Campaign

References

Page 4

Who Am I

Monnappa
Member of Cysinfo
Info Security Investigator @ Cisco
Reverse Engineering, Malware Analysis, Memory Forensics
Email: [email protected]
Twitter: @monnappa22
LinkedIn: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8

Page 5

Watering Hole Attack

Image taken from: http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101

Page 6

Watering Hole Targeted Campaign

Targeted attack posted by FireEye: http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html

Page 7

Demo

Analysis of Watering Hole Campaign

Page 8

Exploit Loader

The malicious HTML file checks for the presence of IE 10 with Adobe Flash. If the browser is IE 10 with Flash installed, then it loads a malicious Flash file (Tope.swf).

Page 9

Malicious Flash Object

Flash triggers the exploit and downloads an image file (.jpg).

Page 10

Image file is a PNG file

The image file downloaded is not a JPEG file (even though the extension is .jpg) but a PNG file. The below screenshot shows the file header, which confirms it is a PNG file.

Page 11

Image file used in the attack

The below screenshot shows the image file that was used in the attack.

Page 12

Image file contains additional data

The end of the PNG file contains additional data; this embedded data is the XOR-encoded (key 0x95) payload, starting at offset 0x8de1 (36321).

Page 13

Script to extract and decode content

Simple script to extract and decode the additional content starting at offset 0x8de1 (36321).

Page 14

First PE file in decoded content

The decoded content contains two embedded PE files. The below screenshot shows the presence of the first PE file at offset 0xc (12).

Page 15

Second PE file in decoded content

The below screenshot shows the presence of the second PE file at offset 0xA40C (41996).

Page 16

Script to extract PE files

The below snippet of code extracts the two PE files starting at offsets 0xc (12) and 0xA40C (41996) and saves them to the files "malware1.bin" and "malware2.bin" respectively.
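The steps of pages 10 to 17 (confirm the file really is a PNG, find where the appended data begins, XOR-decode it with key 0x95, locate the two embedded PE files and tell the DLL from the EXE), as one added Python example. This is not the script shown on the slides: it builds its own small 1x1 PNG with a stub DLL and a stub EXE appended, so the real attack file and its offsets 0x8de1, 0xc and 0xA40C serve only as the layout the constructed sample mirrors. It also generalizes the slides' approach slightly: rather than hard-coding the offsets read off the hex dump, it walks the PNG chunk list to find the end of IEND and accepts an MZ header only when its e_lfanew points at a valid PE signature, then reads the IMAGE_FILE_DLL bit of the COFF Characteristics field to classify each image.

```python
import struct
import zlib

# Values stated on the slides: PNG signature and the single-byte XOR key.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
XOR_KEY = 0x95
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images


def png_trailing_offset(data):
    """Walk the PNG chunk list and return the offset of the first byte after
    the IEND chunk, i.e. where any appended (non-image) data begins.
    A real JPEG would start with FF D8, so the signature check alone already
    exposes the '.jpg that is really a PNG' trick from the slides."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file (bad signature)")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # length/type header, payload, CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def xor_decode(buf, key=XOR_KEY):
    """Single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ key for b in buf)


def carve_pe_files(blob):
    """Return [(offset, 'DLL' | 'EXE'), ...] for every MZ header whose
    e_lfanew points at a valid 'PE\\0\\0' signature. Stray 'MZ' byte pairs
    that fail that check are skipped."""
    found, start = [], 0
    while (idx := blob.find(b"MZ", start)) >= 0:
        start = idx + 1
        if idx + 0x40 > len(blob):               # DOS header is 0x40 bytes
            continue
        e_lfanew = struct.unpack_from("<I", blob, idx + 0x3C)[0]
        pe_off = idx + e_lfanew
        if pe_off + 24 > len(blob) or blob[pe_off:pe_off + 4] != b"PE\0\0":
            continue
        characteristics = struct.unpack_from("<H", blob, pe_off + 22)[0]
        found.append((idx, "DLL" if characteristics & IMAGE_FILE_DLL else "EXE"))
    return found


def analyse(data):
    """Full pipeline: locate appended data, XOR-decode it, carve the PEs.
    Each carved image is cut at the next PE header (or end of data); the
    slides' script instead used the two offsets read off the hex dump."""
    off = png_trailing_offset(data)
    decoded = xor_decode(data[off:])
    pes = carve_pe_files(decoded)
    carved = []
    for i, (start, kind) in enumerate(pes):
        end = pes[i + 1][0] if i + 1 < len(pes) else len(decoded)
        carved.append({"offset": start, "kind": kind, "data": decoded[start:end]})
    return off, carved


# --- constructed sample input (a stand-in, not the real attack file) -------

def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_fake_pe(is_dll, body_len):
    """Minimal MZ + PE + COFF header stub, just enough for the carver."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    characteristics = 0x2102 if is_dll else 0x0102
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(body_len)


def build_sample():
    """A 1x1 PNG followed by an XOR-encoded blob that, like the slides'
    payload, carries a DLL at offset 0xc and an EXE after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")                     # filter byte + pixel
    png = (PNG_SIG + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))
    payload = b"\x00" * 0xC + make_fake_pe(True, 100) + make_fake_pe(False, 50)
    return png + xor_decode(payload)                      # XOR is symmetric


if __name__ == "__main__":
    sample = build_sample()
    off, carved = analyse(sample)
    print(f"appended data starts at offset {off:#x}")
    for n, pe in enumerate(carved, 1):
        name = f"malware{n}.bin"                          # naming as on the slides
        with open(name, "wb") as fh:
            fh.write(pe["data"])
        print(f"  {pe['kind']} at {pe['offset']:#x} -> {name} ({len(pe['data'])} bytes)")
```

Run as a script it writes malware1.bin and malware2.bin from the constructed sample; to apply it to a real capture, replace `build_sample()` with the bytes of the downloaded file. Cutting each image at the next PE header is a simplification that works when the payloads are laid out back to back, as they are on the slides; a stricter carver would compute each image's size from its section table.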

Page 17

Extracted PE files

The first extracted PE file is a DLL and the second PE file is an EXE file (the ZxShell backdoor), as shown below.

Page 18

ZxShell Backdoor

The below screenshot shows the VirusTotal results for the sample (malware2.bin), which is a ZxShell backdoor.

Page 19

Network traffic of ZxShell Backdoor

After executing the ZxShell backdoor in the sandbox, the malware makes DNS queries to the malicious domains shown below and connects to them on port 443.

Page 20

References

http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101

http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html

http://www.securityweek.com/new-ie-10-zero-day-used-watering-hole-attack-targeting-us-military

http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/

Page 21

Question & Answer

Page 22

Thank you