View
538
Download
0
Category
Preview:
DESCRIPTION
Presented by Monnappa in our quarterly system security meet. visit: http://www.securitytrainings.net for more information.
Citation preview
Watering Hole Attacks, case study and analysis
Monnappa K A
Disclaimer
The Content, Demonstration, Source Code and Programs
presented here is "AS IS" without any warranty or conditions
of any kind. Also the views/ideas/knowledge expressed here are
solely of the mine and nothing to do with the company or the
organization in which I am currently working.
However in no circumstances neither I or SecurityXploded is
responsible for any damage or loss caused due to use or misuse
of the information presented here
Watering Hole Attack
Watering Hole Targeted Campaign
Demo - Analysis of Watering Hole Campaign
References
Contents
Who AM I
Monnappa Member of SecurityXploded Info Security Investigator @ Cisco Reverse Engineering, Malware Analysis, Memory Forensics Email: monnappa22@gmail.com Twitter: @monnappa22 Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
Watering Hole Attack
Image taken from: http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101
Targeted attack posted by FireEyehttp://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
Watering Hole Targeted Campaign
Demo
Analysis of Watering Hole Campaign
Exploit LoaderThe malicious html file checks for the presence of IE 10 with adobe flash. If the browser is IE 10 with flash installed then it loads a malicious flash file (Tope.swf)
Malicious Flash ObjectFlash triggers the exploit and downloads an image file (.jpg)
Image file is a png file
The image file downloaded is not a JPEG file (even though the extension is .jpg) but a PNG file, the below screenshot shows the file header which confirms its be a PNG file
Image file used in the attackThe below screenshot shows the image file that was used in the attack.
Image file contains additional data
The end of the PNG file contains additional data, this embedded data is the xor encoded (with key 0x95) payload starting at offset 0x8de1 (36321)
Script to extract and decode content
Simple script to extract and decode the additional content starting at offset 0x8de1 (36321).
First PE file in Decoded content
Decoded content contains two embedded PE files. The below screenshot show the presence of first PE file at offset 0xc (12)
Second PE file in Decoded content
The below screenshot show the presence of second PE file at offset 0xA40C (41996)
Script to extract PE files
Below snippet of code extracts the two PE files starting at offset 0xc (12) and 0xA40C (41996) and saves it to files "malware1.bin" and "malware2.bin" respectively.
Extracted PE files
The first extracted PE file is a DLL and the Second PE file is a an EXE file (which is ZXShell backdoor) as shown below.
ZxShell Backdoor
Below screenshot shows the VirusTotal results for the sample (malware2.bin), which is a ZxShell Backdoor
Network traffic of ZxShell Backdoor
After executing the ZxShell Backdoor in the sandbox, the malware makes DNS queries to below malicious domains and connect to it on port 443
http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+10
1
http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-
compromises-us-veterans-of-foreign-wars-website.html
http://www.securityweek.com/new-ie-10-zero-day-used-watering-hole-attack-targeting-us-military
http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/
References
Question & Answer
Thank you
Recommended