watering hole attacks case study analysis
TRANSCRIPT
![Page 1: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/1.jpg)
Watering Hole Attacks, case study and analysis
Monnappa K A
![Page 2: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/2.jpg)
DisclaimerThe Content, Demonstration, Source Code and Programspresented here is "AS IS" without any warranty or conditionsof any kind. Also the views/ideas/knowledge expressed here aresolely of the mine and nothing to do with the company or theorganization in which I am currently working.
However in no circumstances neither I or Cysinfo isresponsible for any damage or loss caused due to use or misuseof the information presented here
![Page 3: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/3.jpg)
Watering Hole Attack
Watering Hole Targeted Campaign
Demo - Analysis of Watering Hole Campaign
References
Contents
![Page 4: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/4.jpg)
Who AM I
Monnappa Member of Cysinfo Info Security Investigator @ Cisco Reverse Engineering, Malware Analysis, Memory Forensics Email: [email protected] Twitter: @monnappa22 Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
![Page 5: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/5.jpg)
Watering Hole Attack
Image taken from: http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101
![Page 6: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/6.jpg)
Targeted attack posted by FireEyehttp://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
Watering Hole Targeted Campaign
![Page 7: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/7.jpg)
Demo
Analysis of Watering Hole Campaign
![Page 8: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/8.jpg)
Exploit LoaderThe malicious html file checks for the presence of IE 10 with adobe flash. If the browser is IE 10 with flash installed then it loads a malicious flash file (Tope.swf)
![Page 9: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/9.jpg)
Malicious Flash ObjectFlash triggers the exploit and downloads an image file (.jpg)
![Page 10: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/10.jpg)
Image file is a png file
The image file downloaded is not a JPEG file (even though the extension is .jpg) but a PNG file, the below screenshot shows the file header which confirms its be a PNG file
![Page 11: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/11.jpg)
Image file used in the attackThe below screenshot shows the image file that was used in the attack.
![Page 12: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/12.jpg)
Image file contains additional dataThe end of the PNG file contains additional data, this embedded data is the xor encoded (with key 0x95) payload starting at offset 0x8de1 (36321)
![Page 13: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/13.jpg)
Script to extract and decode contentSimple script to extract and decode the additional content starting at offset 0x8de1 (36321).
![Page 14: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/14.jpg)
First PE file in Decoded contentDecoded content contains two embedded PE files. The below screenshot show the presence of first PE file at offset 0xc (12)
![Page 15: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/15.jpg)
Second PE file in Decoded contentThe below screenshot show the presence of second PE file at offset 0xA40C (41996)
![Page 16: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/16.jpg)
Script to extract PE files
Below snippet of code extracts the two PE files starting at offset 0xc (12) and 0xA40C (41996) and saves it to files "malware1.bin" and "malware2.bin" respectively.
![Page 17: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/17.jpg)
Extracted PE files
The first extracted PE file is a DLL and the Second PE file is a an EXE file (which is ZXShell backdoor) as shown below.
![Page 18: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/18.jpg)
ZxShell Backdoor
Below screenshot shows the VirusTotal results for the sample (malware2.bin), which is a ZxShell Backdoor
![Page 19: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/19.jpg)
Network traffic of ZxShell Backdoor
After executing the ZxShell Backdoor in the sandbox, the malware makes DNS queries to below malicious domains and connect to it on port 443
![Page 20: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/20.jpg)
http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101
http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
http://www.securityweek.com/new-ie-10-zero-day-used-watering-hole-attack-targeting-us-military
http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/
References
![Page 21: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/21.jpg)
Question & Answer
![Page 22: Watering hole attacks case study analysis](https://reader036.vdocuments.us/reader036/viewer/2022070523/58ed464f1a28abcc268b46e1/html5/thumbnails/22.jpg)
Thank you