Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
Presented by Monnappa in our quarterly system security meet. visit: http://www.securitytrainings.net for more information.
Presentation Transcript

  • Monnappa K A
  • The content, demonstration, source code and programs presented here are provided "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which I am currently working. However, in no circumstances is either I or SecurityXploded responsible for any damage or loss caused by use or misuse of the information presented here.
  • Agenda:
    - Watering Hole Attack
    - Watering Hole Targeted Campaign
    - Demo - Analysis of Watering Hole Campaign
    - References
  • Monnappa
    - Member of SecurityXploded
    - Info Security Investigator @ Cisco
    - Reverse Engineering, Malware Analysis, Memory Forensics
    - Email: monnappa22@gmail.com
    - Twitter: @monnappa22
    - LinkedIn: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
  • Image taken from: http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101
  • Targeted attack (Operation SnowMan) reported by FireEye: http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
  • The malicious HTML file checks for the presence of IE 10 with Adobe Flash. If the browser is IE 10 with Flash installed, it loads a malicious Flash file (Tope.swf).
  • The Flash file triggers the exploit and downloads an image file with a .jpg extension.
  • The downloaded image file is not a JPEG (despite the .jpg extension) but a PNG file. The screenshot below shows the file header, which confirms it is a PNG: the first eight bytes are the PNG signature 89 50 4E 47 0D 0A 1A 0A.
  • The screenshot below shows the image file that was used in the attack.
  • The end of the PNG file contains additional data. This embedded data is the XOR-encoded (key 0x95) payload, starting at offset 0x8de1 (36321).
  • Simple script to extract and decode the additional content starting at offset 0x8de1 (36321).
  • The decoded content contains two embedded PE files. The screenshot below shows the first PE file at offset 0xc (12).
  • The screenshot below shows the second PE file at offset 0xA40C (41996).
  • The code snippet below extracts the two PE files starting at offsets 0xc (12) and 0xA40C (41996) and saves them to the files "malware1.bin" and "malware2.bin" respectively.
  • The first extracted PE file is a DLL and the second PE file is an EXE (the ZxShell backdoor), as shown below.
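The extraction procedure on the preceding slides (confirm the file is a PNG, find where the image ends, XOR-decode the trailing data with key 0x95, and carve out the two embedded PE files, telling the DLL from the EXE), as a worked Python example. This is an added example, not the script shown in the slides. Rather than hard-coding the 0x8de1 offset, it walks the PNG chunks to the IEND chunk and treats everything after it as the appended payload; DLL-versus-EXE is decided from the IMAGE_FILE_DLL bit in the PE file header's Characteristics field. The sample file is constructed inline (a minimal PNG, 12 bytes of filler, then two stub PE images with the DLL flag set and clear), so the offsets it reports are those of the constructed sample, not the 0xc / 0xA40C values from the real one; all helper names are my own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
XOR_KEY = 0x95            # single-byte XOR key reported in the analysis
IMAGE_FILE_DLL = 0x2000   # Characteristics bit set for DLL images


def is_png(data: bytes) -> bool:
    """True if the file starts with the PNG signature (89 50 4E 47 0D 0A 1A 0A)."""
    return data[:8] == PNG_SIG


def png_end_offset(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past the IEND chunk.
    Anything stored beyond that offset is not part of the image."""
    if not is_png(data):
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # length, type, payload, CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def xor_decode(buf: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in buf)


def carve_pe(blob: bytes):
    """Return (offset, is_dll, image_bytes) for each MZ/PE image in blob.
    Each image is taken to run up to the next valid MZ header (or end of blob)."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if blob[pe:pe + 4] == b"PE\0\0":
                # Characteristics sits 22 bytes after the PE signature
                chars = struct.unpack_from("<H", blob, pe + 22)[0]
                hits.append((pos, bool(chars & IMAGE_FILE_DLL)))
        pos = blob.find(b"MZ", pos + 2)
    out = []
    for i, (off, is_dll) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(blob)
        out.append((off, is_dll, blob[off:end]))
    return out


def extract_payloads(data: bytes):
    """Full pipeline: locate appended data, XOR-decode it, carve PE files."""
    start = png_end_offset(data)
    decoded = xor_decode(data[start:], XOR_KEY)
    return start, carve_pe(decoded)


# --- constructed sample input (not the real attack file) -------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def _fake_pe(is_dll: bool, size: int) -> bytes:
    """Minimal MZ/PE stub: DOS header with e_lfanew=0x40, PE signature and a
    file header whose Characteristics has the DLL bit set or clear."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    pe = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0,
                                 IMAGE_FILE_DLL if is_dll else 0x0102)
    body = bytes(hdr) + pe
    return body + b"\0" * (size - len(body))


SAMPLE_PNG = (PNG_SIG
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"IDAT", zlib.compress(b"\0\0"))
              + _png_chunk(b"IEND", b""))
DECODED_PAYLOAD = b"\0" * 12 + _fake_pe(True, 0x200) + _fake_pe(False, 0x300)
SAMPLE_FILE = SAMPLE_PNG + xor_decode(DECODED_PAYLOAD, XOR_KEY)

if __name__ == "__main__":
    start, images = extract_payloads(SAMPLE_FILE)
    print(f"appended data starts at offset {start:#x}")
    for n, (off, is_dll, img) in enumerate(images, 1):
        name = f"malware{n}.bin"
        with open(name, "wb") as fh:
            fh.write(img)
        print(f"{name}: offset {off:#x}, {len(img)} bytes, {'DLL' if is_dll else 'EXE'}")
```

To run it against a real sample, read the file into `data` and call `extract_payloads(data)`; on the campaign file described above the start offset would come back as 0x8de1 and the carved images at 0xc and 0xA40C. Carving stops at the next valid MZ header, so a PE that itself embeds another PE would be split; for that case compare the carved sizes against the SizeOfImage in the optional header before trusting the boundaries.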
  • The screenshot below shows the VirusTotal results for the sample (malware2.bin), which is a ZxShell backdoor.
  • After executing the ZxShell backdoor in the sandbox, the malware makes DNS queries for the malicious domains shown below and connects to them on port 443.
  • References:
    - http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101
    - http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
    - http://www.securityweek.com/new-ie-10-zero-day-used-watering-hole-attack-targeting-us-military
    - http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/