Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14


Published on

Presented by Monnappa in our quarterly system security meet. visit: http://www.securitytrainings.net for more information.

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14

  1. 1. Monnappa K A
  2. 2. The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the mine and nothing to do with the company or the organization in which I am currently working. However in no circumstances neither I or SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here
  3. 3.  Watering Hole Attack  Watering Hole Targeted Campaign  Demo - Analysis of Watering Hole Campaign  References
  4. 4. Monnappa  Member of SecurityXploded  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com  Twitter: @monnappa22  Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
  5. 5. Image taken from: http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101
  6. 6.  Targeted attack posted by FireEye http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor- compromises-us-veterans-of-foreign-wars-website.html
  7. 7. The malicious html file checks for the presence of IE 10 with adobe flash. If the browser is IE 10 with flash installed then it loads a malicious flash file (Tope.swf)
  8. 8. Flash triggers the exploit and downloads an image file (.jpg)
  9. 9. The image file downloaded is not a JPEG file (even though the extension is .jpg) but a PNG file, the below screenshot shows the file header which confirms its be a PNG file
  10. 10. The below screenshot shows the image file that was used in the attack.
  11. 11. The end of the PNG file contains additional data, this embedded data is the xor encoded (with key 0x95) payload starting at offset 0x8de1 (36321)
  12. 12. Simple script to extract and decode the additional content starting at offset 0x8de1 (36321).
  13. 13. Decoded content contains two embedded PE files. The below screenshot show the presence of first PE file at offset 0xc (12)
  14. 14. The below screenshot show the presence of second PE file at offset 0xA40C (41996)
  15. 15. Below snippet of code extracts the two PE files starting at offset 0xc (12) and 0xA40C (41996) and saves it to files "malware1.bin" and "malware2.bin" respectively.
  16. 16. The first extracted PE file is a DLL and the Second PE file is a an EXE file (which is ZXShell backdoor) as shown below.
  17. 17. Below screenshot shows the VirusTotal results for the sample (malware2.bin), which is a ZxShell Backdoor
  18. 18. After executing the ZxShell Backdoor in the sandbox, the malware makes DNS queries to below malicious domains and connect to it on port 443
  19. 19.  http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101  http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog- actor-compromises-us-veterans-of-foreign-wars-website.html  http://www.securityweek.com/new-ie-10-zero-day-used-watering-hole-attack-targeting-us-military  http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/