Your SlideShare is downloading. ×
Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14

476
views

Published on

Presented by Monnappa in our quarterly system security meet. visit: http://www.securitytrainings.net for more information.

Presented by Monnappa in our quarterly system security meet. visit: http://www.securitytrainings.net for more information.

Published in: Technology, News & Politics

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
476
On Slideshare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
25
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Monnappa K A
  • 2. The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the mine and nothing to do with the company or the organization in which I am currently working. However in no circumstances neither I or SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here
  • 3.  Watering Hole Attack  Watering Hole Targeted Campaign  Demo - Analysis of Watering Hole Campaign  References
  • 4. Monnappa  Member of SecurityXploded  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com  Twitter: @monnappa22  Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
  • 5. Image taken from: http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101
  • 6.  Targeted attack posted by FireEye http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor- compromises-us-veterans-of-foreign-wars-website.html
  • 7. The malicious html file checks for the presence of IE 10 with adobe flash. If the browser is IE 10 with flash installed then it loads a malicious flash file (Tope.swf)
  • 8. Flash triggers the exploit and downloads an image file (.jpg)
  • 9. The image file downloaded is not a JPEG file (even though the extension is .jpg) but a PNG file, the below screenshot shows the file header which confirms its be a PNG file
  • 10. The below screenshot shows the image file that was used in the attack.
  • 11. The end of the PNG file contains additional data, this embedded data is the xor encoded (with key 0x95) payload starting at offset 0x8de1 (36321)
  • 12. Simple script to extract and decode the additional content starting at offset 0x8de1 (36321).
  • 13. Decoded content contains two embedded PE files. The below screenshot show the presence of first PE file at offset 0xc (12)
  • 14. The below screenshot show the presence of second PE file at offset 0xA40C (41996)
  • 15. Below snippet of code extracts the two PE files starting at offset 0xc (12) and 0xA40C (41996) and saves it to files "malware1.bin" and "malware2.bin" respectively.
  • 16. The first extracted PE file is a DLL and the Second PE file is a an EXE file (which is ZXShell backdoor) as shown below.
  • 17. Below screenshot shows the VirusTotal results for the sample (malware2.bin), which is a ZxShell Backdoor
  • 18. After executing the ZxShell Backdoor in the sandbox, the malware makes DNS queries to below malicious domains and connect to it on port 443
  • 19.  http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101  http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog- actor-compromises-us-veterans-of-foreign-wars-website.html  http://www.securityweek.com/new-ie-10-zero-day-used-watering-hole-attack-targeting-us-military  http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/