Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
Presented by Monnappa in our quarterly system security meet. visit: for more information.

  • 1. Monnappa K A
  • 2. The content, demonstration, source code and programs presented here are "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which I am currently working. In no circumstances are I or SecurityXploded responsible for any damage or loss caused by use or misuse of the information presented here.
  • 3. Watering Hole Attack; Watering Hole Targeted Campaign; Demo - Analysis of Watering Hole Campaign; References
  • 4. Monnappa: Member of SecurityXploded; Info Security Investigator @ Cisco; Reverse Engineering, Malware Analysis, Memory Forensics; Email:; Twitter: @monnappa22; Linkedin:
  • 5. Image taken from:
  • 6. Targeted attack posted by FireEye: compromises-us-veterans-of-foreign-wars-website.html
  • 7. The malicious HTML file checks for the presence of IE 10 with Adobe Flash. If the browser is IE 10 with Flash installed, it loads a malicious Flash file (Tope.swf).
  • 8. The Flash file triggers the exploit and downloads an image file (.jpg).
  • 9. The downloaded image is not a JPEG file (even though the extension is .jpg) but a PNG file; the screenshot below shows the file header, which confirms it is a PNG file.
  • 10. The screenshot below shows the image file that was used in the attack.
  • 11. The end of the PNG file contains additional data; this embedded data is the XOR-encoded (key 0x95) payload starting at offset 0x8de1 (36321).
  • 12. Simple script to extract and decode the additional content starting at offset 0x8de1 (36321).
  • 13. The decoded content contains two embedded PE files. The screenshot below shows the first PE file at offset 0xc (12).
  • 14. The screenshot below shows the second PE file at offset 0xA40C (41996).
  • 15. The code snippet below extracts the two PE files starting at offsets 0xc (12) and 0xA40C (41996) and saves them to the files "malware1.bin" and "malware2.bin" respectively.
  • 16. The first extracted PE file is a DLL and the second is an EXE (the ZxShell backdoor), as shown below.
  • 17. The screenshot below shows the VirusTotal results for the sample (malware2.bin), which is a ZxShell backdoor.
  • 18. After the ZxShell backdoor is executed in the sandbox, the malware makes DNS queries to the malicious domains below and connects to them on port 443.
  • 19. actor-compromises-us-veterans-of-foreign-wars-website.html
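The extraction steps of slides 9 through 15 (confirm the file is really a PNG, take the data appended after the image, XOR-decode it with the 0x95 key, carve out the stacked PE files) as one added Python example. This is not the presenter's script (the slides only show screenshots of it) and it generalizes a little: rather than hard-coding the 0x8de1 tail offset and the 0xc / 0xA40C PE offsets from the presentation, it walks the PNG chunk list to find the end of the IEND chunk and then validates each candidate MZ header through its e_lfanew pointer. The function names, the 1x1 PNG and the two fake PE stubs are all constructed here so the script runs offline; the sample mirrors the slides by placing the first stub at decoded offset 0xc.

```python
"""Carve a payload hidden after a PNG's IEND chunk, then carve the PE files in it."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
SAMPLE_XOR_KEY = 0x95  # key reported on the slides; the constructed sample uses it too


def is_png(data: bytes) -> bool:
    """Slide 9: judge the file by its header, not by its .jpg extension."""
    return data.startswith(PNG_SIGNATURE)


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk.

    Every chunk is a 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
    Bytes after IEND are not part of the image; that is where the slides found
    the payload (0x8de1 in their sample), so locate it instead of hard-coding it.
    """
    if not is_png(data):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found: truncated file or not a PNG")


def xor_decode(buf: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this also re-encodes."""
    return bytes(b ^ key for b in buf)


def carve_pe_files(blob: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, bytes) for each PE image stacked in blob.

    A PE starts with 'MZ'; the DOS header field e_lfanew at 0x3c points at the
    'PE\\0\\0' signature, which filters out stray 'MZ' byte pairs. Each carved
    file runs up to the next validated MZ header (or the end of the blob).
    """
    starts = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                starts.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    bounds = starts + [len(blob)]
    return [(s, blob[s:e]) for s, e in zip(bounds, bounds[1:])]


def extract_from_image(data: bytes, key: int) -> list[tuple[int, bytes]]:
    """Slides 11-15 in one call: tail after IEND -> XOR decode -> carve PEs."""
    tail = data[png_end_offset(data):]
    return carve_pe_files(xor_decode(tail, key))


# --- constructed sample: a 1x1 PNG with two fake PE stubs appended (not real malware) ---
def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def _fake_pe(tag: bytes) -> bytes:
    """Minimal MZ header whose e_lfanew points at a PE signature, then a marker."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + tag


def build_sample() -> bytes:
    png = (PNG_SIGNATURE
           + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
           + _chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
           + _chunk(b"IEND", b""))
    # 12 bytes of non-PE data first, mirroring the slides' first PE at offset 0xc
    hidden = b"\x00" * 12 + _fake_pe(b"DLL-STUB") + _fake_pe(b"EXE-STUB")
    return png + xor_decode(hidden, SAMPLE_XOR_KEY)


if __name__ == "__main__":
    sample = build_sample()
    print("PNG header present:", is_png(sample))
    for offset, pe in extract_from_image(sample, SAMPLE_XOR_KEY):
        print(f"PE at decoded offset {offset:#x} ({offset}), {len(pe)} bytes, tag {pe[-8:]!r}")
```

On a real capture, replace `build_sample()` with the bytes of the downloaded "image" and keep the key from the analysis; the carved buffers are what you would write out as `malware1.bin` and `malware2.bin` and hash for VirusTotal. Validating e_lfanew matters on real data because an XOR-decoded blob can contain incidental `MZ` pairs that are not file starts.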