The document describes a watering hole attack campaign that targeted military websites. It used a zero-day exploit in Internet Explorer 10 along with a malicious Flash file to download an image file containing hidden payload data. This payload contained two malware files - a DLL and a ZxShell backdoor executable. The backdoor made DNS queries to malicious domains and attempted to connect on port 443. The content is provided without warranty and solely represents the author's views.

1. Monnappa K A

2. The Content, Demonstration, Source Code and Programs
presented here is "AS IS" without any warranty or conditions
of any kind. Also the views/ideas/knowledge expressed here are
solely of the mine and nothing to do with the company or the
organization in which I am currently working.
However in no circumstances neither I or Cysinfo is
responsible for any damage or loss caused due to use or misuse
of the information presented here

3.  Watering Hole Attack
 Watering Hole Targeted Campaign
 Demo - Analysis of Watering Hole Campaign
 References

4. Monnappa
 Member of Cysinfo
 Info Security Investigator @ Cisco
 Reverse Engineering, Malware Analysis, Memory Forensics
 Email: monnappa22@gmail.com
 Twitter: @monnappa22
 Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8

5. Image taken from: http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101

6.  Targeted attack posted by FireEye
http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-
compromises-us-veterans-of-foreign-wars-website.html

8. The malicious html file checks for the presence of IE 10 with adobe flash. If the browser is IE 10 with flash installed then
it loads a malicious flash file (Tope.swf)

9. Flash triggers the exploit and downloads an image file (.jpg)

10. The image file downloaded is not a JPEG file (even though the extension is .jpg) but a PNG file, the below screenshot
shows the file header which confirms its be a PNG file

11. The below screenshot shows the image file that was used in the attack.

12. The end of the PNG file contains additional data, this embedded data is the xor encoded (with key 0x95) payload
starting at offset 0x8de1 (36321)

13. Simple script to extract and decode the additional content starting at offset 0x8de1 (36321).

14. Decoded content contains two embedded PE files. The below screenshot show the presence of first PE file at offset
0xc (12)

15. The below screenshot show the presence of second PE file at offset 0xA40C (41996)

16. Below snippet of code extracts the two PE files starting at offset 0xc (12) and 0xA40C (41996) and saves it to files
"malware1.bin" and "malware2.bin" respectively.

17. The first extracted PE file is a DLL and the Second PE file is a an EXE file (which is ZXShell
backdoor) as shown below.

18. Below screenshot shows the VirusTotal results for the sample (malware2.bin), which is a ZxShell
Backdoor

19. After executing the ZxShell Backdoor in the sandbox, the malware makes DNS queries to below
malicious domains and connect to it on port 443

20.  http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101
 http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-
actor-compromises-us-veterans-of-foreign-wars-website.html
 http://www.securityweek.com/new-ie-10-zero-day-used-watering-hole-attack-targeting-us-military
 http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/