Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14

•Download as PPTX, PDF•

2 likes•1,856 views

Presented by Monnappa in our quarterly system security meet. visit: http://www.securitytrainings.net for more information.

Technology News & Politics

The Content, Demonstration, Source Code and Programs
presented here is "AS IS" without any warranty or conditions
of any kind. Also the views/ideas/knowledge expressed here are
solely of the mine and nothing to do with the company or the
organization in which I am currently working.
However in no circumstances neither I or SecurityXploded is
responsible for any damage or loss caused due to use or misuse
of the information presented here

 Watering Hole Attack
 Watering Hole Targeted Campaign
 Demo - Analysis of Watering Hole Campaign
 References

Monnappa
 Member of SecurityXploded
 Info Security Investigator @ Cisco
 Reverse Engineering, Malware Analysis, Memory Forensics
 Email: monnappa22@gmail.com
 Twitter: @monnappa22
 Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8

Image taken from: http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101

 Targeted attack posted by FireEye
http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-
compromises-us-veterans-of-foreign-wars-website.html

The malicious html file checks for the presence of IE 10 with adobe flash. If the browser is IE 10 with flash installed then
it loads a malicious flash file (Tope.swf)

Flash triggers the exploit and downloads an image file (.jpg)

The image file downloaded is not a JPEG file (even though the extension is .jpg) but a PNG file, the below screenshot
shows the file header which confirms its be a PNG file

The below screenshot shows the image file that was used in the attack.

The end of the PNG file contains additional data, this embedded data is the xor encoded (with key 0x95) payload
starting at offset 0x8de1 (36321)

Simple script to extract and decode the additional content starting at offset 0x8de1 (36321).

Decoded content contains two embedded PE files. The below screenshot show the presence of first PE file at offset
0xc (12)

The below screenshot show the presence of second PE file at offset 0xA40C (41996)

Below snippet of code extracts the two PE files starting at offset 0xc (12) and 0xA40C (41996) and saves it to files
"malware1.bin" and "malware2.bin" respectively.

The first extracted PE file is a DLL and the Second PE file is a an EXE file (which is ZXShell
backdoor) as shown below.

Below screenshot shows the VirusTotal results for the sample (malware2.bin), which is a ZxShell
Backdoor

After executing the ZxShell Backdoor in the sandbox, the malware makes DNS queries to below
malicious domains and connect to it on port 443

 http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101
 http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-
actor-compromises-us-veterans-of-foreign-wars-website.html
 http://www.securityweek.com/new-ie-10-zero-day-used-watering-hole-attack-targeting-us-military
 http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/

Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14

What's hot

Return address

Cysinfo Cyber Security Community

Return Address – The Silver Bullet

securityxploded

Basic malware analysis

Cysinfo Cyber Security Community

Advanced malware analysis training session1 detection and removal of malwares

Cysinfo Cyber Security Community

Hunting rootkit from dark corners of memory

Cysinfo Cyber Security Community

Advanced malware analysis training session10 part1

Cysinfo Cyber Security Community

Investigating Malware using Memory Forensics

Cysinfo Cyber Security Community

Reversing malware analysis training part10 exploit development basics

Cysinfo Cyber Security Community

Automating malware analysis

Cysinfo Cyber Security Community

Defeating public exploit protections (EMET v5.2 and more)

securityxploded

Advanced malware analysis training session3 botnet analysis part2

Cysinfo Cyber Security Community

Dissecting BetaBot

securityxploded

Hunting Rootkit From the Dark Corners Of Memory

securityxploded

Understanding CryptoLocker (Ransomware) with a Case Study

securityxploded

Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares

securityxploded

Advanced malware analysis training session8 introduction to android

Cysinfo Cyber Security Community

Reversing malware analysis training part1 lab setup guide

Cysinfo Cyber Security Community

RSA Monthly Online Fraud Report -- June 2014

EMC

Advanced malwareanalysis training session2 botnet analysis part1

Cysinfo Cyber Security Community

Anatomy of Exploit Kits

securityxploded

What's hot (20)

Return address

Return Address – The Silver Bullet

Basic malware analysis

Advanced malware analysis training session1 detection and removal of malwares

Hunting rootkit from dark corners of memory

Advanced malware analysis training session10 part1

Investigating Malware using Memory Forensics

Reversing malware analysis training part10 exploit development basics

Automating malware analysis

Defeating public exploit protections (EMET v5.2 and more)

Advanced malware analysis training session3 botnet analysis part2

Dissecting BetaBot

Hunting Rootkit From the Dark Corners Of Memory

Understanding CryptoLocker (Ransomware) with a Case Study

Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares

Advanced malware analysis training session8 introduction to android

Reversing malware analysis training part1 lab setup guide

RSA Monthly Online Fraud Report -- June 2014

Advanced malwareanalysis training session2 botnet analysis part1

Anatomy of Exploit Kits

Similar to Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14

Reversing and decrypting the communications of HeartBeat Rat - Part1

n|u - The Open Security Community

Reversing malware analysis trainingpart9 advanced malware analysis

Cysinfo Cyber Security Community

Reversing & malware analysis training part 9 advanced malware analysisAbdulrahman Bassam

Advanced malware analysis training session 7 malware memory forensics

Cysinfo Cyber Security Community

Basic malware analysis

securityxploded

Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis

securityxploded

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics

securityxploded

Dissecting the heart beat apt rat functionalities - Part 2

n|u - The Open Security Community

What I wish I knew about security - Allon Mureinik DevConf.CZ 2022

Allon Mureinik

Eighteen years into my career, I decided to pivot and move from infrastructure-related work to the world of application security. If there’s one thing I’ve learned in the three years of working in application security is that it’s a funny business. Our entire business model is based on pointing out the mistakes of other programmers. In this talk, I want to shoot myself in the foot and share some concepts that could help eliminate a lot of those mistakes, and reduce my job to snuffing out the more interesting mistakes.

Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...

securityxploded

Reversing & malware analysis training part 1 lab setup guide

securityxploded

Reversing & malware analysis training part 3 windows pe file format basicsAbdulrahman Bassam

Reversing & malware analysis training part 12 rootkit analysisAbdulrahman Bassam

Reversing & malware analysis training part 8 malware memory forensicsAbdulrahman Bassam

Ransomware for fun and non-profit

Youness Zougar

Andsec Reversing on Mach-o File

Ricardo L0gan

Part of this presentation is based on research published in 2015, which was demonstrated the increasing spread of malware binaries mach-o and how to analyze the type of these binary. In this presentation, we will explain with more detail the structure of Binary using debuggers tools and reverse engineering techniques.The knowledge gained will be useful from analysis of malware as also for challenges type crackmes on CTFs.

Reversing malware analysis training part3 windows pefile formatbasics

Cysinfo Cyber Security Community

Reversing & malware analysis training part 10 exploit development basicsAbdulrahman Bassam

Crisis. advanced malwareYury Chemerkin

Wrath of Ransomware_Longinus TimochencoLonginus Timochenco

Similar to Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14 (20)

Reversing and decrypting the communications of HeartBeat Rat - Part1

Reversing malware analysis trainingpart9 advanced malware analysis

Reversing & malware analysis training part 9 advanced malware analysis

Advanced malware analysis training session 7 malware memory forensics

Basic malware analysis

Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis

Advanced Malware Analysis Training Session 7 - Malware Memory Forensics

Dissecting the heart beat apt rat functionalities - Part 2

What I wish I knew about security - Allon Mureinik DevConf.CZ 2022

Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...

Reversing & malware analysis training part 1 lab setup guide

Reversing & malware analysis training part 3 windows pe file format basics

Reversing & malware analysis training part 12 rootkit analysis

Reversing & malware analysis training part 8 malware memory forensics

Ransomware for fun and non-profit

Andsec Reversing on Mach-o File

Reversing malware analysis training part3 windows pefile formatbasics

Reversing & malware analysis training part 10 exploit development basics

Crisis. advanced malware

Wrath of Ransomware_Longinus Timochenco

Recently uploaded

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

The Future of Platform Engineering

Jemma Hussein Allen

PHP Frameworks: I want to break free (IPC Berlin 2024)

Ralf Eggert

In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development. This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

Leading Change strategies and insights for effective change management pdf 1.pdf

OnBoard

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™

UiPathCommunity

In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni. 📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath: Autopilot per Studio Web Autopilot per Studio Autopilot per Apps Clipboard AI GenAI applicata alla Document Understanding 👨‍🏫👨‍💻 Speakers: Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath Andrei Tasca, RPA Solutions Team Lead @NTT Data

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

Free Complete Python - A step towards Data Science

RinaMondal9

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

Peter Spielvogel

Building better applications for business users with SAP Fiori. • What is SAP Fiori and why it matters to you • How a better user experience drives measurable business benefits • How to get started with SAP Fiori today • How SAP Fiori elements accelerates application development • How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities • How SAP Fiori paves the way for using AI in SAP apps

A tale of scale & speed: How the US Navy is enabling software delivery from l...

sonjaschweigert1

Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved: - Reduction in onboarding time from 5 weeks to 1 day - Improved developer experience and productivity through actionable findings and reduction of false positives - Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO) Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production. We will cover: - How to remove silos in DevSecOps - How to build efficient development pipeline roles and component templates - How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence) - How to streamline operations with automated policy checks on container images

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Recently uploaded (20)

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Pushing the limits of ePRTC: 100ns holdover for 100 days

The Future of Platform Engineering

PHP Frameworks: I want to break free (IPC Berlin 2024)

Securing your Kubernetes cluster_ a step-by-step guide to success !

Leading Change strategies and insights for effective change management pdf 1.pdf

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Introduction to CHERI technology - Cybersecurity

Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

Free Complete Python - A step towards Data Science

Elizabeth Buie - Older adults: Are we really designing for our future selves?

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf

A tale of scale & speed: How the US Navy is enabling software delivery from l...

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

By Design, not by Accident - Agile Venture Bolzano 2024

Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14

1. Monnappa K A

2. The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely of the mine and nothing to do with the company or the organization in which I am currently working. However in no circumstances neither I or SecurityXploded is responsible for any damage or loss caused due to use or misuse of the information presented here

3.  Watering Hole Attack  Watering Hole Targeted Campaign  Demo - Analysis of Watering Hole Campaign  References

4. Monnappa  Member of SecurityXploded  Info Security Investigator @ Cisco  Reverse Engineering, Malware Analysis, Memory Forensics  Email: monnappa22@gmail.com  Twitter: @monnappa22  Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8

5. Image taken from: http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101

6.  Targeted attack posted by FireEye http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor- compromises-us-veterans-of-foreign-wars-website.html

8. The malicious html file checks for the presence of IE 10 with adobe flash. If the browser is IE 10 with flash installed then it loads a malicious flash file (Tope.swf)

9. Flash triggers the exploit and downloads an image file (.jpg)

10. The image file downloaded is not a JPEG file (even though the extension is .jpg) but a PNG file, the below screenshot shows the file header which confirms its be a PNG file

11. The below screenshot shows the image file that was used in the attack.

12. The end of the PNG file contains additional data, this embedded data is the xor encoded (with key 0x95) payload starting at offset 0x8de1 (36321)

13. Simple script to extract and decode the additional content starting at offset 0x8de1 (36321).

14. Decoded content contains two embedded PE files. The below screenshot show the presence of first PE file at offset 0xc (12)

15. The below screenshot show the presence of second PE file at offset 0xA40C (41996)

16. Below snippet of code extracts the two PE files starting at offset 0xc (12) and 0xA40C (41996) and saves it to files "malware1.bin" and "malware2.bin" respectively.

17. The first extracted PE file is a DLL and the Second PE file is a an EXE file (which is ZXShell backdoor) as shown below.

18. Below screenshot shows the VirusTotal results for the sample (malware2.bin), which is a ZxShell Backdoor

19. After executing the ZxShell Backdoor in the sandbox, the malware makes DNS queries to below malicious domains and connect to it on port 443

20.  http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101  http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog- actor-compromises-us-veterans-of-foreign-wars-website.html  http://www.securityweek.com/new-ie-10-zero-day-used-watering-hole-attack-targeting-us-military  http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/

Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14

Similar to Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14 (20)

More from securityxploded

More from securityxploded (18)

Recently uploaded

Recently uploaded (20)

Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14