Watering Hole Attacks Case Study and Analysis_SecurityXploded_Meet_june14
Page 1
Watering Hole Attacks, case study and analysis
Monnappa K A
Page 2
Disclaimer
The content, demonstration, source code and programs presented here are provided "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or organization in which I am currently working.
However, in no circumstances is either I or SecurityXploded responsible for any damage or loss caused by use or misuse of the information presented here.
Page 3
Contents
Watering Hole Attack
Watering Hole Targeted Campaign
Demo - Analysis of Watering Hole Campaign
References
Page 4
Who Am I
Monnappa
Member of SecurityXploded
Info Security Investigator @ Cisco
Reverse Engineering, Malware Analysis, Memory Forensics
Email: [email protected]
Twitter: @monnappa22
LinkedIn: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
Page 5
Watering Hole Attack
Image taken from: http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101
Page 6
Watering Hole Targeted Campaign
Targeted attack posted by FireEye: http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
Page 7
Demo
Analysis of Watering Hole Campaign
Page 8
Exploit Loader
The malicious HTML file checks whether the visitor's browser is IE 10 with Adobe Flash installed. Only if both conditions hold does it load the malicious Flash file (Tope.swf); other browsers are left alone, which keeps the exploit away from analysts and sandboxes that do not match the target profile.
Page 9
Malicious Flash Object
The Flash file triggers the exploit and then downloads an image file (.jpg).
Page 10
Image file is a PNG file
The downloaded image is not a JPEG (despite the .jpg extension) but a PNG. The screenshot below shows the file header, which confirms that it is a PNG: the file type is decided by the magic bytes, not by the extension.
Page 11
Image file used in the attack
The screenshot below shows the image file that was used in the attack.
Page 12
Image file contains additional data
The PNG file carries additional data after the end of the image. This embedded data is the payload, XOR-encoded with the single-byte key 0x95, and it starts at offset 0x8de1 (36321).
Page 13
Script to extract and decode content
A simple script extracts and decodes the additional content starting at offset 0x8de1 (36321).
Page 14
First PE file in decoded content
The decoded content contains two embedded PE files. The screenshot below shows the first PE file at offset 0xc (12).
Page 15
Second PE file in decoded content
The screenshot below shows the second PE file at offset 0xA40C (41996).
Page 16
Script to extract PE files
The code snippet below extracts the two PE files starting at offsets 0xc (12) and 0xA40C (41996) and saves them to the files "malware1.bin" and "malware2.bin" respectively.
Page 17
Extracted PE files
The first extracted PE file is a DLL and the second is an EXE (the ZxShell backdoor), as shown below.
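The steps on pages 10 to 17 (identify the container by its header, find the data appended after the PNG, XOR-decode it with 0x95, carve the two PE files and tell the DLL from the EXE) can be reproduced with the script below. This is an added example, not the script shown in the talk's screenshots. It builds its own constructed sample (a 1x1 PNG with a fabricated DLL and EXE appended), so the trailer offset it reports is that of the constructed file rather than 0x8de1; unlike the slide's script it derives the offset from the IEND chunk instead of hardcoding it, and it sizes each PE from its section table instead of assuming fixed offsets. All function and variable names are the example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
XOR_KEY = 0x95  # single-byte key reported on the slides

def identify_by_header(data):
    """Classify a blob by magic bytes; the .jpg extension is ignored."""
    if data.startswith(PNG_SIG):
        return "PNG"
    if data.startswith(b"\xff\xd8\xff"):
        return "JPEG"
    if data.startswith(b"MZ"):
        return "PE"
    return "unknown"

def png_end_offset(data):
    """Walk the chunk list and return the offset just past IEND; a well-formed PNG
    ends there, so anything after it is a trailer (0x8de1 in the real sample)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 8 + length + 4              # length+type, payload, CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")

def xor_decode(buf, key):
    return bytes(b ^ key for b in buf)

def pe_size(blob, start):
    """Size of the PE at `start`: the end of the last section's raw data."""
    e_lfanew = struct.unpack_from("<I", blob, start + 0x3C)[0]
    coff = start + e_lfanew + 4            # skip the 'PE\0\0' signature
    nsec = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    sec = coff + 20 + opt_size
    end = sec + nsec * 40
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec + i * 40 + 16)
        end = max(end, start + raw_ptr + raw_size)
    return end - start

def pe_kind(blob, start):
    """'DLL' if IMAGE_FILE_DLL (0x2000) is set in COFF Characteristics, else 'EXE'."""
    e_lfanew = struct.unpack_from("<I", blob, start + 0x3C)[0]
    chars = struct.unpack_from("<H", blob, start + e_lfanew + 4 + 18)[0]
    return "DLL" if chars & 0x2000 else "EXE"

def carve_pe_files(blob):
    """Every MZ header whose e_lfanew lands on 'PE\0\0', as (offset, kind, bytes)."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1 and pos + 0x40 <= len(blob):
        e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
        sig = pos + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\0\0":
            size = pe_size(blob, pos)
            found.append((pos, pe_kind(blob, pos), blob[pos:pos + size]))
            pos = blob.find(b"MZ", pos + size)   # skip past the carved image
        else:
            pos = blob.find(b"MZ", pos + 1)
    return found

def analyze(data):
    """Container type, trailer offset and the PE files hidden in the trailer."""
    kind = identify_by_header(data)
    if kind != "PNG":
        return {"container": kind, "pes": []}
    start = png_end_offset(data)
    decoded = xor_decode(data[start:], XOR_KEY)
    pes = [(off, k, len(pe)) for off, k, pe in carve_pe_files(decoded)]
    return {"container": kind, "trailer_offset": start, "pes": pes}

def build_min_pe(is_dll, body):
    """Constructed: smallest one-section PE-shaped file the carver accepts (0x80-byte headers)."""
    raw_ptr = 0x40 + 4 + 20 + 40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    chars = 0x2002 if is_dll else 0x0002                            # DLL | EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, chars)     # i386, 1 section, no optional header
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(body), 0x1000, len(body), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + coff + sect + body

def png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_sample():
    """Constructed stand-in for the campaign's .jpg: a 1x1 PNG plus an XOR-0x95 trailer
    holding 12 filler bytes, then a DLL, then an EXE (so the DLL lands at 0xc as on the slide)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    png = PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(b"\0\xff\0\0")) + png_chunk(b"IEND", b"")
    payload = b"\0" * 12 + build_min_pe(True, b"dll-body" * 4) + build_min_pe(False, b"exe-body" * 8)
    return png + xor_decode(payload, XOR_KEY)      # XOR is symmetric, so decode() encodes

if __name__ == "__main__":
    print(analyze(build_sample()))
```

Run against a real sample, the `trailer_offset` is the value to compare with the 0x8de1 on page 12, and each entry in `pes` gives the offset inside the decoded trailer (0xc and 0xA40C in the talk), whether it is a DLL or an EXE, and how many bytes to write out as malware1.bin / malware2.bin. A trailer that decodes to nothing carvable usually means a different key or a multi-byte key; trying all 256 single-byte keys and looking for "MZ" is the cheap next step.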
Page 18
ZxShell Backdoor
The screenshot below shows the VirusTotal results for the sample (malware2.bin), which is identified as a ZxShell backdoor.
Page 19
Network traffic of ZxShell Backdoor
After the ZxShell backdoor is executed in the sandbox, it issues DNS queries for the malicious domains shown below and then connects to the resolved addresses on port 443.
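Turning that sandbox observation (DNS lookups followed by connections on 443) into indicators means pairing each outbound 443 connection with the name that resolved to its address. The script below does that over a constructed sandbox network summary; it is an added example, not output from the talk, and the domains (.invalid) and IPs (documentation ranges) are placeholders, not the domains shown on the slide. The log format and function names are the example's own.

```python
import re
from collections import OrderedDict

# Constructed sandbox network summary (not the capture from the talk).
# Domains use .invalid and IPs are documentation ranges, so nothing here is a real IOC.
SAMPLE_LOG = """\
10:00:01 dns query  A c2-one.example.invalid
10:00:01 dns answer c2-one.example.invalid 198.51.100.10
10:00:02 tcp syn    198.51.100.10:443
10:00:05 dns query  A updates.example.invalid
10:00:05 dns answer updates.example.invalid 203.0.113.7
10:00:06 tcp syn    203.0.113.7:80
10:00:09 dns query  A c2-two.example.invalid
10:00:09 dns answer c2-two.example.invalid 198.51.100.11
10:00:10 tcp syn    198.51.100.11:443
10:00:12 tcp syn    192.0.2.50:443
"""

DNS_ANSWER = re.compile(r"^(\S+) dns answer (\S+) (\S+)$")
TCP_SYN = re.compile(r"^(\S+) tcp syn\s+(\S+):(\d+)$")

def correlate_c2(log_text, port=443):
    """Pair each outbound connection on `port` with the DNS name that resolved to its IP.
    A connection to an address no DNS answer produced is flagged 'no-dns': either a
    hardcoded C2 address or a resolution the capture missed, both worth a second look."""
    ip_to_name = {}
    results = []
    for line in log_text.splitlines():
        m = DNS_ANSWER.match(line)
        if m:
            _, name, ip = m.groups()
            ip_to_name[ip] = name          # last answer wins; fine for a short sandbox run
            continue
        m = TCP_SYN.match(line)
        if m and int(m.group(3)) == port:
            ts, ip, _ = m.groups()
            results.append({"time": ts, "ip": ip, "port": port,
                            "domain": ip_to_name.get(ip, "no-dns")})
    return results

def iocs(results):
    """Unique (domain, ip) pairs, in first-seen order, ready for a blocklist or watchlist."""
    seen = OrderedDict()
    for r in results:
        seen[(r["domain"], r["ip"])] = None
    return list(seen)

if __name__ == "__main__":
    for pair in iocs(correlate_c2(SAMPLE_LOG)):
        print(pair)
```

Port 443 here is only a hint, not TLS: ZxShell and similar backdoors pick 443 to blend in with HTTPS, so the next check on a real capture is whether the traffic on that port actually starts with a TLS ClientHello.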
Page 20
References
http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101
http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
http://www.securityweek.com/new-ie-10-zero-day-used-watering-hole-attack-targeting-us-military
http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/
Page 21
Question & Answer
Page 22
Thank you