朝長 秀誠 (Shusei Tomonaga)

朝長 秀誠 (Shusei Tomonaga)

Recent Cases of Watering Hole Attacks, Part 1

Nowadays, many people probably recognize exploit of vulnerabilities in publicly exposed assets such as VPN and firewalls as the attack vector. In fact, many security incidents reported to JPCERT/CC also involve such devices. This is because vulnerabilities in VPN devices are exploited not only by APT groups but also by many other groups such as ransomware actors and cyber crime actors, and the number of incidents is high accordingly. As the number of security incidents arising from these specific attack vectors increases, on the other hand, people tend to forget about countermeasures for other attack vectors. Attackers use a variety of methods to conduct attacks, including email, websites, and social networking services. Figure 1 shows a timeline of security incidents related to targeted attacks that JPCERT/CC has confirmed.

Targeted attacks confirmed by JPCERT/CC between 2023 and 2024
Figure 1: Targeted attacks confirmed by JPCERT/CC between 2023 and 2024

As you can see from this figure, there are many methods used for penetrating networks. In this article, we will introduce two cases of watering hole attacks in Japan that received little attention in recent years. We hope that you will find these security incidents useful when planning your security measures. Part 1 covers a case in which the website of a university research laboratory was exploited in 2023.

Flow of the attack

Figure 2 shows the flow of the watering hole attack. When a user accesses a tampered website, a fake Adobe Flash Player update screen is displayed, and if the user downloads and executes the file as instructed, their computer becomes infected with malware.

Flow of the attack
Figure 2: Flow of the attack

The infected website has JavaScript embedded, as shown in Figure 3, and when the user accesses the site, a Japanese pop-up message is displayed.

Malicious code embedded in the tampered website
Figure 3: Malicious code embedded in the tampered website

One of the characteristics of this watering hole attack is that it did not exploit vulnerabilities for malware infection but used a social engineering technique to trick users who accessed the site into downloading and executing the malware by themselves.

Malware used in the attack

FlashUpdateInstall.exe, the malware downloaded in this attack, displays a decoy document as shown in Figure 4, and has the function to create and execute the core malware (system32.dll). The decoy document is a text file, and it contains a string of text indicating that the update of Adobe Flash Player was successful.

Example of malware code
Figure 4: Example of malware code

The created system32.dll is injected into the Explorer process (Early Bird Injection). This DLL file was distinctive as it had been tampered by Cobalt Strike Beacon (version 4.5) to have a watermark of 666666. For detailed configuration information on Cobalt Strike, please see Appendix D.

Examples of attacks by the same group

The attack group involved in this watering hole attack is unknown. The C2 server was hosted on Cloudflare Workers, Cloudflare’s edge serverless service. In addition, we have confirmed that the same attacker is conducting other attacks. Figure 5 shows the behavior of other types of malware confirmed through our investigation of C2 servers.

Malware possibly used by the same attacker
Figure 5: Malware possibly used by the same attacker

Look at Figure 5. In the first example, the attacker disguised the file name as a file from the Ministry of Economy, Trade and Industry, and a document released by the Ministry was used as a decoy. In addition, the malware (Tips.exe) used in the second example had the feature to allow options to be specified on execution. Options that can be specified are as follows.

  • --is_ready: Setup mode
  • --sk: Disable anti-analysis function
  • --doc_path: Folder to save decoy documents
  • --parent_id: Process ID of the malware
  • --parent_path: Execution path of the malware
  • --auto: Malware execution mode
"C:\Users\Public\Downloads\Tips.exe" --is_ready=1 --sk=0 --doc_path='[current_path]' --parent_id=[pid] --parent_path='[malware_file]'

This sample used a rarely seen technique: using EnumWindows and EnumUILanguages functions when executing the DLL file.

DLL injection technique
Figure 6: DLL injection technique

Furthermore, the malware can stop antivirus software (process name: avp.exe) and has a function to detect the following as an anti-analysis function.

  • Whether there are more than 40 processes
  • Whether the memory size is larger than 0x200000000 (approx. 8G)
  • Whether any of the following are included in the physical drive name
    • VBOX
    • Microsoft Virtual Disk
    • VMWare

In Closing

We hope this article will be helpful for you to consider your security measures. In Part 2, we will continue to introduce cases of watering hole attacks.

Kota Kino, Shusei tomonaga

(Translated by Takumi Nakano)

Appendix A:C2 servers

  • www.mcasprod.com
  • patient-flower-ccef.nifttymailcom.workers.dev
  • patient-flower-cdf.nifttymailcom.workers.dev

Appendix B:Malware hash value

Jack Viewer

  • 791c28f482358c952ff860805eaefc11fd57d0bf21ec7df1b9781c7e7d995ba3
  • a0224574ed356282a7f0f2cac316a7a888d432117e37390339b73ba518ba5d88

Cobalt Strike 4.5

  • 7b334fce8e3119c2807c63fcc7c7dc862534f38bb063b44fef557c02a10fdda1

Decoy File

  • 284431674a187a4f5696c228ce8575cbd40a3dc21ac905083e813d7ba0eb2f08
  • df0ba6420142fc09579002e461b60224dd7d6d159b0f759c66ea432b1430186d

Infected Website

  • 3bf1e683e0b6050292d13be44812aafa2aa42fdb9840fb8c1a0e4424d4a11e21
  • f8ba95995d772f8c4c0ffcffc710499c4d354204da5fa553fd33cf1c5f0f6edb

Appendix C:PDB

  • C:\Users\jack\viewer\bin\viewer.pdb

Appendix D:Cobalt Strike Config

dns                            False
ssl                            True
port                           443
.sleeptime                     45000
.http-get.server.output        0000000400000001000005f200000002000000540000000200000f5b0000000d0000000f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.jitter                        37
publickey                      30819f300d06092a864886f70d010101050003818d0030818902818100daca3d111909f81f4a40d3b0648bb079f2d89b3d579016fe4da97055d2975bf4d633de34346e82948450a222eb92102fe866fd6b5ec2f633c032c124aa5824bee30825fa6ac2d9abef369280076174ee12caa72bbacab906b80c29e89f82380f5e8c45a287c6874b58cc0d1d28332c92de35e21ad4817667bd10b997b345f985020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.http-get.uri                  patient-flower-ccef.nifttymailcom.workers.dev,/jquery-3.3.1.min.js
67                             0
68                             4294967295
69                             4294967295
70                             4294967295
.spawto
.post-ex.spawnto_x86           %windir%\syswow64\dllhost.exe
.post-ex.spawnto_x64           %windir%\sysnative\dllhost.exe
.cryptoscheme                  0
.http-get.verb                 GET
.http-post.verb                POST
shouldChunkPosts               0
.watermark                     666666
36                             MYhXSMGVvcr7PtOTMdABvA==
.stage.cleanup                 1
CFGCaution                     0
71                             0
72                             0
73                             0
.user-agent                    Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
.http-post.uri                 /jquery-3.3.2.min.js
.http-get.client
   GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   #Referer: http://cdn.nifttymail.com/
       __cfduid=      Cookieate
.http-post.client
   GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   #Referer: http://cdn.nifttymail.com/
    __cfduid            deflate          
host_header                    Host: patient-flower-ccef.nifttymailcom.workers.dev

cookieBeacon                   1
.proxy_type                    2
58                             0005800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
57                             0005800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
funk                           0
killdate                       0
text_section                   1

Author

朝長 秀誠 (Shusei Tomonaga)

朝長 秀誠 (Shusei Tomonaga)

Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.

Back
Top