The term “Watering Hole” has become a popular way to describe targeted malware attacks in which the attackers compromise a legitimate website and insert a “drive-by” exploit in order to compromise the website’s visitors. This technique has long been used in indiscriminate cybercriminal attacks as well as in targeted malware attacks.

While cybercriminals use “drive-by” exploits to indiscriminately compromise as many computers as they can, the use of this technique in relation to APT activity is what Shadowserver aptly described as “strategic web compromises”. The objective is to selectively target visitors interested in specific content. Such attacks often emerge in conjunction with a new drive-by exploit.

Recently, a zero-day exploit affecting Microsoft’s Internet Explorer was discovered on a server associated with the Nitro campaign – the same server that was recently used to serve a Java zero-day exploit. The payload in both cases was Poison Ivy. A second site hosting the Internet Explorer zero-day was soon discovered; however, the payload on that site was PlugX. In total, Security Intelligence have found at least 19 websites that contained the IE zero-day exploit. While it is difficult to determine with absolute certainty, at least some of these sites appear to be “watering hole” attacks.

In addition to the Nitro-related Poison Ivy and PlugX RATs, there are some additional familiar RATs and some unfamiliar malware. One of the recognizable RATs, found as the payload of invitation.{BLOCKED}, is known as the “DRAT” remote access Trojan, a RAT developed by “Dark Security Team” that is widely available on the Internet. DRAT is a full-featured RAT that gives the attackers full control of a compromised computer. This DRAT was configured to connect to {BLOCKED} ({BLOCKED}.{BLOCKED}.229.82).

Another interesting Trojan, dropped by a compromised defense news website, appears to be connected to the “Elderwood” attackers. The packer used in this case is the same packer used by the Hydraq Trojan, which is infamous for its role in the “Aurora” attacks on Google and 30 other companies. In addition, this Trojan (known as “Naid”) was also the payload of an exploit embedded in a compromised human rights group’s website in June 2012. In this case, a compromised defense-related news site hosting the IE 0day exploit dropped the “Naid” Trojan, which connected to support.{BLOCKED} ({BLOCKED}.{BLOCKED}.170.163).

The use of the same 0day exploit by a diversity of threat actors within a short period of time may indicate that the exploit was shared or sold by its developers to multiple operators. Often, a 0day exploit is used by one particular campaign and only later trickles out to other threat actors, but by that time a patch is available for the vulnerability. The distribution model used for this IE 0day is designed for maximum impact: a wide variety of operators are able to conduct attacks against their own targets of interest while no patch is available for the vulnerability.

Cross-posted from: Trend Labs Security Intelligence
