Watering hole attacks, where saboteurs infect websites of interest to their targets, are a “tried and true attack vector” that bad actors continue to revisit as evidenced by a Sept. 4 attack that put a Fortune 1000 company on alert, security researchers found.
Bromium Labs was contacted by the company, a customer, after one of its LAVA sensors had detected an attack aimed at “potential viewers of a technology start-up [website] in the oil and gas sector,” the firm noted in a blog post.
The timing of the attack, days after the oil and gas company publicized “a sizable funding grant,” led researchers to believe that saboteurs anticipated “more traffic to the website and hoped to increase their chances of a successful infection.”
ONG companies are attractive targets to attackers keen on stealing IP and sensitive data. “This particular example took our attention as the attackers targeted the ONG tech start-up company days after they were in the news for having secured new funding for their technology,” Rahul Kashyap, Chief Security Architect & Head of Security Research at Bromium, told SCMagazine.com in a Wednesday email correspondence. “Ultimately, the user who visited this site was someone in a U.S. Fortune 1000 manufacturing company who was viewing this company after the announcement. This shows a classic end-to-end scenario of how such attacks proliferate organizations.”
What Bromium found was malware that leveraged the CVE-2013-7331 vulnerability, which at that time was unpatched and had already been exploited in the wild by various exploit kits.
“The trojan dropped was fairly sophisticated. It had obfuscation, anti-debugging, vm-detection, used an unpatched IE vulnerability (CVE-2013-7331) and some classic social engineering tricks,” said Kashyap. “The dropped malware was a tool for installing other malicious programs on the infected system.” Its authors, he said, “could sell the infected systems as a 'vacant spot' for further malware installs.”
The script on the compromised web server leveraged the XMLDOM vulnerability to look for Kaspersky and Trend Micro drivers on the victim's computer. Bromium researchers theorize that the attackers had tested the malware with those engines and were aware that they could detect it. What followed was a series of redirects. One cookie-based redirect modified .JS files; another led to a plain iframe and a third hijacked “onmouseover and onhover events of the page DOM.”
An iframe first points at google.com but later the malicious URL overwrites its property. A popup_open function determines whether “the page referrer is in the blacklist,” which in this attack was empty. The victim is then directed to a drive-by-download page, where a version of the Sweet Orange exploit pack is hosted.
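The web-side stages described above leave static fingerprints in the injected script: a `res://` reference to local driver files (the CVE-2013-7331 XMLDOM information-disclosure pattern), an iframe whose `src` is set to a benign host and later overwritten, and a redirect gated on `document.referrer`. The following is an added example, not Bromium's code, of a defender-side scanner that flags those patterns in page scripts pulled from a web server or proxy cache; the script it scans is a constructed sample modelled on the description, and the driver file names in it are placeholders, not real vendor driver names.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of injected page script, modelled on the behaviour
# reported above. It is not the script Bromium analysed; vendorA_av.sys and
# vendorB_av.sys are placeholders, and landing.example.invalid is a dummy host.
SAMPLE_SCRIPT = r"""
var x = new ActiveXObject("Microsoft.XMLDOM");
x.load("res://C:\\Windows\\System32\\drivers\\vendorA_av.sys::1");
x.load("res://C:\\Windows\\System32\\drivers\\vendorB_av.sys::1");
var blacklist = [];
var f = document.createElement("iframe");
f.src = "http://google.com";
if (blacklist.indexOf(document.referrer) == -1) {
  f.src = "http://landing.example.invalid/gate.php";
}
document.body.appendChild(f);
"""

# res:// URIs point at local files; on a vulnerable IE the load result leaks
# whether the file exists, which is how installed AV drivers were probed.
RES_URI = re.compile(r'res://([^"\'\s>]+)', re.IGNORECASE)
XMLDOM = re.compile(r'ActiveXObject\s*\(\s*["\']Microsoft\.XMLDOM["\']\s*\)', re.IGNORECASE)
SRC_ASSIGN = re.compile(r'(\w+)\.src\s*=\s*["\']([^"\']+)["\']')
REFERRER = re.compile(r'document\.referrer')


def probed_files(script: str) -> List[str]:
    """File names referenced through res:// URIs (local-file existence probes)."""
    names = []
    for m in RES_URI.finditer(script):
        path = m.group(1).split("::")[0]            # drop the resource-id suffix
        names.append(re.split(r'[\\/]', path)[-1])  # keep only the file name
    return names


def iframe_rewrites(script: str) -> List[Tuple[str, str]]:
    """Elements whose .src is assigned more than once: (first URL, last URL)."""
    seen: Dict[str, List[str]] = {}
    for var, url in SRC_ASSIGN.findall(script):
        seen.setdefault(var, []).append(url)
    return [(urls[0], urls[-1]) for urls in seen.values() if len(urls) > 1]


def scan_script(script: str) -> List[str]:
    """Return a list of finding tags; an empty list means nothing suspicious."""
    findings = []
    files = probed_files(script)
    if XMLDOM.search(script) and files:
        findings.append("xmldom-res-probe:" + ",".join(files))
    for first, last in iframe_rewrites(script):
        findings.append(f"iframe-src-rewrite:{first}->{last}")
    if REFERRER.search(script):
        findings.append("referrer-gate")
    return findings


if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(finding)
```

Each rule on its own is weak (legitimate pages read `document.referrer`), so treat the combination, particularly a `res://` probe of anything under a drivers directory, as the trigger for pulling the full page for manual review.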
Furthermore, the malware disguises the dropped trojan as the Window folder, which Bromium said was likely to “evade most people at first glance.” The dropper, written in VB5, uses a common method of obfuscation, creating an instance of itself then modifying the code section. The self-contained payload doesn't depend on imported functions but rather “resolves process names on the fly using the hash technique.”
The payload de-obfuscates in stages. And the trojan won't run if it finds certain processes on the system—Bromium attempted to determine the names of the processes, which are presented only as hash values, but could only identify two of them—Wireshark and Process Monitor. The malware also calls GetModuleHandleA in an attempt “to fingerprint if the victim is running inside Sandboxie.”
And it looks for virtualization software artifacts by querying values stored in HKLM\SYSTEM\CurrentControlSet. Storing malicious code on the tk key “is an attempt to evade security software,” said Kashyap. While most malware developers test products before release, he said, the “black market has several services analogous to VirusTotal but … totally anonymous. So that might indicate that the registry is a blind spot for some AV or HIPS.”
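Because the blocklisted process names are stored only as hash values, an analyst recovers them the way Bromium evidently did: hash a wordlist of known analysis-tool process names with the sample's algorithm and look for collisions with the embedded constants. The following is an added example, not Bromium's code. The article does not give the sample's hash algorithm, so the rotate-right-13 accumulator below is an assumed stand-in that the analyst would replace with the routine lifted from the binary; the hash constants are constructed from that stand-in so the example is self-checking, and the wordlist is a starter list to extend.

```python
from typing import Callable, Dict, Iterable, List, Tuple


def ror13_hash(name: str) -> int:
    """ASSUMED stand-in: rotate-right-13 accumulate over the upper-cased name.
    Replace with the hash routine recovered from the actual sample."""
    h = 0
    for ch in name.upper().encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


# Starter wordlist of process names for monitoring tools and VM guest agents
# that evasive samples commonly check for; extend it from your own lab images.
ANALYSIS_TOOLS: List[str] = [
    "wireshark.exe", "procmon.exe", "procexp.exe", "tcpview.exe",
    "regmon.exe", "filemon.exe", "ollydbg.exe", "windbg.exe", "idaq.exe",
    "vboxservice.exe", "vmtoolsd.exe", "sbiectrl.exe",
]

# Constructed constants standing in for the hashes pulled out of the binary:
# two that the wordlist can explain, one that it cannot.
SAMPLE_HASHES: List[int] = [
    ror13_hash("wireshark.exe"),
    ror13_hash("procmon.exe"),
    ror13_hash("unlisted-tool.exe"),
]


def resolve_hashes(
    hashes: Iterable[int],
    wordlist: Iterable[str],
    hash_fn: Callable[[str], int] = ror13_hash,
) -> Tuple[Dict[int, str], List[int]]:
    """Map each embedded hash to a wordlist name where one collides.

    Returns (matched, unknown): matched is {hash: process name}; unknown lists
    hashes no wordlist entry produced, i.e. names still to be recovered.
    """
    table = {hash_fn(name): name for name in wordlist}
    matched: Dict[int, str] = {}
    unknown: List[int] = []
    for h in hashes:
        if h in table:
            matched[h] = table[h]
        else:
            unknown.append(h)
    return matched, unknown


if __name__ == "__main__":
    matched, unknown = resolve_hashes(SAMPLE_HASHES, ANALYSIS_TOOLS)
    for h, name in matched.items():
        print(f"{h:#010x} -> {name}")
    for h in unknown:
        print(f"{h:#010x} -> (not in wordlist)")
```

The unknown list is the useful output for detection engineering: every hash it leaves unexplained is a process name the attacker cared about that your lab naming does not yet cover, and any name it does recover tells you which tools to rename or hide before dynamic analysis of the sample will show anything.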
Noting that the methods used “are not the smartest ones,” Bromium researchers emphasized that “they do a great job evading automated analysis tools.” Malicious activity doesn't show up “in the presence of some monitoring tools,” the Bromium blog said, making dynamic analysis by itself “not very useful in this case.”
The important feature in this case was “its ability to elude automated analysis environments and sandboxes in order to stay away from AV labs,” which it does “by identifying artifacts of several virtualization platforms and monitoring tools usually deployed in these platforms,” said Kashyap.