Pierluigi Paganini
May 27, 2013
Watering Hole attacks increase in a meaningful way in the last years following a scaring trend, the technique is based on infection of website’s visitors, typically attackers use to compromise legitimate websites with a “drive-by” exploit.
Watering Hole technique has been observed since 2009 when civil society organizations were attacked with this method and used as a channel to deliver 0-day exploits to specific targets.
The techniques results ideal for the impairment of selected targets, individuals or limited communities, that search for specific contents proposed by website used to deliver malicious code.
Efficiency of Watering Hole attacks increase with the use made by attackers of zero-day exploits that affect victim’s software, in this case victims has no way to protect their systems from the malware diffusion.
Once a victim visits the page on the compromised website a backdoor trojan is installed on his computer, Watering Hole method of attacks is very common for cyber espionage operation or state sponsored attacks. Governments are the primary buyers for zero-day exploits that are used to exploit victim’s machine remaining uncovered for long periods, the capability to remain silent during the time is determinant for the success of the attack.
A recent post published by Dancho Danchev revealed that a Compromised Indian government Web site leads to Black Hole Exploit Kit, the researchers at Webroot firm detected the infection interested the web site of the Ministry of Micro And Medium Enterprises (MSME DI Jaipur).
The researchers tried to profile the campaign discovering that the Black Hole Exploit Kit serving URL was used for other previous client-side exploit serving campaigns, in 2012 the same IP was also seen in fact during a malvertising campaign.
The researchers provided in the post the list of malicious domain name used for the attack and sample of compromised URLs, following the details of the investigation.
Sample compromised URLs: hxxp://sisijaipur.gov.in/cluster_developement.html hxxp://msmedijaipur.gov.in/cluster_developement.html
Malicious domain names/redirectors reconnaissance: 888-move-stuff.com – 50.63.202.21 – Email: [email protected] 888movestuff.com – 208.109.181.190 – Email: [email protected] jobbelts.com (redirector/C&C) – 98.124.198.1 – Email: [email protected]
More malicious domains are known to have been responding to the same IP in the past (98.124.198.1): adventure-holiday-specials.com appraisingla.com arc-res.com a-to-z-of-barbados.com bookmarkingdemonx.com ceointerns.com charityairsupport.org csepros.com dominateseowithwordpress.com enum365.com jobbelts.com karenbrowntx.com rankbuilder2.net seopressors.org stopchasingmoney.com thefamily4life.org ventergy.com
To have an idea of the efficiency of the malware used by attackers, known as Trojan:JS/BlacoleRef.W; Trojan-Downloader.JS.Iframe.czf having MD5 equal to 44a8c0b8d281f17b7218a0fe09840ce9, it is useful to evaluate the detection rate for the malware that is 24 out of 27 antivirus. Despite the The Black Hole Exploit Kit redirecting URL that compromised the Indian government Web site is currently not accepting any connections, the security experts at Webroot noted that it was working on 2012-07-03 08:04:36 delivering malicious content.
The Sample redirection chain discovered by the researcher is
Once exploited the client application on the victim’s machine it is dropped the Trojan-Ransom.Win32.Birele.vjr, aka PWS:Win32/Fareit.gen!C and then additional malware are downloaded from:
hxxp://euxtoncorinthiansfc.co.uk/pd.exe
hxxp://euxtoncorinthiansfc.co.uk/1689.exe
Attacks like this one are becoming very popular, early 2013 Solutionary’s Security Engineering Research Team published an interesting study that revealed the rise of exploit kits mainly originated in Russia.
BlackHole 2.0 is considered most popular and pervasive exploit kit despite it exploits fewer vulnerabilities than other kits do. Over 18% of the malware instance detected were directly attributed to The BlackHole exploit kit that is a web application that exploit known vulnerabilities in most popular applications, frameworks and browsers such as Adobe Reader, Adobe Flash and Java.
Watering Hole is much more efficient if compared to a spear phishing attack in which the success of the operation depend on the recipient clicking the link or opening an attachment. There’s an high probability that victim discard the malicious email, even if malware is able to elude antivirus detection due the presence of a zero-day exploit. Watering Hole allows to overcome this difficulty compromising and infect a website victim is likely to visit.
What to expect from the future?
Security experts have no doubts, the number of watering hole attacks is destined grow in the next months due the large diffusion of exploit kits in the black market and despite the impairment of a target website is much more difficult of other methods of attack.
Pierluigi Paganini
(Security Affairs – Watering Hole attack)
