
Watering hole attacks and exploit kits – Indian gov site case

The number of watering hole attacks is increasing, and most of them rely on well-known exploit kits. The case of a compromised Indian government website that led its visitors to BlackHole.

Watering hole attacks have increased significantly in recent years, following a worrying trend. The technique is based on infecting a website’s visitors: attackers typically compromise a legitimate website and plant a “drive-by” exploit on it.

The watering hole technique has been observed since 2009, when civil society organizations were attacked with this method and used as a channel to deliver 0-day exploits to specific targets.

The technique is ideal for compromising selected targets, individuals or small communities, who look for the specific content offered by the website used to deliver the malicious code.

The efficiency of watering hole attacks increases when attackers use zero-day exploits affecting the victim’s software; in that case victims have no way to protect their systems from the malware.

Once a victim visits the page on the compromised website, a backdoor trojan is installed on their computer. The watering hole method is very common in cyber espionage operations and state-sponsored attacks. Governments are the primary buyers of zero-day exploits, which are used to compromise victims’ machines while remaining undetected for long periods; the capability to stay silent over time is decisive for the success of the attack.

A recent post published by Dancho Danchev revealed that a compromised Indian government website leads to the Black Hole Exploit Kit. Researchers at Webroot detected the infection on the website of the Ministry of Micro And Medium Enterprises (MSME DI Jaipur).

The researchers tried to profile the campaign and discovered that the URL serving the Black Hole Exploit Kit had already been used in previous client-side exploit serving campaigns; in 2012 the same IP was also seen in a malvertising campaign.

In the post the researchers provided the list of malicious domain names used for the attack and a sample of compromised URLs; the details of the investigation follow.

Sample compromised URLs:
 hxxp://sisijaipur.gov.in/cluster_developement.html
 hxxp://msmedijaipur.gov.in/cluster_developement.html
Malicious domain names/redirectors reconnaissance:
 888-move-stuff.com – 50.63.202.21 – Email: van2move@yahoo.com
 888movestuff.com – 208.109.181.190 – Email: van2move@yahoo.com
 jobbelts.com (redirector/C&C) – 98.124.198.1 – Email: aanelli@yahoo.com
More malicious domains are known to have responded to the same IP (98.124.198.1) in the past:

To get an idea of the efficiency of the malware used by the attackers, known as Trojan:JS/BlacoleRef.W; Trojan-Downloader.JS.Iframe.czf (MD5 44a8c0b8d281f17b7218a0fe09840ce9), it is useful to look at its detection rate: 24 out of 27 antivirus engines detect it. Although the Black Hole Exploit Kit redirecting URL that compromised the Indian government website is currently not accepting any connections, the security experts at Webroot noted that it was active on 2012-07-03 08:04:36, delivering malicious content.

The sample redirection chain discovered by the researchers is:

Once the client application on the victim’s machine has been exploited, Trojan-Ransom.Win32.Birele.vjr, aka PWS:Win32/Fareit.gen!C, is dropped, and then additional malware is downloaded from:

hxxp://euxtoncorinthiansfc.co.uk/pd.exe
hxxp://euxtoncorinthiansfc.co.uk/1689.exe
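The compromised pages above carried an injected JS/iframe redirector (Trojan-Downloader.JS.Iframe.czf) that sent visitors to the exploit kit. The following Python scanner is an added example, not Webroot’s or the post’s code: it flags off-site iframe/script includes that are hidden, that match a known-redirector list seeded with jobbelts.com from the post, or that are built by obfuscated inline JavaScript; the sample page is constructed.

```python
# Flag injected drive-by redirectors: off-site iframe/script sources that are hidden or on a known-
# redirector list, plus obfuscated inline JS that builds an iframe. Added example, not Webroot's tooling.
from html.parser import HTMLParser
from urllib.parse import urlparse
KNOWN_REDIRECTORS = {"jobbelts.com"}  # named in the post; extend with your own intel

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a, self._in_script = dict(attrs), tag == "script"
        if a.get("src"):  # record the include plus any size/visibility hints
            self.hits.append((tag, a["src"], a.get("style") or "", a.get("width") or "", a.get("height") or ""))
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:  # inline <script> body
            self.inline.append(data)

def _hidden(style, width, height):
    s = style.lower().replace(" ", "")
    return ("display:none" in s or "visibility:hidden" in s
            or width in ("0", "1") or height in ("0", "1"))

def find_redirectors(html, site_host):
    """Return (tag, host, reasons) for each suspicious include in the page."""
    p = _Collector()
    p.feed(html)
    findings = []
    for tag, src, style, w, h in p.hits:
        host = urlparse(src).hostname
        if not host or host == site_host or host.endswith("." + site_host):
            continue  # relative or same-site includes are normal
        reasons = ["off-site " + tag]
        if _hidden(style, w, h):
            reasons.append("hidden/1px element")
        if any(host == d or host.endswith("." + d) for d in KNOWN_REDIRECTORS):
            reasons.append("known redirector")
        findings.append((tag, host, reasons))
    for js in p.inline:  # e.g. document.write(unescape("%3Ciframe ...")) injections
        if "iframe" in js.lower() and ("unescape(" in js or "fromCharCode" in js):
            findings.append(("script", "inline", ["obfuscated inline script builds an iframe"]))
    return findings

SAMPLE = ('<h1>Cluster development</h1><script src="/js/menu.js"></script>'  # constructed page
          '<iframe src="http://jobbelts.com/in.php" width="1" height="1" style="visibility: hidden"></iframe>')
```

Run `find_redirectors(SAMPLE, "msmedijaipur.gov.in")` against the constructed page to see the hidden, known-bad iframe reported while the same-site menu script is ignored.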

Attacks like this one are becoming very popular. In early 2013 Solutionary’s Security Engineering Research Team published an interesting study that revealed the rise of exploit kits, mainly originating in Russia.

BlackHole 2.0 is considered the most popular and pervasive exploit kit, despite exploiting fewer vulnerabilities than other kits do. Over 18% of the malware instances detected were directly attributed to the BlackHole exploit kit, a web application that exploits known vulnerabilities in the most popular applications, frameworks and browsers, such as Adobe Reader, Adobe Flash and Java.

A watering hole attack is much more efficient than a spear phishing attack, in which the success of the operation depends on the recipient clicking a link or opening an attachment. There is a high probability that the victim discards the malicious email, even if the malware is able to elude antivirus detection thanks to a zero-day exploit. The watering hole technique overcomes this difficulty by compromising and infecting a website the victim is likely to visit.

What to expect from the future?

Security experts have no doubts: the number of watering hole attacks is destined to grow in the coming months due to the wide availability of exploit kits on the black market, even though compromising a target website is much more difficult than other methods of attack.

Pierluigi Paganini

(Security Affairs – Watering Hole attack)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
