Nowadays, many people probably recognize exploit of vulnerabilities in publicly exposed assets such as VPN and firewalls as the attack vector. In fact, many security incidents reported to JPCERT/CC also involve such devices. This is because vulnerabilities in VPN devices are exploited not only by APT groups but also by many other groups such as ransomware actors and cyber crime actors, and the number of incidents is high accordingly. As the number of security incidents arising from these specific attack vectors increases, on the other hand, people tend to forget about countermeasures for other attack vectors. Attackers use a variety of methods to conduct attacks, including email, websites, and social networking services. Figure 1 shows a timeline of security incidents related to targeted attacks that JPCERT/CC has confirmed.
As you can see from this figure, there are many methods used for penetrating networks. In this article, we will introduce two cases of watering hole attacks in Japan that received little attention in recent years. We hope that you will find these security incidents useful when planning your security measures. Part 1 covers a case in which the website of a university research laboratory was exploited in 2023.
Flow of the attack
Figure 2 shows the flow of the watering hole attack. When a user accesses a tampered website, a fake Adobe Flash Player update screen is displayed, and if the user downloads and executes the file as instructed, their computer becomes infected with malware.
The infected website has JavaScript embedded, as shown in Figure 3, and when the user accesses the site, a Japanese pop-up message is displayed.
One of the characteristics of this watering hole attack is that it did not exploit vulnerabilities for malware infection but used a social engineering technique to trick users who accessed the site into downloading and executing the malware by themselves.
Malware used in the attack
FlashUpdateInstall.exe, the malware downloaded in this attack, displays a decoy document as shown in Figure 4, and has the function to create and execute the core malware (system32.dll). The decoy document is a text file, and it contains a string of text indicating that the update of Adobe Flash Player was successful.
The created system32.dll is injected into the Explorer process (Early Bird Injection). This DLL file was distinctive as it had been tampered by Cobalt Strike Beacon (version 4.5) to have a watermark of 666666. For detailed configuration information on Cobalt Strike, please see Appendix D.
Examples of attacks by the same group
The attack group involved in this watering hole attack is unknown. The C2 server was hosted on Cloudflare Workers, Cloudflare’s edge serverless service. In addition, we have confirmed that the same attacker is conducting other attacks. Figure 5 shows the behavior of other types of malware confirmed through our investigation of C2 servers.
Look at Figure 5. In the first example, the attacker disguised the file name as a file from the Ministry of Economy, Trade and Industry, and a document released by the Ministry was used as a decoy. In addition, the malware (Tips.exe) used in the second example had the feature to allow options to be specified on execution. Options that can be specified are as follows.
- –is_ready: Setup mode
- –sk: Disable anti-analysis function
- –doc_path: Folder to save decoy documents
- –parent_id: Process ID of the malware
- –parent_path: Execution path of the malware
- –auto: Malware execution mode
"C:\Users\Public\Downloads\Tips.exe" --is_ready=1 --sk=0 --doc_path='[current_path]' --parent_id=[pid] --parent_path='[malware_file]'
This sample used a rarely seen technique: using EnumWindows and EnumUILanguages functions when executing the DLL file.
Furthermore, the malware can stop antivirus software (process name: avp.exe) and has a function to detect the following as an anti-analysis function.
- Whether there are more than 40 processes
- Whether the memory size is larger than 0x200000000 (approx. 8G)
- Whether any of the following are included in the physical drive name
- VBOX
- Microsoft Virtual Disk
- VMWare
In Closing
We hope this article will be helpful for you to consider your security measures. In Part 2, we will continue to introduce cases of watering hole attacks.
Kota Kino, Shusei tomonaga
(Translated by Takumi Nakano)
Appendix A:C2 servers
- www.mcasprod.com
- patient-flower-ccef.nifttymailcom.workers.dev
- patient-flower-cdf.nifttymailcom.workers.dev
Appendix B:Malware hash value
Jack Viewer
- 791c28f482358c952ff860805eaefc11fd57d0bf21ec7df1b9781c7e7d995ba3
- a0224574ed356282a7f0f2cac316a7a888d432117e37390339b73ba518ba5d88
Cobalt Strike 4.5
- 7b334fce8e3119c2807c63fcc7c7dc862534f38bb063b44fef557c02a10fdda1
Decoy File
- 284431674a187a4f5696c228ce8575cbd40a3dc21ac905083e813d7ba0eb2f08
- df0ba6420142fc09579002e461b60224dd7d6d159b0f759c66ea432b1430186d
Infected Website
- 3bf1e683e0b6050292d13be44812aafa2aa42fdb9840fb8c1a0e4424d4a11e21
- f8ba95995d772f8c4c0ffcffc710499c4d354204da5fa553fd33cf1c5f0f6edb
Appendix C:PDB
- C:\Users\jack\viewer\bin\viewer.pdb
Appendix D:Cobalt Strike Config
dns False
ssl True
port 443
.sleeptime 45000
.http-get.server.output 0000000400000001000005f200000002000000540000000200000f5b0000000d0000000f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.jitter 37
publickey 30819f300d06092a864886f70d010101050003818d0030818902818100daca3d111909f81f4a40d3b0648bb079f2d89b3d579016fe4da97055d2975bf4d633de34346e82948450a222eb92102fe866fd6b5ec2f633c032c124aa5824bee30825fa6ac2d9abef369280076174ee12caa72bbacab906b80c29e89f82380f5e8c45a287c6874b58cc0d1d28332c92de35e21ad4817667bd10b997b345f985020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
.http-get.uri patient-flower-ccef.nifttymailcom.workers.dev,/jquery-3.3.1.min.js
67 0
68 4294967295
69 4294967295
70 4294967295
.spawto
.post-ex.spawnto_x86 %windir%\syswow64\dllhost.exe
.post-ex.spawnto_x64 %windir%\sysnative\dllhost.exe
.cryptoscheme 0
.http-get.verb GET
.http-post.verb POST
shouldChunkPosts 0
.watermark 666666
36 MYhXSMGVvcr7PtOTMdABvA==
.stage.cleanup 1
CFGCaution 0
71 0
72 0
73 0
.user-agent Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
.http-post.uri /jquery-3.3.2.min.js
.http-get.client
GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#Referer: http://cdn.nifttymail.com/
__cfduid= Cookieate
.http-post.client
GAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#Referer: http://cdn.nifttymail.com/
__cfduid deflate
host_header Host: patient-flower-ccef.nifttymailcom.workers.dev
cookieBeacon 1
.proxy_type 2
58 0005800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
57 0005800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
funk 0
killdate 0
text_section 1