Watering Holes and Zero-Day Attacks

The term “Watering Hole” has become a popular way to describe targeted malware attacks in which the attackers compromise a legitimate website and insert a “drive-by” exploit in order to compromise the website’s visitors. Two recent papers by our friends at RSA and Symantec documented such attacks.

Of course, such attacks are not new. This technique has long been used by indiscriminate cybercriminal attacks as well as targeted malware attacks. I documented the use of such techniques in 2009 and 2010 and there have been more recent cases as well.

While cybercriminals use “drive-by” exploits to indiscriminately compromise as many computers as they can, the use of this technique in relation to APT activity is what Shadowserver aptly described as “strategic web compromises”. The objective is to selectively target visitors interested in specific content. Such attacks often emerge in conjunction with a new drive-by exploit.

Recently, a zero-day exploit affecting Microsoft’s Internet Explorer was discovered on a server associated with the Nitro campaign – the same server that was recently used to serve a Java zero-day exploit. The payload (in both cases) was Poison Ivy. A second site hosting the Internet Explorer zero-day was soon discovered, however, the payload of that site was PlugX.

In total, we have found at least 19 websites that contained the IE zero-day exploit. While it is difficult to determine with absolute certainty, at least some of these sites appear to be “watering hole” attacks.


It is interesting to note that these 19 sites cluster into 14 groups. In other words, other than the common use of this exploit, there is no apparent connection between any them. Looking at 11 of these groups, we found 11 different payloads (we were unable to collect the payload for 3 of the sites).

In addition to the Nitro-related Poison Ivy as well as the PlugX RATs discussed above, we found some additional familiar RATs as well as some unfamiliar (at least to me) malware. One of the recognizable RATs, found as the payload of invitation.{BLOCKED}as.com, is known as “DRAT” remote access Trojan, which is RAT developed by “Dark Security Team” and is widely available on the Internet.

DRAT is a full featured RAT that gives the attackers full control of a compromised computer. This DRAT was configured to connect to {BLOCKED}le.moo.com ({BLOCKED}.{BLOCKED}.229.82).

Another interesting Trojan dropped by a compromise defense news website appears to be connected to the “Elderwood” attackers. The packer used in this case is the same packer used by the Hydraq Trojan, which is infamous for its role in the “Aurora” attacks on Google and 30 other companies. In addition, this Trojan (known as “Naid”) was also the payload of an exploit embedded in a compromised human rights group’s website in June 2012. In this case, a compromised defense related news site hosting the IE 0day exploit dropped the “Naid” Trojan, which connected to support.{BLOCKED}b.com ({BLOCKED}.{BLOCKED}.170.163).

The use of the same 0day exploit by a diversity of threat actors within a short period of time may indicate that the exploit was shared or sold by its developers to multiple operators. Often, a 0day exploit is used by one particular campaign and trickles out to other threat actors, but, by that time a patch is available for the vulnerability. This distribution model used in this IE 0day is designed for maximum impact as a wide variety of operators are able conduct attacks against their own targets of interest while no patch is available for the vulnerability.

With additional text from Senior threat researcher Jessa dela Torre

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Watering Holes and Zero-Day Attacks

Read more: Watering Holes and Zero-Day Attacks

Incoming search terms

Story added 23. October 2012, content source with full text you can find at link above.