On March 16th, we discovered a premeditated waterhole campaign that hosts exploits and malware on websites frequented by a specific target group. In this case the target includes Chinese dissidents. For the attacker, this approach is highly attractive since it is very difficult to discover the attacker’s identity. Moreover, this attack is a form of social engineering, leveraging the fact that the target group visits specific websites. By exploiting these “watering holes” the attacker benefits by investing little time in targeting.
This attack exploits a fresh vulnerability (CVE-2013-1288, MS13-021) in Internet Explorer 8—just four days after Microsoft released a patch. Why did attackers use a fresh vulnerability? Cost could be a factor. Zero-days tend to be expensive to either research or purchase on black markets.
We found this exploit being employed in attacks on two hacked Chinese news websites known to promote dissidence against the Chinese government. This is clearly a targeted attack on a very narrow portion of the Chinese populous. However, since cyber attackers are quick copycats, we expect this exploit to be replicated quickly. For this reason, anyone using IE 8 must install a patch immediately or upgrade their browser to new versions. Today, according to W3Schools.com, IE is the third most popular browser with about 15% market share. In addition, IE 8 is used by half of all IE users.
Based on the similarity in TTPs (Tools, Techniques, and Procedures), we believe the threat actor is the same as the one behind previous watering hole attacks targeting activists and people with certain political affiliations. In the past this campaign has used various hacked websites such as the Council on Foreign Relations or CFR, Reporters Without Borders, and a leading American university (that we cannot name).
In general, based on our observations, this watering hole attack is like many others we have observed: highly targeted and hard to trace—indicative of a very sophisticated attacker. Why? The attack:
- Used hacked websites to deliver the exploit to targeted groups of people. In this case it particularly targets certain group of Chinese speaking people.
- Used hacked website to host exploit code and malware payload, and also second stage of payload, which makes it very hard to trace the origin of the attack.
- Takes tremendous effort to compromise websites relevant to the target group. It would require knowledge of web application security.
- Leverages the zero-day exploits and fresh exploits.
- Was multi-stage, and the second stage of payload is encrypted and downloaded from a 404-like response page, and is injected dynamically. Once they shut down the operation, it’s hard to trace the attacker’s intention.
The exploit code is hosted on a hacked religious website. This site hosts both IE (CVE-2013-1288) and Java exploits (CVE-2013-0422, CVE-2011-3544). On mining our database we found that the web server has a history of hosting malware. We will focus on the chain of execution for the exploit. The first part of the exploit checks the language of browser, and constructs two separate ROP chains for English and Chinese languages as shown in Figure 2. The second part of the exploit is obfuscated and it triggers the vulnerability. Upon successful exploitation it will download a file dd.exe from the same server and execute it.
The file dd.exe (651fad35d276e5dedc56dfe7f3b5f125) is the stage 1 payload and makes the request show in in Figure 3. The response to this request is a HTML page. In the case of Java exploit we found it serving 9ac8277b848496b28279f57cb959e2fb.
The HTML page displays a page not found message repeatedly using a script on the page if opened in the browser.
Interestingly the html page returned also contains Base64 encoded data within a script tag, which is in fact the stage 2 payload. This Base64 encoded data is decrypted and written to %AppData%\network.inf. The decoded file is read in another part of the code and is subject to further transformations. The first 68 bytes of this the decoded data contains the decryption routine shown in Figure 5. It uses a rolling byte XOR decryption scheme and applies it to the data starting at offset 69. The decrypted data is position independent code, which is injected into an instance of iexplorer.exe launched in suspended state.
This injected second stage payload is a Backdoor PoisonIvy RAT also discovered in other similar watering hole campaigns. This code attempts to connect to a remote server in Hong Kong over port 443. It uses a dynamic DNS provider with the hostname dd.tc.ikwb.com, which translates to 126.96.36.199. The server is not responding at the time of analysis. We found other domains associated with this IP address on robtex.com as shown in Figure 6.
Similarity to previous watering hole campaigns:
Let us examine the techniques and code used in the current campaign and correlate it with previous attacks. It sets a cookie and forwards to the appropriate exploit page based on the version of the browser as shown in the code snippet below. This same cookie was found being set in earlier campaigns as well.
When we examine the Java exploit chain of execution we noticed that the code is similar and it re-uses the same naming convention, namely “AppletHigh.jar” and “AppletLow.jar” as shown in the code snippet below. The classnames and vulnerabilities used are also the same.
The exploit traffic for three different campaigns is shown in Table 1. It is evident right away that there are similarities in the URI scheme and the exploit naming convention for Java attacks for the U.S. university and Chinese news site attacks. They both use AppletHigh.jar and AppletLow.jar.
As also noted by Jindrich Kubec and Eric Romang on their blog, today.swf from CFR attack was replaced by logo1229.swf. Similarly, news.html was replaced by DOITYOUR02.html and robots.txt was replaced by DOITYOUR01.txt. This establishes the similarity between the U.S. university attacks and the CFR attack.
In summary, the previous watering hole campaigns have the following similarities with the current attack:
- The websites used for watering hole and hosting payloads are always compromised sites.
- It sets a cookie with 1 day expiration and the name 'Somethingbbbbb'.
- It checks the browser and its version.
- If the browser is Internet Explorer and IE8, it delivers exploit targeting IE8(CVE-2013-1288) otherwise it triggers a java exploit based on the java version installed.
- It uses similar naming conventions for exploit files. For example, if the java version is 7 or above it serves CVE-2013-0422 through AppletHigh.jar and else it serves CVE-2011-3544 through AppletLow.jar.
- The URI patterns are similar across campaigns.
- Similar RAT payloads were used in previous campaigns.
Our very own Darien Kindlund has done a detailed study on such premeditated watering hole attacks and mitigation strategies, which is a good read.
We want to acknowledge Microsoft’s MAPP program for sharing intelligence with partners and helping us protect our customers.