On March 16th, we discovered a premeditated waterhole campaign that
hosts exploits and malware on websites frequented by a specific target
group. In this case the target includes Chinese dissidents. For the
attacker, this approach is highly attractive since it is very
difficult to discover the attacker’s identity. Moreover, this attack
is a form of social engineering, leveraging the fact that the target
group visits specific websites. By exploiting these “watering holes”
the attacker benefits by investing little time in targeting.
This attack exploits a fresh vulnerability (CVE-2013-1288,
in Internet Explorer 8—just four days after Microsoft released a
patch. Why did attackers use a fresh vulnerability? Cost could be a
factor. Zero-days tend to be expensive to either research or purchase
on black markets.
We found this exploit being employed in attacks on two hacked
Chinese news websites known to promote dissidence against the Chinese
government. This is clearly a targeted attack on a very narrow portion
of the Chinese populace. However, since cyber attackers are quick
copycats, we expect this exploit to be replicated quickly. For this
reason, anyone using IE 8 must install the patch immediately or upgrade
their browser to a newer version. Today, according to W3Schools.com,
IE is the third most popular browser with about 15% market share. In
addition, IE 8 is used by half of all IE users.
Based on the similarity in TTPs (Tools, Techniques, and Procedures),
we believe the threat actor is the same as the one behind previous
watering hole attacks targeting activists and people with certain
political affiliations. In the past this campaign has used various
hacked websites such as the Council on Foreign Relations or CFR,
Without Borders, and a leading American university (that we
In general, based on our observations, this watering hole attack is
like many others we have observed: highly targeted and hard to
trace—indicative of a very sophisticated attacker. Why? The attack:
- Used hacked websites to deliver the exploit to targeted groups
of people. In this case it particularly targets a certain group of
Chinese-speaking people.
- Used a hacked website to host the exploit code, the malware payload,
and the second-stage payload, which makes it very hard to trace the
origin of the attack.
- Takes tremendous effort to compromise websites relevant to the
target group. It would require knowledge of web application
- Leverages the zero-day exploits and fresh
- Was multi-stage: the second-stage payload is encrypted, downloaded
from a 404-like response page, and injected dynamically. Once the
attackers shut down the operation, it is hard to trace their
intention.
The exploit code is hosted on a hacked religious website. This
site hosts both IE (CVE-2013-1288)
and Java exploits (CVE-2013-0422,
On mining our database we found that the web server has a history of
hosting malware. We will focus on the chain of execution for the
exploit. The first part of the exploit checks the language of the
browser and constructs two separate ROP chains for English and Chinese
languages, as shown in Figure 2. The second part of the exploit is
obfuscated and it triggers the vulnerability. Upon successful
exploitation it will download a file dd.exe from the same server and
The file dd.exe (651fad35d276e5dedc56dfe7f3b5f125) is the stage 1
payload and makes the request shown in Figure 3. The response to
this request is an HTML page. In the case of Java exploit we found it
If opened in a browser, the HTML page repeatedly displays a "page not
found" message using a script on the page.
Interestingly, the HTML page returned also contains Base64-encoded
data within a script tag, which is in fact the stage 2 payload. This
Base64-encoded data is decoded and written to %AppData%network.inf.
The decoded file is read in another part of the code and is subject to
further transformations. The first 68 bytes of the decoded data
contain the decryption routine shown in Figure 5. It uses a rolling
byte XOR decryption scheme and applies it to the data starting at
offset 69. The decrypted data is position independent code, which is
injected into an instance of iexplorer.exe launched in suspended state.
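As an added example, not code from the original analysis: a Python check that inspects an HTTP response for the delivery pattern described above, an error-looking page whose script tag carries a large Base64 blob that decodes to high-entropy data. The function names, the 256-character and entropy thresholds, and the sample page are assumptions made for this example.

```python
import base64
import math
import re
from html.parser import HTMLParser

B64_RUN = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")  # long unbroken Base64 run

class ScriptText(HTMLParser):
    """Collect only the text that sits inside <script> elements."""
    def __init__(self):
        super().__init__()
        self.in_script, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8 indicate encrypted or packed content."""
    n = len(data)
    return sum(data.count(b) / n * math.log2(n / data.count(b)) for b in set(data))

def inspect_response(status: int, body: str, min_entropy: float = 6.0) -> dict:
    """Flag an error-looking page whose script carries a large opaque blob."""
    parser = ScriptText()
    parser.feed(body)
    parser.close()
    blobs = []
    for run in B64_RUN.findall("".join(parser.chunks)):
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:  # wrong length or padding, so not real Base64
            continue
        blobs.append({"decoded_len": len(raw), "entropy": round(shannon_entropy(raw), 2)})
    error_like = status == 404 or "not found" in body.lower()
    opaque = any(b["entropy"] >= min_entropy for b in blobs)
    return {"error_like": error_like, "blobs": blobs, "suspicious": error_like and opaque}

# Constructed stand-in for an encrypted payload (not the real sample): 1024 bytes.
SAMPLE_BLOB = bytes((i * 197 + 13) % 256 for i in range(1024))
SAMPLE_PAGE = ("<html><body><script>document.write('404 Not Found');var d=\""
               + base64.b64encode(SAMPLE_BLOB).decode() + "\";</script></body></html>")

if __name__ == "__main__":
    print(inspect_response(200, SAMPLE_PAGE))
```

The entropy threshold keeps ordinary inline Base64 text from matching; tune it and the run length against your own traffic before alerting on it.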
This injected second-stage payload is a Backdoor PoisonIvy RAT, also
discovered in other similar watering hole campaigns. This code
attempts to connect to a remote server in Hong Kong over port 443. It
uses a dynamic DNS provider with the hostname dd.tc.ikwb.com, which
resolves to 188.8.131.52. The server was not responding at the time
of analysis. We found other domains associated with this IP address on
robtex.com as shown in Figure 6.
Similarity to previous watering hole campaigns:
Let us examine the techniques and code used in the current campaign
and correlate them with previous attacks. The attack code sets a cookie
and forwards the visitor to the appropriate exploit page based on the
version of the browser, as shown in the code snippet below. This same
cookie was found being set in earlier campaigns as well.
When we examined the Java exploit chain of execution, we noticed that
the code is similar and re-uses the same naming convention, namely
“AppletHigh.jar” and “AppletLow.jar”, as shown in the code snippet
below. The class names and vulnerabilities used are also the same.
The exploit traffic for three different campaigns is shown in Table
1. It is evident right away that there are similarities in the URI
scheme and the exploit naming convention for Java attacks for the U.S.
university and Chinese news site attacks. They both use AppletHigh.jar
As also noted by Jindrich Kubec and Eric Romang on their blog,
today.swf from the CFR attack was replaced by logo1229.swf. Similarly,
news.html was replaced by DOITYOUR02.html and robots.txt was replaced
by DOITYOUR01.txt. This establishes the similarity between the U.S.
university attacks and the CFR attack.
In summary, the previous watering hole campaigns have the following
similarities with the current attack:
- The websites used as watering holes and for hosting payloads are
always compromised sites.
- It sets a cookie with a 1 day expiration and the name
‘Somethingbbbbb’.
- It checks the browser and its version.
- If the browser is Internet Explorer and IE8, it delivers an exploit
targeting IE8 (CVE-2013-1288); otherwise it triggers a Java exploit
based on the Java version.
- It uses similar naming conventions for exploit files. For example,
if the Java version is 7 or above it serves CVE-2013-0422 through
AppletHigh.jar; otherwise it serves CVE-2011-3544 through
AppletLow.jar.
- The URI patterns are similar across campaigns.
- Similar RAT payloads were used in previous campaigns.
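An added example, not from the original analysis, showing how the shared traits listed above can be correlated in web proxy logs: the cookie name, the AppletHigh.jar/AppletLow.jar fetch, an .exe download from the same server, and a connection to the reported callback host. The five-field log format (epoch, client, host, URI, cookie), the 300-second window and the sample lines are assumptions.

```python
import re
from collections import defaultdict

COOKIE_NAME = "Somethingbbbbb"                # cookie name reported above
JAR = re.compile(r"/Applet(High|Low)\.jar$")  # Java exploit file names reported above
C2_HOST = "dd.tc.ikwb.com"                    # stage 2 callback host reported above
WINDOW = 300  # assumed: seconds allowed between exploit fetch and payload fetch

def hunt(lines):
    """Return {client: [stages in the order first seen]} for clients with any hit."""
    state = defaultdict(dict)  # client -> {stage: (timestamp, host)}
    for line in lines:
        ts, client, host, uri, cookie = line.split()
        ts, host, path = int(ts), host.split(":")[0].lower(), uri.split("?")[0]
        seen = state[client]
        if COOKIE_NAME + "=" in cookie:
            seen.setdefault("cookie", (ts, host))
        if JAR.search(path):
            seen.setdefault("java_exploit", (ts, host))
        if path.lower().endswith(".exe") and "java_exploit" in seen:
            jar_ts, jar_host = seen["java_exploit"]
            # The page reports the payload coming from the same server as the exploit.
            if host == jar_host and 0 <= ts - jar_ts <= WINDOW:
                seen.setdefault("payload", (ts, host))
        if host == C2_HOST:
            seen.setdefault("c2", (ts, host))
    return {client: list(stages) for client, stages in state.items() if stages}

# Constructed log lines: site names, client addresses and any path other than
# the .jar names and dd.exe are placeholders.
SAMPLE_LOG = [
    "1363400000 10.0.0.5 exploit-host.example /index.html Somethingbbbbb=1",
    "1363400002 10.0.0.5 exploit-host.example /AppletHigh.jar Somethingbbbbb=1",
    "1363400010 10.0.0.5 exploit-host.example /dd.exe -",
    "1363400030 10.0.0.5 dd.tc.ikwb.com:443 - -",
    "1363400100 10.0.0.7 exploit-host.example /AppletLow.jar Somethingbbbbb=1",
    "1363400200 10.0.0.9 vendor.example /setup.exe -",
]

if __name__ == "__main__":
    for client, stages in hunt(SAMPLE_LOG).items():
        print(client, " -> ".join(stages))
```

A client that reaches the "payload" or "c2" stage warrants host triage; one that stops at "java_exploit" was exposed but may have been patched.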
Our very own Darien Kindlund has done a detailed
study on such premeditated watering hole attacks and mitigation
strategies, which is a good read.
We want to acknowledge Microsoft’s MAPP
program for sharing intelligence with partners and helping us protect