Compared with classic phishing and social engineering attacks, watering hole attacks are seldom given much attention by cybersecurity news sites. That is a gap in coverage we want to help close: contrary to the popular notion that such campaigns are rare, they are a common occurrence that simply receives less coverage than more dramatic stories about ransomware, crypto mining, and banking trojan infections.
Who the victims are also determines whether a story gets picked up by the mainstream media and the popular cybersecurity news sites. We do not filter on who the victims are or where they are located, as long as the story helps our readers understand the global cybersecurity climate. This time we look at a watering hole exploit campaign, now roughly three years old and still active, that targets Chinese-speaking computer users, based on research published by Fortinet.
A watering hole attack compromises a website that a specific group of people, defined by a shared interest, trait, language or hobby, is known to visit, so that the group is infected without the attacker contacting any of them directly. The campaign, which started in 2017, targets Chinese speakers living outside mainland China. U.S.-based Chinese-language news sites built to serve that audience were hacked, and the attackers injected phishing links into their pages, including bogus contact details placed where readers would expect to find the site administrators' contact information.
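As an added example (not from Fortinet's report and not the compromised site's real content), the following Python script audits a saved copy of a page for the three kinds of tampering described above: script tags loading from hosts the site does not normally use, links whose visible text names one host while the href goes to another, and contact addresses on a domain other than the site's own. The hostnames, the script allowlist and the page content are assumptions constructed for the demonstration.

```python
"""Audit a saved web page for injected scripts, deceptive links and off-domain
contact addresses. Added example; the HTML below is constructed and the hosts
are assumptions, not the compromised news site's real content."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "news.example"              # assumed hostname of the site being audited
ALLOWED_SCRIPT_HOSTS = {"cdn.example"}  # assumed legitimate third-party script host
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$")  # anchor text that looks like a host/URL

SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="http://203.0.113.66/stat.js"></script>
</head><body>
<a href="/">Home</a>
<a href="http://203.0.113.66/login">news.example/login</a>
<a href="mailto:admin@news.example">Contact the editors</a>
<a href="mailto:webmaster@mail-relay.example">Contact the webmaster</a>
</body></html>"""


class InjectionAudit(HTMLParser):
    def __init__(self, site_host, allowed_script_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_script_hosts} | {self.site_host}
        self.findings = []   # (kind, detail) tuples in document order
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # a relative src is served by the site itself, so it counts as the site host
            host = (urlparse(a["src"]).hostname or self.site_host).lower()
            if host not in self.allowed:
                self.findings.append(("script from unexpected host", a["src"]))
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        href, text = self._href, "".join(self._text).strip()
        self._href = None
        if href.lower().startswith("mailto:"):
            domain = href[7:].split("?")[0].rsplit("@", 1)[-1].lower()
            if domain != self.site_host:
                self.findings.append(("contact address off-domain", href))
        elif URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            actual = urlparse(href).hostname
            if shown and actual and shown.lower() != actual.lower():
                self.findings.append(("link text/host mismatch", f"{text} -> {href}"))


def audit_html(html, site_host=SITE_HOST, allowed_script_hosts=ALLOWED_SCRIPT_HOSTS):
    """Run the audit over one page and return its findings."""
    parser = InjectionAudit(site_host, allowed_script_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

The mailto check compares the address domain with the site host exactly, so a site that serves pages from www.news.example but uses @news.example addresses needs that pair added to the comparison; the script allowlist likewise has to be seeded from a known-good crawl of the site, because a CDN or analytics host that is legitimate for one site is an injection on another.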
The intrusions relied on two vulnerabilities for which patches are available but which remained unpatched on the victims' machines: CVE-2017-11882, a memory corruption bug in the Microsoft Office Equation Editor that is typically triggered from a crafted RTF document, and CVE-2018-20250, a path traversal flaw in the ACE extraction code shipped with WinRAR that lets a malicious archive write a file to a path of the attacker's choosing, such as the Windows Startup folder. In the WinRAR case the payload is a legitimate-looking file infected with the Sality malware, which injects itself into executables. Running the payload leads to an invocation of regsvr32.exe, which makes the computer connect to the malware's command and control server 154.222.140[.]49. From there additional modules are downloaded, including the Sality backdoor code, which is a full-fledged backdoor in its own right.
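The two lure formats lend themselves to a quick offline triage check. The Python script below, an added example rather than Fortinet's tooling, flags RTF files that embed an Equation Editor OLE object (the component CVE-2017-11882 lives in) and ACE archives whose entry names would escape the extraction directory (the CVE-2018-20250 pattern, which also catches ACE files renamed to .rar). It builds its own minimal ACE archive and RTF snippets as constructed test input; the Equation Editor CLSID and the traversal-style entry name come from public knowledge of the two bugs, and nothing here is taken from the campaign's files.

```python
"""Offline triage for the two lure formats named above. Added example, not
Fortinet's code; the archive and RTF samples are constructed here."""
import re
import struct

ACE_SIGN = b"**ACE**"
# {0002CE02-0000-0000-C000-000000000046}, the Equation Editor CLSID, as it is
# serialized little-endian inside the hex-encoded \objdata stream of an RTF
EQNEDT_CLSID_HEX = "02CE020000000000C000000000000046"
TRAVERSAL = re.compile(r"^[A-Za-z]:|^[\\/]|\.\.[\\/]")  # drive prefix, absolute path, or ../ climb
# constructed entry name in the shape CVE-2018-20250 exploits used: a drive
# prefix the vulnerable path cleaner strips, followed by ../ to climb out
EVIL_NAME = r"C:\C:C:../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe"

SAMPLE_RTF = (r"{\rtf1{\object\objemb{\*\objclass Equation.3}"
              r"{\*\objdata 01050000020000000b000000457175" + EQNEDT_CLSID_HEX + "}}}")
# class name mangled with an RTF escape (Equ\'61tion), CLSID still present in the object data
SAMPLE_RTF_OBFUSCATED = (r"{\rtf1{\object\objemb{\*\objclass Equ\'61tion.3}"
                         r"{\*\objdata 0105 0000 0200 0000 " + EQNEDT_CLSID_HEX.lower() + "}}}")


def build_ace_archive(names, data=b"MZ"):
    """Constructed, stored-only ACE archive with one entry per name. Each header is
    HEAD_CRC (2), HEAD_SIZE (2), then HEAD_SIZE bytes of body; CRCs are zeroed
    because the scanner never checks them."""
    main = struct.pack("<BH", 0, 0) + ACE_SIGN + struct.pack("<BBBBI", 20, 20, 0, 0, 0) + bytes(8)
    out = struct.pack("<HH", 0, len(main)) + main
    for name in names:
        fname = name.encode("cp437")
        body = struct.pack("<BH", 1, 0x0001)                      # file header, ADDSIZE flag set
        body += struct.pack("<IIIIII", len(data), len(data), 0, 0x20, 0, 0)  # pack/orig size, time, attr, crc, tech
        body += struct.pack("<HH", 0, len(fname)) + fname         # reserved, FNAME_SIZE, FNAME
        out += struct.pack("<HH", 0, len(body)) + body + data     # packed data follows the header
    return out


def ace_entry_names(blob):
    """Walk the header chain and return every stored entry name."""
    if blob[7:14] != ACE_SIGN:                                    # signature sits at file offset 7
        raise ValueError("not an ACE archive: **ACE** signature missing")
    names, pos = [], 0
    while pos + 4 <= len(blob):
        head_size = struct.unpack_from("<H", blob, pos + 2)[0]
        hdr = blob[pos + 4:pos + 4 + head_size]
        if len(hdr) < 3:
            raise ValueError("truncated header")
        htype, flags = hdr[0], struct.unpack_from("<H", hdr, 1)[0]
        add_size = struct.unpack_from("<I", hdr, 3)[0] if flags & 0x0001 else 0
        if htype == 1:                                            # file header
            fname_size = struct.unpack_from("<H", hdr, 29)[0]
            names.append(hdr[31:31 + fname_size].decode("cp437", "replace"))
        pos += 4 + head_size + add_size                           # skip header plus its packed data
    return names


def suspicious_ace_entries(blob):
    """Entry names that an unpatched extractor would write outside the target directory."""
    return [n for n in ace_entry_names(blob) if TRAVERSAL.search(n)]


def rtf_has_equation_object(rtf_text):
    """True if the RTF embeds an Equation Editor OLE object, matched on the declared
    class name or, failing that, on the CLSID inside the hex \\objdata stream."""
    if re.search(r"\\objclass\s*Equation", rtf_text, re.I):
        return True
    for m in re.finditer(r"\\objdata\s*([0-9A-Fa-f\s]+)", rtf_text):
        if EQNEDT_CLSID_HEX in re.sub(r"\s", "", m.group(1)).upper():
            return True
    return False


if __name__ == "__main__":
    print(suspicious_ace_entries(build_ace_archive(["readme.txt", EVIL_NAME])))
    print(rtf_has_equation_object(SAMPLE_RTF), rtf_has_equation_object(SAMPLE_RTF_OBFUSCATED))
```

Two design points: the ACE check keys on the signature at offset 7 rather than on the file extension, because the WinRAR exploits circulated as .rar files that were really ACE archives; and the RTF check does not stop at `\objclass`, because lures routinely mangle the class name with RTF escapes while the CLSID in the object data has to stay intact for Office to load the object.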
According to Yue-Ting Chen, writing on Fortinet's official blog, the Sality backdoor has the following capabilities:
- Collects system information
- Collects disk hardware information
- Collects a directory list under a specific directory
- Collects a file list in a specific directory
- Collects an installed program list
- Collects a processes list
- Collects data from other applications, such as Skype, Fetion, SogouInput, SogouDesktopBar, etc.
- Collects network adapter information
- Searches for files
- Collects screenshots
- Creates a reverse shell
- Downloads files
- Computes the MD5 hash of a collected file
- Collects clipboard text
- Collects CPU information
“FortiGuard Labs investigated a campaign centered around a hacked Chinese news site. Threat actor(s) hacked the news website and injected fake links. A phishing link was also injected onto the same website. As of the time of this writing, its dynamically loaded malicious script is still running. The backdoor malware used in this campaign has been seen in the wild since 2017, and samples use regular Chinese application names,” explained the report.
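For defenders, the most durable signal in the chain described earlier is the behaviour of regsvr32.exe rather than the C2 address, which can change at any time. The script below, an added example not drawn from Fortinet's report, runs three checks over Sysmon-style events exported as JSON lines: any connection to the listed C2 address, regsvr32.exe connecting to anything outside the internal address ranges, and regsvr32.exe started by the Equation Editor process (EQNEDT32.EXE, the process a CVE-2017-11882 exploit runs in). The event lines, file paths, command lines and internal ranges are constructed assumptions; only the C2 address comes from the report.

```python
"""Hunt for regsvr32.exe-to-C2 behaviour in Sysmon-style events (ID 3 network
connection, ID 1 process creation) exported as JSON lines. Added example; the
events are constructed and only the C2 address is taken from the report."""
import ipaddress
import json

C2_INDICATORS = {"154.222.140.49"}   # 154.222.140[.]49 from the report, refanged
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]  # assumed site ranges

SAMPLE_EVENTS = [  # constructed events; paths, ports and hosts are illustrative only
    r'{"EventID":3,"Image":"C:\\Windows\\System32\\regsvr32.exe","DestinationIp":"154.222.140.49","DestinationPort":443}',
    r'{"EventID":3,"Image":"C:\\Windows\\System32\\regsvr32.exe","DestinationIp":"10.0.0.5","DestinationPort":445}',
    r'{"EventID":3,"Image":"C:\\Windows\\SysWOW64\\regsvr32.exe","DestinationIp":"203.0.113.7","DestinationPort":80}',
    r'{"EventID":3,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationIp":"154.222.140.49","DestinationPort":443}',
    r'{"EventID":3,"Image":"C:\\Windows\\System32\\svchost.exe","DestinationIp":"203.0.113.9","DestinationPort":443}',
    r'{"EventID":1,"Image":"C:\\Windows\\SysWOW64\\regsvr32.exe","ParentImage":"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE","CommandLine":"regsvr32 /s C:\\Users\\Public\\update.dll"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\regsvr32.exe","ParentImage":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"regsvr32 /s vendor.dll"}',
]


def basename(path):
    """Lower-cased file name of a Windows path (handles either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev):
    """Return a reason string if the event deserves an analyst's attention, else None."""
    image = basename(ev.get("Image", ""))
    if ev.get("EventID") == 3:
        dst = ev["DestinationIp"]
        if dst in C2_INDICATORS:
            return "connection to known C2 indicator"
        if image == "regsvr32.exe" and not is_internal(dst):
            return "regsvr32.exe outbound to a non-internal address"
    elif ev.get("EventID") == 1:
        if image == "regsvr32.exe" and basename(ev.get("ParentImage", "")) == "eqnedt32.exe":
            return "regsvr32.exe spawned by Equation Editor"
    return None


def hunt(lines):
    """Parse JSON event lines and return (reason, image, peer) for each hit, in order."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        reason = classify(ev)
        if reason:
            peer = ev.get("DestinationIp") or basename(ev.get("ParentImage", ""))
            hits.append((reason, basename(ev["Image"]), peer))
    return hits


if __name__ == "__main__":
    for reason, image, peer in hunt(SAMPLE_EVENTS):
        print(f"{reason}: {image} -> {peer}")
```

The indicator match is the weakest of the three rules, since a C2 address is trivially rotated; the two behavioural rules survive that, and the Equation Editor parent rule fires on any document-borne exploit of that component regardless of what it launches. Tune INTERNAL_NETS to the environment before relying on the outbound rule, and expect a small baseline of legitimate regsvr32.exe connections from installers that register components fetched over the network.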
Command and control servers used by the Sality malware (do not visit them; the pages below may trigger an infection):