2. The Content, Demonstration, Source Code and Programs
presented here is "AS IS" without any warranty or conditions
of any kind. Also the views/ideas/knowledge expressed here are
solely of the mine and nothing to do with the company or the
organization in which I am currently working.
However in no circumstances neither I or Cysinfo is
responsible for any damage or loss caused due to use or misuse
of the information presented here
4. Monnappa
Member of Cysinfo
Info Security Investigator @ Cisco
Reverse Engineering, Malware Analysis, Memory Forensics
Email: monnappa22@gmail.com
Twitter: @monnappa22
Linkedin: http://in.linkedin.com/pub/monnappa-ka-grem-ceh/42/45a/1b8
5. Image taken from: http://about-threats.trendmicro.com/RelatedThreats.aspx?language=au&name=Watering+Hole+101
6. Targeted attack posted by FireEye
http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-
compromises-us-veterans-of-foreign-wars-website.html
7.
8. The malicious html file checks for the presence of IE 10 with adobe flash. If the browser is IE 10 with flash installed then
it loads a malicious flash file (Tope.swf)
10. The image file downloaded is not a JPEG file (even though the extension is .jpg) but a PNG file, the below screenshot
shows the file header which confirms its be a PNG file
12. The end of the PNG file contains additional data, this embedded data is the xor encoded (with key 0x95) payload
starting at offset 0x8de1 (36321)
13. Simple script to extract and decode the additional content starting at offset 0x8de1 (36321).
14. Decoded content contains two embedded PE files. The below screenshot show the presence of first PE file at offset
0xc (12)
15. The below screenshot show the presence of second PE file at offset 0xA40C (41996)
16. Below snippet of code extracts the two PE files starting at offset 0xc (12) and 0xA40C (41996) and saves it to files
"malware1.bin" and "malware2.bin" respectively.
17. The first extracted PE file is a DLL and the Second PE file is a an EXE file (which is ZXShell
backdoor) as shown below.
18. Below screenshot shows the VirusTotal results for the sample (malware2.bin), which is a ZxShell
Backdoor
19. After executing the ZxShell Backdoor in the sandbox, the malware makes DNS queries to below
malicious domains and connect to it on port 443
