[AVTOKYO 2019] Find the Right Target: Recent Watering-Hole Attack Case Study and Analysis

In our presentation, we would like to talk about a recent attack perpetrated against Chinese-speaking targets using a watering-hole attack. In April 2019, while monitoring a Trojan targeting Chinese users, we began to observe a Chinese news website being used in a watering-hole attack. Our presentation will dig deeply into the infection chain and the actor's activities in this recent case. The criminals behind this attack decided to use this site, despite it being banned by the Chinese government, and equipped it with different malicious contents, such as web shells, phishing links and even full-blown malware. This campaign used a custom Trojan, delivered by different exploit files posing as normal documents. During the domain analysis, we found out that one of the C2 IPs is also used by another ongoing Android mobile malware campaign targeting Chinese speakers, which deploys a malicious ELF binary inside the APK file. The actor behind those campaigns abused different legitimate Chinese ISPs as C2 servers for his malware, covering both Windows and Android. Our analysis provides the infection chain of a watering-hole attack and the actor's activities to steal information from Chinese speakers. We will dig more deeply to identify the actor and the actor's purpose.

References

http://en.avtokyo.org/avtokyo2019/speakers#YuehTing_Chen