The compromised website was first discovered by a malware hunter who goes by the Twitter handle @PhysicalDrive0.
Michael Gorelik and Assaf Kachlon, security researchers from Morphisec Labs, investigated the issue and found that the company's corporate site had been hacked: the attackers injected an embedded Adobe Flash file that exploits the CVE-2018-4878 Flash vulnerability.
“The watering hole attack Morphisec investigated exhibited very advanced evasive characteristics – the attack was purely fileless, without persistence or any trace on the disk, and used a custom protocol on a non-filtered port. Generally, this advanced type of watering hole attack is highly targeted in nature and suggests that sophisticated threat actors are behind it,” Morphisec Labs said in its blog post.
Image of the compromised website with embedded code
The Flash exploit used in this attack is similar to previous attacks based on the CVE-2018-4878 Flash vulnerability; the difference lies in the shellcode that is executed after exploitation.
The shellcode executes rundll32.exe, a legitimate Windows process, and overwrites its memory with malicious code. That code then downloads additional code directly into the memory of the same rundll32 process, so nothing is written to disk.
The additional downloaded code includes Metasploit Meterpreter and Mimikatz modules. Most of the modules were compiled on February 15th, one week before the attack.
The researchers also said the C&C server used a custom protocol over port 443 to communicate with the victim.
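The chain above gives defenders a concrete correlation to hunt for: a rundll32.exe process spawned under a browser (where the Flash exploit runs) that then opens its own outbound connection on port 443, which legitimate rundll32 invocations rarely do. The following detector is an added example, not code from Morphisec's write-up; the Sysmon-style event shapes, the browser parent list, and the sample events are assumptions constructed for illustration.

```python
"""Correlate constructed Sysmon-like events (EventID 1 = process create,
EventID 3 = network connect) to flag rundll32.exe that was spawned by a
browser and later talked out on port 443. Added example; event layout and
browser list are assumptions, and all sample records are constructed."""

# Constructed sample events in chronological order.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "iexplore.exe"},
    # rundll32 launched under the browser with no DLL,entry argument.
    {"EventID": 1, "ProcessId": 5004, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe", "CommandLine": "rundll32.exe"},
    # ...and then reaching out on 443 from the injected process (203.0.113.10 is a documentation address).
    {"EventID": 3, "ProcessId": 5004, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign: rundll32 started by explorer for a Control Panel applet, no network activity.
    {"EventID": 1, "ProcessId": 6100, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    # Benign: the browser itself talking HTTPS.
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]

# Assumed set of browser / plugin-host images a Flash exploit would run inside.
BROWSER_IMAGES = {"iexplore.exe", "chrome.exe", "firefox.exe", "flashplayerplugin.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_rundll32(events):
    """Return (pid, parent_image, dest_ip, dest_port) for every rundll32.exe
    that a browser spawned and that subsequently opened an outbound connection."""
    candidates = {}  # pid -> parent image name, for rundll32 spawned by a browser
    alerts = []
    for ev in events:
        if ev["EventID"] == 1 and basename(ev["Image"]) == "rundll32.exe" \
                and basename(ev["ParentImage"]) in BROWSER_IMAGES:
            candidates[ev["ProcessId"]] = basename(ev["ParentImage"])
        elif ev["EventID"] == 3 and ev["ProcessId"] in candidates:
            alerts.append((ev["ProcessId"], candidates[ev["ProcessId"]],
                           ev["DestinationIp"], ev["DestinationPort"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rundll32(SAMPLE_EVENTS):
        print("ALERT: rundll32 pid %d (parent %s) connected to %s:%d" % alert)
```

Because the payload never touches disk, process-lineage and network telemetry of this kind is the main place the intrusion leaves a trace, so the correlation should run on endpoint logs rather than on file scans.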
Morphisec Labs alerted the company to the issue, and the malicious Flash file has been removed from the website.
The blog post concludes: “As our analysis shows, this watering hole attack is of advanced evasive nature. Being purely fileless, without persistence or any trace on the disk, and the use of a custom protocol on a non-filtered port, makes it a perfect stepping stone for a highly targeted attack chain. This clearly suggests that very advanced threat actors are responsible for it.”