Attackers managed to load malware onto the website of a prominent company involved in the development of simulation and systems engineering software widely used within the automotive, aerospace and manufacturing industries.
These types of attacks are referred to as watering holes because, like a predator waiting passively near a water source to ambush prey, attackers compromise a site likely frequented by their intended victim. When the target visits the compromised site, he is infected with malware designed to pilfer intellectual property or establish a presence within a targeted network.
According to an Alien Vault report penned by Jaimie Blasco, attackers compromised the unnamed website with a string of code that would load a malicious Javascript file onto the machines of visitors from a remote server. Contained within that file is a reconnaissance tool known as “Scanbox.”
After infection, Blacsco writes that Scanbox checks the compromised machine for the website referer, User-Agent, Location, Cookie, Title (to identify specific content that the victim is visiting), Domain, CharsetScreen, width and height, Operating System, and Language. Before transmitting this data along to the command and control server, Scanbox encodes and encrypts the acquired data.
Blasco says the recon tool also contains a number of additional plugins designed to steal other valuable data.
One plugin checks to see which software – security software in particular – and what version of Microsoft’s enhanced mitigation experience toolkit are present on an infected machine. Other plugins enumerate Adobe Flash, Microsoft Office, Adobe Reader and Java versions respectively. Yet another plugin is a Javascript based keylogger.
“While the user is browsing the compromised website, all keystrokes are being recorded and sent to the C&C periodically,” Blasco writes. “It will also send keystrokes when the user submits web forms that can potentially include passwords and other sensitive data.”