Attackers managed to load malware onto the website of a prominent company involved in the development of simulation and systems engineering software widely used within the automotive, aerospace and manufacturing industries.
These types of attacks are referred to as watering holes because, like a predator waiting passively near a water source to ambush prey, attackers compromise a site likely frequented by their intended victim. When the target visits the compromised site, the visitor's machine is infected with malware designed to pilfer intellectual property or establish a presence within a targeted network.
After infection, Blasco writes that Scanbox checks the compromised machine for the website referer, User-Agent, Location, Cookie, Title (to identify the specific content that the victim is visiting), Domain, Charset, Screen width and height, Operating System, and Language. Before transmitting this data to the command and control server, Scanbox encodes and encrypts the acquired data.
Blasco says the recon tool also contains a number of additional plugins designed to steal other valuable data.
“While the user is browsing the compromised website, all keystrokes are being recorded and sent to the C&C periodically,” Blasco writes. “It will also send keystrokes when the user submits web forms that can potentially include passwords and other sensitive data.”
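As an added illustration, not code from the original article or from Blasco's report, the Python script below shows the kind of check a site owner can run against their own pages to catch the injection step of a watering-hole compromise like the one described above: it parses a page's HTML and flags any external `<script>` source outside an allowlist of expected hosts, any inline script not registered as known-good, and inline scripts that register keystroke listeners of the sort Scanbox's keylogging plugin depends on. The allowlist, the known-inline set, the host names and the sample page are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the site owner legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-vendor.com", "cdn.example-vendor.com"}

# Constructed set of inline scripts that are known to belong to the site.
# In practice this would be a set of hashes taken from a clean baseline.
KNOWN_INLINE = {"window.dataLayer = window.dataLayer || [];"}

# Substrings that suggest an inline script is hooking keyboard input.
KEYSTROKE_MARKERS = ("keydown", "keypress", "keyup", "onkey")


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= on <script> tags
        self.inline = []     # bodies of <script> tags without src=
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lowercases tag names
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data; buffer it.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def audit_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, known_inline=KNOWN_INLINE):
    """Return a list of (finding_kind, evidence) tuples for suspicious scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []

    for src in parser.external:
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # a purely relative path has no hostname and is served by the site itself.
        host = urlparse(src).hostname
        if host is None:
            continue
        if host not in allowed_hosts:
            findings.append(("unexpected_external_script", src))

    for body in parser.inline:
        if body in known_inline:
            continue
        lowered = body.lower()
        if any(marker in lowered for marker in KEYSTROKE_MARKERS):
            findings.append(("keystroke_listener_inline", body[:80]))
        else:
            findings.append(("unregistered_inline_script", body[:80]))

    return findings


# Constructed sample page: one legitimate external script, one known inline
# script, one injected script from an unknown host, and one injected inline
# script that registers a keyboard listener.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-vendor.com/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="//static.attacker-placeholder.example/recon.js"></script>
<script>
document.addEventListener("keydown", capture);
</script>
</head><body></body></html>"""


if __name__ == "__main__":
    for kind, evidence in audit_page(SAMPLE_PAGE):
        print(f"{kind}: {evidence}")
```

Running this on a copy of every page of the site, on a schedule, and diffing the output against the previous run gives a cheap tripwire for injected script tags; the allowlist and known-inline baseline must be rebuilt whenever the site legitimately changes.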