Kaspersky researchers discovered a watering-hole campaign targeting users in Asia since May 2019
More than 10 websites related to religion, volunteer programmes, charity and several other areas were compromised to selectively trigger a drive-by download attack that ends with a backdoor installed on the targets' devices. The attackers used a creative toolset that included distributing payloads through GitHub and reusing open-source code.
A watering hole is a targeted attack strategy in which attackers compromise websites their intended victims are likely to visit and wait for those visitors to pick up the planted malware. A user needs only to visit a compromised site to be exposed, which makes this type of attack easy to spread and therefore more dangerous. In the campaign Kaspersky researchers named Holy Water, watering holes were set up on websites belonging to individuals, public bodies, charities and various organizations.
This multi-stage watering-hole attack, built with an unsophisticated but creative toolset, is distinctive for how quickly it has evolved since its inception and for the wide range of tools it uses.
Upon visiting one of the watering-hole websites, a previously compromised resource loads an obfuscated malicious JavaScript that gathers information about the visitor. An external server then decides whether the visitor is a target. Only if the visitor is validated as a target does a second JavaScript stage load a plugin, which in turn triggers the download attack by showing a fake Adobe Flash update pop-up. Because the second stage is served only to visitors the server has validated, a scanner or analyst whose profile does not match the target criteria sees nothing beyond the first-stage fingerprinting script.
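The first stage depends on a script that the site owner never added. As an added example (not code from the Kaspersky report or from the campaign), the following Python checks a page's HTML for script tags that load from hosts outside an owner-maintained allow-list, and for inline scripts that carry common obfuscation markers or unusually high character entropy. The allow-list, the marker list, the entropy threshold and the sample HTML are all constructed assumptions for the example; a hit is a lead for review, not proof of compromise.

```python
import math
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed for the example).
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}

# Substrings common in packed or obfuscated JavaScript; a marker alone is a lead, not proof.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "atob(", "\\x")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payload blobs sit well above ordinary source."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class ScriptCollector(HTMLParser):
    """Gathers external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, entropy_threshold=5.0):
    """Return (finding_kind, detail) pairs for scripts a site owner should review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        # Absolute and protocol-relative URLs carry a host; same-origin paths do not.
        if host and host not in allowed_hosts:
            findings.append(("external-script-unexpected-host", src))
    for body in collector.inline:
        markers = [m for m in OBFUSCATION_MARKERS if m in body]
        entropy = shannon_entropy(body.strip())
        if markers or entropy >= entropy_threshold:
            findings.append(("inline-script-obfuscated", f"entropy={entropy:.2f} markers={markers}"))
    return findings


# Constructed page for the example: one allowed CDN script, one unexpected third-party
# script, one same-origin script, one ordinary inline script and one eval/atob blob.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
<script src="https://static.example.net/stats.js"></script>
<script src="/local/ui.js"></script>
<script>document.getElementById('x').textContent = 'hello';</script>
<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIm9rIik='));</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_HTML):
        print(kind, detail)
```

Run it against the HTML a server actually returns to an ordinary visitor, not the source in version control, since the injection happens on the compromised host; a diff between the two is the quickest way to see what was added.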
The visitor is then expected to fall for the update lure and download a malicious installer package that sets up a backdoor named 'Godlike12', giving the threat actor full remote access to the infected device: modifying files, harvesting confidential data, logging activity on the computer and more. Another backdoor, a modified version of the open-source Python backdoor Stitch, was also used in the attack. It provided classic backdoor functionality over a direct socket connection, exchanging AES-encrypted data with the remote server.
The fake Adobe Flash pop-up linked to an executable file hosted on github.com under the guise of a Flash update. GitHub disabled the repository on 14 February 2020 after Kaspersky reported it, breaking the campaign's infection chain. The repository had, however, been online for more than nine months, and thanks to GitHub's commit history the researchers were able to gain unique insight into the attacker's activity and tools.
This campaign stands out for its low-budget, not fully developed toolset, which was modified several times within a few months to add features such as using Google Drive as a C2 channel. Kaspersky characterizes the attack as likely the work of a small, agile team.
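Defenders who never see the watering-hole page itself can still look for the lure's footprint in their own proxy logs. The following Python is an added example, not Kaspersky's tooling: it flags executables fetched from code-hosting domains, rates those whose file name claims to be a Flash update as high severity, and lists the hosts the same client visited in the preceding ten minutes as watering-hole candidates. The log format, the domain list, the lookback window and every host, path and address in the sample are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Domains that serve arbitrary user-uploaded files (assumed list for the example).
CODE_HOSTING = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg")
LOOKBACK = timedelta(minutes=10)

# Constructed proxy log in the form "<iso-timestamp> <client> <method> <url> <status>".
# Every host, path and address is invented for the example.
SAMPLE_LOG = """\
2020-02-10T09:10:02Z 10.0.0.5 GET https://charity.example.org/ 200
2020-02-10T09:10:03Z 10.0.0.5 GET https://stats.example.net/lib.js 200
2020-02-10T09:10:41Z 10.0.0.5 GET https://github.com/example-user/example-repo/raw/master/flashplayer_update.exe 302
2020-02-10T09:10:42Z 10.0.0.5 GET https://raw.githubusercontent.com/example-user/example-repo/master/flashplayer_update.exe 200
2020-02-10T09:15:00Z 10.0.0.7 GET https://github.com/example-org/tool/releases/download/v1.0/tool.exe 200
2020-02-10T11:30:00Z 10.0.0.9 GET https://www.example.com/news 200
"""


def parse_log(text):
    """Parse the five-field log format above into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "url": url,
            "status": int(status),
            "host": urlparse(url).netloc.lower(),
        })
    events.sort(key=lambda e: e["time"])
    return events


def is_executable_download(event):
    """A completed (200) fetch of something named like an installer or executable."""
    path = urlparse(event["url"]).path.lower()
    return event["status"] == 200 and path.endswith(EXECUTABLE_SUFFIXES)


def hunt(text, lookback=LOOKBACK):
    """Flag executables pulled from code-hosting sites and the pages seen just before."""
    events = parse_log(text)
    by_client = defaultdict(list)
    for event in events:
        by_client[event["client"]].append(event)

    hits = []
    for event in events:
        if not (is_executable_download(event) and event["host"] in CODE_HOSTING):
            continue
        filename = urlparse(event["url"]).path.rsplit("/", 1)[-1]
        # A file name claiming to be a Flash update, served from a code-hosting site, is the
        # lure described above; any other executable from such a site is still worth a look.
        severity = "high" if "flash" in filename.lower() else "medium"
        preceding = sorted({
            e["host"] for e in by_client[event["client"]]
            if event["time"] - lookback <= e["time"] < event["time"]
            and e["host"] not in CODE_HOSTING
        })
        hits.append({
            "client": event["client"],
            "time": event["time"].isoformat(),
            "url": event["url"],
            "severity": severity,
            "preceding_hosts": preceding,
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["severity"], hit["client"], hit["url"], "after", hit["preceding_hosts"])
```

The redirect at 09:10:41 is deliberately left as a 302 so that only the completed fetch is counted once; the preceding-hosts list for that client then names the page that was visited seconds before the download, which is the candidate to pull and audit.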
Ivan Kwiatkowski, a senior security researcher at Kaspersky said, “Watering hole is an interesting strategy that delivers results using targeted attacks on specific groups of people. We were not able to witness any live attacks and thus could not determine the operational target. However, this campaign once again demonstrates why online privacy needs to be actively protected. Privacy risks are especially high when we consider various social groups and minorities because there are always actors that are interested in finding out more about such groups”.
To avoid falling victim to targeted attacks on organizations or persons, Kaspersky recommends the following:
- If possible, avoid using Adobe Flash Player. If you cannot, and you are asked to update it, check on the product's official website whether an update is actually available; most sites no longer use Flash, so an unsolicited update prompt most likely disguises something malicious.
- Use a VPN to mask your real IP address and location, which hides the network-level evidence of your association with a specific group. Note that a VPN does not alter what a page script can read from the browser itself, so it limits fingerprinting rather than preventing it.
- Choose a proven security solution for effective personal protection against known and unknown threats.
- Provide your Security Operations Center (SOC) team with access to the latest threat intelligence, and stay up to date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
- For endpoint-level detection, investigation and timely remediation of incidents, implement EDR solutions.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage.