Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:10 PM
Connect Directly

Researchers Uncover Unsophisticated - But Creative - Watering-Hole Attack

Holy Water campaign is targeting users of a specific religious and ethnic group in Asia, Kaspersky says.

A new malware distribution campaign targeted at users in Asian countries is the latest reminder of why attacks don't always have to be sophisticated to be effective.

The campaign involves the use of watering-hole websites to drop malware on systems belonging to members of a certain Asian religious and ethnic group. The watering holes have been established on more than 10 websites belonging to individuals, voluntary programs, charities, and other organizations related to the targeted religious group. All that users need to do to for malware to be downloaded on their systems is to simply visit the compromised websites.

Researchers from Kaspersky first spotted the campaign last December and have named it "Holy Water." In an advisory this week, the security vendor described the campaign as ongoing and involving the use of an unsophisticated but creative toolset that includes open source code, GitHub distribution, and the use of Go language and Google Drive-based command and communication channels.

According to Kaspersky, when a visitor lands on one of the watering holes, an already compromised component on it loads a malicious JavaScript that harvest information about the visitor's system and sends it off to an external attacker-controlled server. The external server vets the system information to determine whether the user is of potential interest.

If the user is identified as being of interest, another JavaScript loads a plugin that in turn triggers a pop-up urging the user to update their Adobe Flash software. Users who click on the pop-up end up having a backdoor called "Godlike12" installed on their systems. The malware allows the threat actor to take complete remote control of the infected device to steal sensitive data, modify files, gather logs, and conduct other malicious activity, Kaspersky said.

The threat group behind the campaign has also been using a second, modified version of an open source Python backdoor named "Stitch" in the attacks. This backdoor provides the attackers a way to exchange encrypted information with the command-and-control server, the security vendor said in its alert.

Ivan Kwiatkowski, senior security researcher at Kaspersky, says the motive for the Holy Water campaign remains unclear. But it is almost certainly not financially motivated. "Based on the extreme focus of this campaign, we assert that their objective was to gather intelligence on the target population," he says.

Creative Tactics
What makes the campaign different is how creative the attackers have been in their choice of tools, Kwiatkowski says. The Holy Water campaign has been leveraging free, third-party services instead of a proper infrastructure and made use of modified open source backdoors in its early phases.

"To us, this indicates that the attackers had to work with limited funding but were able to find ways to conduct their operations anyway," he says.

None of the tools that Kaspersky found the group using contain any state-of-the-art features. "But it is obvious that the group behind this campaign was able to achieve operational efficiency in a short time span," he says.

Kwiatkowski says Kaspersky has not been able to determine how the attackers initially compromised the websites that are being used as watering holes and planted malware on them. It is likely, though, that they exploited some software vulnerability. All of the water-holed websites that Kaspersky discovered were running WordPress, and a few of them were also hosted on the same IP address, he says.

Kaspersky has also not been able to confirm what information exactly the attackers are looking for in order to determine whether a visitor to one of the watering-hole websites is of interest to them. But based on the system information that is sent to the remote server, it appears the attackers are choosing their victims based on where they are located geographically.

The Holy Water campaign is a reminder why website administrators should keep their software stack up-to-date and have controls for detecting traces of compromise on their machines. "In the case of water-holing attacks, we recommend that measures are taken to detect any unplanned modification to the website's pages," Kwiatkowski says.

Websites that support at-risk communities need to pay attention to such campaigns as well, he adds. "[Such sites] are liable to be targeted as well because they are, in a way, access vectors to potential victims." Kwiatkowski says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Healthcare Industry Sees Respite From Attacks in First Half of 2020
Robert Lemos, Contributing Writer,  8/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: It's a technique known as breaking out of the sandbox kids.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka allows escalation of privileges by local users via manipulations involving files and using symbolic links.
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...
PUBLISHED: 2020-08-13
Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.