March 31, 2020

Kaspersky uncovers a creative water hole attack discovered in the wild


Woburn, MA – March 31, 2020 – Kaspersky researchers discovered a watering hole campaign, named Holy Water, targeting users in Asia since May 2019. More than 10 websites related to religion, voluntary programs, charity and several other areas have been compromised to selectively trigger a download attack resulting in a backdoor set up on the targets’ devices. Attackers use a creative toolset including GitHub distribution and use of open source code.

A watering hole is a targeted attack strategy in which cyber criminals compromise websites that are considered to be fertile ground for potential victims, and wait for the planted malware to end up on their computers. In order to be exposed to the malware, a user needs to simply visit a compromised website, which makes this type of attack easy to spread and thus more dangerous.

In this campaign, which Kaspersky researchers named Holy Water, water holes have been set up on websites that belong to personalities, public bodies, charities and various organizations. This particular multi-stage water hole attack is unsophisticated, yet creative and distinct because of how quickly it has evolved since its inception and the wide range of tools used.

Upon visiting one of the water hole websites, a previously compromised resource will load an obscured malicious JavaScript, which gathers information about the visitor. An external server then determines whether the visitor is a target. If the visitor is validated as a target, the second JavaScript stage will load a plugin, which in turn triggers a download attack showing a fake Adobe Flash update pop-up.

The visitor is then expected to fall into the update trap, and download a malicious installer package that will set up a backdoor named ‘Godlike12.’ This provides the threat actor with full remote access to the infected device enabling them to modify files, harvest confidential data, log activity and more. Another backdoor, a modified version of the open-source Python backdoor called Stitch, is also used in the attack. It provides classic backdoor functionalities by establishing a direct socket connection to exchange AES-encrypted data with the remote server.

In this campaign, the fake Adobe Flash pop-up is linked to an executable file hosted on github.com under the guise of a Flash update file. GitHub disabled this repository on February 14 of this year after Kaspersky reported it to them, thus breaking the infection chain of the campaign. The repository had been online for more than 9 months, and thanks to GitHub’s cooperation, Kaspersky researchers were able to gain unique insight into the attacker’s activity and tools.
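The delivery step described above (a pop-up on a third-party site that leads to a Flash-named executable fetched from GitHub) can be hunted for in web proxy logs. The following is an added example, not code from Kaspersky or from the campaign; the log layout, the host list, the name pattern and every hostname and file name in the sample are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts from which GitHub-hosted files are fetched in this environment.
CODE_HOSTS = {"github.com", "raw.githubusercontent.com"}
EXECUTABLE_EXT = (".exe", ".msi", ".scr")
# Assumption: file names that pose as a Flash update.
FLASH_NAME = re.compile(r"flash", re.I)

# Constructed sample proxy log: time client method url referrer status
SAMPLE_LOG = """\
2020-01-10T08:01:02Z 10.0.0.5 GET https://charity.example.org/ - 200
2020-01-10T08:01:09Z 10.0.0.5 GET https://github.com/user-placeholder/repo-placeholder/raw/master/flashplayer_update.exe https://charity.example.org/ 200
2020-01-10T09:15:00Z 10.0.0.7 GET https://github.com/someorg/tool/releases/download/v1/tool.exe https://github.com/someorg/tool/releases 200
2020-01-10T09:20:00Z 10.0.0.8 GET https://get.adobe.com/flashplayer/install_flash_player.exe https://get.adobe.com/flashplayer/ 200
2020-01-10T09:40:00Z 10.0.0.8 GET https://github.com/dev-placeholder/flash-tools/raw/master/flashdump.exe https://github.com/dev-placeholder/flash-tools 200
2020-01-10T10:00:00Z 10.0.0.9 GET https://raw.githubusercontent.com/user-placeholder/repo-placeholder/master/Flash_Update.EXE - 200
truncated line
"""

def host(url):
    """Lower-cased hostname of a URL, or '' when there is none (e.g. '-')."""
    return (urlsplit(url).hostname or "").lower()

def suspicious_downloads(log_text):
    """Flash-named executables pulled from a code host without a code-host referrer."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed or truncated record
        ts, client, _method, url, referrer, _status = parts
        path = urlsplit(url).path.lower()
        if host(url) not in CODE_HOSTS or not path.endswith(EXECUTABLE_EXT):
            continue
        if not FLASH_NAME.search(path.rsplit("/", 1)[-1]):
            continue
        ref_host = host(referrer)
        if ref_host in CODE_HOSTS:
            continue  # user was browsing the repository itself
        # A missing referrer is kept: referrer policies can strip it.
        hits.append({"time": ts, "client": client, "url": url,
                     "referrer": ref_host or None})
    return hits

if __name__ == "__main__":
    for hit in suspicious_downloads(SAMPLE_LOG):
        print(hit)
```

The referring host of each hit is the site to review for injected script, since in the chain described here the download is triggered from the compromised page rather than from GitHub.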

Holy Water stands out due to its low-budget and undeveloped toolset, which has been modified several times in a few months to leverage interesting features like Google Drive C2. Kaspersky characterizes the attack as likely being the work of a small, agile team.

“A watering hole is an interesting strategy that delivers results using targeted attacks on specific groups of people,” said Ivan Kwiatkowski, Kaspersky senior security researcher. “We were not able to witness any live attacks and thus could not determine the operational target. However, this campaign once again demonstrates why online privacy needs to be actively protected. Privacy risks are especially high when we consider various social groups and minorities because there are always actors that are interested in finding out more about such groups.”

To read more about Holy Water, please visit Securelist.com.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact:

Cassandra Faro

Cassandra.Faro@Kaspersky.com

781-503-1812