
Holy Water: A creative water-holing attack discovered by Kaspersky

Kaspersky researchers have discovered a watering-hole campaign targeting users in Asia since May 2019.

ANI | Washington DC | Updated: 01-04-2020 12:55 IST | Created: 01-04-2020 12:55 IST

Kaspersky researchers have discovered a watering-hole campaign targeting users in Asia since May 2019. More than 10 websites related to religion, voluntary programs, charity, and several other areas were compromised to selectively trigger a drive-by download attack resulting in a backdoor set up on the targets' devices.

Attackers used a creative toolset, which included GitHub distribution and the use of open-source code. A watering hole is a targeted attack strategy in which cyber criminals compromise websites that are considered to be fertile ground for potential victims and wait for the planted malware to end up on their computers. In order to be exposed to malware, a user needs to simply visit a compromised website, which makes this type of attack easy to spread and thus more dangerous.

In the campaign, which Kaspersky researchers have named Holy Water, watering holes were set up on websites belonging to personalities, public bodies, charities, and various organizations. This multi-stage watering-hole attack, built on an unsophisticated but creative toolset, is distinctive for how quickly it has evolved since its inception and for the wide range of tools it uses.

Upon visiting one of the watering-hole websites, a previously compromised resource loads an obfuscated malicious JavaScript that gathers information about the visitor. An external server then decides whether the visitor is a target. If the visitor is validated as a target, a second JavaScript stage loads a plugin, which in turn triggers the drive-by download attack by showing a fake Adobe Flash update pop-up.

The visitor is then expected to be lured into the update trap, and download a malicious installer package that will set up a backdoor named 'Godlike12', thus providing the threat actor with full remote access to the infected device, enabling them to modify files, harvest confidential data from the computer, log activity on the computer and more. Another backdoor, a modified version of the open-source Python backdoor called Stitch, was also used in the attack. It provided classic backdoor functionalities by establishing a direct socket connection to exchange AES-encrypted data with the remote server.

The fake Adobe Flash pop-up linked to an executable file hosted on github.com under the guise of a Flash update file. GitHub disabled this repository on the 14th of February 2020 after Kaspersky reported it to them, breaking the campaign's infection chain. The repository had, however, been online for more than 9 months, and thanks to GitHub's commit history the researchers were able to gain unique insight into the attacker's activity and tools.

This campaign stands out due to its low-budget and not fully developed toolset, which has been modified several times in a few months to leverage interesting features like Google Drive C2. Kaspersky characterizes the attack as likely being the work of a small, agile team. "Watering hole is an interesting strategy that delivers results using targeted attacks on specific groups of people. We were not able to witness any live attacks and thus could not determine the operational target," said Kaspersky senior security researcher, Ivan Kwiatkowski.

"However, this campaign once again demonstrates why online privacy needs to be actively protected. Privacy risks are especially high when we consider various social groups and minorities because there are always actors that are interested in finding out more about such groups." Kaspersky recommends following a series of steps to avoid falling victim to targeted attacks on organizations or persons.

According to the organization, people should neither update nor install Adobe Flash Player: the product is no longer supported, so any such update most likely disguises something malicious. If it has already been installed, Kaspersky recommends removing it, as the technology is now obsolete. A VPN should be used to hide a person's association with a specific group by masking their real IP address and concealing their real location.

Kaspersky suggests that people choose a proven security solution such as Kaspersky Security Cloud for effective personal protection against known and unknown threats. The Security Operations Center (SOC) team must be given access to the latest threat intelligence and must stay up to date with the new and emerging tools, techniques and tactics used by threat actors and cybercriminals.

For endpoint-level detection, investigation and timely remediation of incidents, implementing an EDR solution such as Kaspersky Endpoint Detection and Response is advised. In addition to essential endpoint protection, implementing a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform, is also advised. (ANI)