Researchers Uncover Unsophisticated - But Creative

Researchers Uncover Unsophisticated - But Creative - Watering-Hole Attack

Holy Water campaign is targeting users of a specific religious and ethnic group in Asia, Kaspersky says.

A new malware distribution campaign targeted at users in Asian countries is the latest reminder of why attacks dont always have to be sophisticated to be effective.
The campaign involves the use of watering-hole websites to drop malware on systems belonging to members of a certain Asian religious and ethnic group. The watering holes have been established on more than 10 websites belonging to individuals, voluntary programs, charities, and other organizations related to the targeted religious group. All that users need to do to for malware to be downloaded on their systems is to simply visit the compromised websites.
Researchers from Kaspersky first spotted the campaign last December and have named it Holy Water. In an advisory this week, the security vendor described the campaign as ongoing and involving the use of an unsophisticated but creative toolset that includes open source code, GitHub distribution, and the use of Go language and Google Drive-based command and communication channels.
According to Kaspersky, when a visitor lands on one of the watering holes, an already compromised component on it loads a malicious JavaScript that harvest information about the visitors system and sends it off to an external attacker-controlled server. The external server vets the system information to determine whether the user is of potential interest.
If the user is identified as being of interest, another JavaScript loads a plugin that in turn triggers a pop-up urging the user to update their Adobe Flash software. Users who click on the pop-up end up having a backdoor called Godlike12 installed on their systems. The malware allows the threat actor to take complete remote control of the infected device to steal sensitive data, modify files, gather logs, and conduct other malicious activity,
Kaspersky said
.
The threat group behind the campaign has also been using a second, modified version of an open source Python backdoor named Stitch in the attacks. This backdoor provides the attackers a way to exchange encrypted information with the command-and-control server, the security vendor said in its alert.
Ivan Kwiatkowski, senior security researcher at Kaspersky, says the motive for the Holy Water campaign remains unclear. But it is almost certainly not financially motivated. Based on the extreme focus of this campaign, we assert that their objective was to gather intelligence on the target population, he says.
Creative Tactics
What makes the campaign different is how creative the attackers have been in their choice of tools, Kwiatkowski says. The Holy Water campaign has been leveraging free, third-party services instead of a proper infrastructure and made use of modified open source backdoors in its early phases.
To us, this indicates that the attackers had to work with limited funding but were able to find ways to conduct their operations anyway, he says.
None of the tools that Kaspersky found the group using contain any state-of-the-art features. But it is obvious that the group behind this campaign was able to achieve operational efficiency in a short time span, he says.
Kwiatkowski says Kaspersky has not been able to determine how the attackers initially compromised the websites that are being used as watering holes and planted malware on them. It is likely, though, that they exploited some software vulnerability. All of the water-holed websites that Kaspersky discovered were running WordPress, and a few of them were also hosted on the same IP address, he says.
Kaspersky has also not been able to confirm what information exactly the attackers are looking for in order to determine whether a visitor to one of the watering-hole websites is of interest to them. But based on the system information that is sent to the remote server, it appears the attackers are choosing their victims based on where they are located geographically.
The Holy Water campaign is a reminder why website administrators should keep their software stack up-to-date and have controls for detecting traces of compromise on their machines. In the case of water-holing attacks, we recommend that measures are taken to detect any unplanned modification to the websites pages, Kwiatkowski says.
Websites that support at-risk communities need to pay attention to such campaigns as well, he adds. [Such sites] are liable to be targeted as well because they are, in a way, access vectors to potential victims. Kwiatkowski says.
Related Content:
Attackers Distributing Malware Under Guise of Security Certificate Updates
Social Media Platforms Double as Major Malware Distribution Centers
Most Cyberattacks in 2019 Were Waged Without Malware
8 Legit Tools and Utilities That Cybercriminals Commonly Misuse
Check out
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays featured story:
Untangling Third-Party Risk (and Fourth, and Fifth...).

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Researchers Uncover Unsophisticated - But Creative - Watering-Hole Attack