Business Standard

Holy Water: A creative water-holing attack discovered by Kaspersky


ANI Internet

Kaspersky researchers have discovered a watering-hole campaign targeting users in Asia since May 2019.

More than 10 websites related to religion, voluntary programs, charity, and several other areas were compromised to selectively trigger a drive-by download attack resulting in a backdoor set up on the targets' devices.

Attackers used a creative toolset, which included GitHub distribution and the use of open-source code.

A watering hole is a targeted attack strategy in which cyber criminals compromise websites that are considered to be fertile ground for potential victims and wait for the planted malware to end up on their computers. In order to be exposed to malware, a user needs to simply visit a compromised website, which makes this type of attack easy to spread and thus more dangerous.


In the campaign, which Kaspersky researchers named Holy Water, watering holes were set up on websites belonging to public personalities, public bodies, charities, and various other organizations.

This multi-stage watering-hole attack, built on an unsophisticated but creative toolset, is distinctive both for how quickly it has evolved since its inception and for the wide range of tools used.

When a visitor opens one of the watering-hole websites, a previously compromised resource loads an obfuscated malicious JavaScript, which gathers information about the visitor.

An external server then determines whether the visitor is a target. If the visitor is validated as a target, a second JavaScript stage loads a plugin, which in turn triggers the drive-by download by showing a fake Adobe Flash update pop-up.

The visitor is then expected to be lured into the update trap, and download a malicious installer package that will set up a backdoor named 'Godlike12', thus providing the threat actor with full remote access to the infected device, enabling them to modify files, harvest confidential data from the computer, log activity on the computer and more.

Another backdoor, a modified version of the open-source Python backdoor called Stitch, was also used in the attack. It provided classic backdoor functionalities by establishing a direct socket connection to exchange AES-encrypted data with the remote server.

The fake Adobe Flash pop-up was linked to an executable file hosted on github.com under the guise of a Flash update file. GitHub disabled this repository on the 14th of February 2020 after Kaspersky reported it to them, thus breaking the infection chain of the campaign.
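The chain described above ends with an executable, hosted on github.com and presented as a Flash update, being downloaded after the victim clicks the fake pop-up on an unrelated site. That shape is easy to look for in web-proxy logs. The following Python script is an added example, not code from the article or from Kaspersky: it parses constructed proxy log lines (timestamp, client, method, URL, referrer) and flags executable downloads that combine at least two of three signals: fetched from a code-hosting site, Flash-themed filename, and a referrer on a different site than the file host. All hostnames, paths and addresses in the sample log are constructed placeholders; the code-hosting list is an assumption a deployment would tune.

```python
"""Flag fake-Flash-update download chains in web-proxy logs (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Installer/executable suffixes worth inspecting (assumed list, extend as needed).
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".scr")
# Code-hosting domains the article's lure used (github.com) plus its raw/object hosts.
CODE_HOSTING = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Flash is no longer supported, so a "Flash" installer download is itself a signal.
FLASH_LURE = re.compile(r"flash", re.IGNORECASE)
# Minimum number of independent signals before a request is reported.
MIN_REASONS = 2

# Constructed sample proxy log: "<ts> <client> <method> <url> <referrer|->"
SAMPLE_LOG = """\
2020-02-10T09:14:02Z 10.0.0.21 GET https://charity-example.test/index.html -
2020-02-10T09:14:03Z 10.0.0.21 GET https://cdn-example.test/assets/loader.js https://charity-example.test/index.html
2020-02-10T09:14:05Z 10.0.0.21 GET https://github.com/example-user/example-repo/raw/master/flashplayer_install.exe https://charity-example.test/index.html
2020-02-10T09:20:11Z 10.0.0.33 GET https://github.com/example-user/example-repo/archive/master.zip -
2020-02-10T09:21:40Z 10.0.0.55 GET https://github.com/example-user/example-tool/releases/download/v1.0/tool.exe -
2020-02-10T09:22:07Z 10.0.0.44 GET https://news-example.test/article.html -
"""


@dataclass
class Request:
    ts: str
    client: str
    method: str
    url: str
    referrer: Optional[str]


@dataclass
class Finding:
    client: str
    url: str
    referrer: Optional[str]
    reasons: List[str]


def parse_line(line: str) -> Optional[Request]:
    """Parse one space-separated log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, ref = parts
    return Request(ts, client, method, url, None if ref == "-" else ref)


def inspect(req: Request) -> Optional[Finding]:
    """Score a single request; only executable downloads are considered."""
    parsed = urlparse(req.url)
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if not filename.endswith(EXECUTABLE_SUFFIXES):
        return None
    reasons = []
    if parsed.hostname in CODE_HOSTING:
        reasons.append("executable fetched from a code-hosting site")
    if FLASH_LURE.search(filename):
        reasons.append("Flash-themed filename: Flash is unsupported, so an 'update' is a lure signal")
    if req.referrer:
        ref_host = urlparse(req.referrer).hostname
        if ref_host and ref_host != parsed.hostname:
            reasons.append(f"download triggered from unrelated site {ref_host}")
    if len(reasons) < MIN_REASONS:
        return None  # a lone signal (e.g. a normal release binary) is not reported
    return Finding(req.client, req.url, req.referrer, reasons)


def scan(log_text: str) -> List[Finding]:
    """Run inspect() over every parsable line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        finding = inspect(req)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client} fetched {f.url} (referrer: {f.referrer})")
        for r in f.reasons:
            print("  -", r)
```

On the sample log only the client at 10.0.0.21 is reported: its executable comes from github.com, is named like a Flash installer, and was requested with the charity site as referrer. The plain release binary fetched by 10.0.0.55 carries a single signal and is not reported, which is the trade-off MIN_REASONS encodes. In practice the referrer of a hit identifies the compromised website, which is the artifact a responder most wants from this kind of campaign.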

The repository had, however, been online for more than nine months, and thanks to GitHub's commit history the researchers were able to gain unique insight into the attacker's activity and tools.

This campaign stands out due to its low-budget and not fully developed toolset, which has been modified several times in a few months to leverage interesting features like Google Drive C2. Kaspersky characterizes the attack as likely being the work of a small, agile team.

"Watering hole is an interesting strategy that delivers results using targeted attacks on specific groups of people. We were not able to witness any live attacks and thus could not determine the operational target," said Kaspersky senior security researcher, Ivan Kwiatkowski.

"However, this campaign once again demonstrates why online privacy needs to be actively protected. Privacy risks are especially high when we consider various social groups and minorities because there are always actors that are interested in finding out more about such groups."

Kaspersky recommends following a series of steps to avoid falling victim to targeted attacks on organizations or persons.

According to the organization, people should neither update nor install Adobe Flash Player: the product is no longer supported, so an "update" prompt most likely disguises something malicious. Where it is already installed, Kaspersky recommends removing it, as the technology is now obsolete.

A VPN should be used to hide a person's association with a specific group, by masking their real IP address and concealing their real location.

Kaspersky suggests that people choose a proven security solution such as Kaspersky Security Cloud for effective personal protection against known and unknown threats.

The Security Operations Center (SOC) team must be given access to the latest threat intelligence so that it stays up to date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.

For endpoint-level detection, investigation and timely remediation of incidents, implementing an EDR solution such as Kaspersky Endpoint Detection and Response is advised.

In addition to adopting essential endpoint protection, implementing a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform, is also advised.

Disclaimer: No Business Standard Journalist was involved in creation of this content


First Published: Apr 01 2020 | 12:49 PM IST
