
Cybercrime: Holy Water Has Been Targeting Asia Since May 2019

Kaspersky: Cybercriminals target Asian websites related to religion, voluntary programs, charity and several other areas in a watering hole campaign dubbed Holy Water

A watering hole campaign dubbed Holy Water has been targeting users in Asia since May 2019. It was discovered by Kaspersky cyber security experts. More than 10 websites related to religion, voluntary programs, charity and several other areas have been compromised to selectively trigger a download attack, resulting in a backdoor being set up on the targets’ devices. The attackers use a creative toolset that includes distribution via GitHub and the use of open-source code. A watering hole is a targeted attack strategy in which cybercriminals compromise websites considered fertile ground for potential victims and wait for the planted malware to end up on the visitors’ computers. To be exposed to the malware, a user needs only to visit a compromised website, which makes this type of attack easy to spread and therefore more dangerous. Holy Water stands out for its low-budget, unpolished toolset, which was modified several times within a few months to leverage features such as a Google Drive C2. The attack is likely the work of a small, agile team.

The cyber security experts: water holes have been set up on websites belonging to personalities, public bodies, charities and various organizations. Two malicious JavaScript stages are used to select and attack the targets

According to the cyber security experts, in the Holy Water cybercrime campaign water holes have been set up on websites that belong to personalities, public bodies, charities and various organizations. This multi-stage watering hole attack is unsophisticated, yet creative and distinctive because of its fast evolution since its inception and the wide range of tools used. When a user visits one of the water hole websites, a previously compromised resource loads an obfuscated malicious JavaScript that gathers information about the visitor. An external server then determines whether the visitor is a target. If the visitor is validated as a target, the second JavaScript stage loads a plugin, which in turn triggers a download attack by showing a fake Adobe Flash update pop-up.

Cybercriminals also use the Stitch malware, a modified version of an open-source Python backdoor

The visitor is then expected to fall into the update trap and download a malicious installer package that sets up a backdoor named ‘Godlike12.’ This gives the threat actor full remote access to the infected device, enabling them to modify files, harvest confidential data, log activity and more. Another backdoor, a modified version of the open-source Python backdoor called Stitch, is also used in the attack. It provides classic backdoor functionality by establishing a direct socket connection to exchange AES-encrypted data with the remote server. In the Holy Water campaign, the fake Adobe Flash pop-up is linked to an executable file hosted on github.com under the guise of a Flash update file. GitHub disabled this repository on February 14 of this year after Kaspersky reported it, thus breaking the campaign’s infection chain.
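The two-stage chain described above (an injected script from a foreign host, then a fake Flash update link to a github.com-hosted executable) gives a site owner two simple things to check in their own pages. The following script is an added example, not Kaspersky's or the reporters' code; the allowlisted host names, the foreign host and the sample HTML are constructed for illustration.

```python
"""Added example (not Kaspersky's code): flag watering-hole indicators in HTML.
Reports <script> tags loaded from hosts outside the site's own allowlist and
'Flash update' links whose target is hosted on github.com. All host names and
the sample page below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"www.example-charity.org", "cdn.example-charity.org"}
CODE_HOSTING = {"github.com", "raw.githubusercontent.com"}

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self.links, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
    def handle_data(self, data):
        if self._href is not None:  # text inside an open <a> element
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def find_indicators(html: str) -> list[str]:
    # Stage-1 indicator: foreign script load; final-stage: fake update link.
    p = _Collector()
    p.feed(html)
    findings = []
    for src in p.scripts:
        host = urlparse(src).hostname
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"external script: {src}")
    for href, text in p.links:
        host, lowered = urlparse(href).hostname or "", text.lower()
        if "flash" in lowered and "update" in lowered and host in CODE_HOSTING:
            findings.append(f"fake update link: {href}")
    return findings

# Constructed sample: legitimate script, injected foreign loader, fake update link.
SAMPLE_PAGE = """<html><body>
<script src="https://cdn.example-charity.org/site.js"></script>
<script src="https://static.example-stage.net/loader.js"></script>
<a href="https://github.com/example-user/flash/raw/master/flashplayer.exe">
Adobe Flash Player update required</a>
<a href="/donate">Donate</a></body></html>"""
```

Run `find_indicators` over each page of a site against its known script allowlist; a new foreign script source is the earliest visible sign of this kind of compromise.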
