Kaspersky: Cybercrime target Asian websites related to religion, voluntary programs, charity and several other areas with a watering hole campaign dubbed Holy Water
A watering hole campaign, dubbed Holy Water, is targeting users in Asia since May 2019. It has been discovered by Kaspersky cyber security experts. More than 10 websites related to religion, voluntary programs, charity and several other areas have been compromised to selectively trigger a download attack, resulting in a backdoor set up on the targets’ devices. Attackers use a creative toolset including GitHub distribution and use of open source code. A watering hole is a targeted attack strategy in which cybercrime compromise websites that are considered to be fertile ground for potential victims, and wait for the planted malware to end up on their computers. In order to be exposed to the malware, a user needs to simply visit a compromised website, which makes this type of attack easy to spread and thus more dangerous. Holy Water stands out due to its low-budget and undeveloped toolset, modified several times in a few months to leverage features like Google Drive C2. The attack as likely being the work of a small, agile team.
Cybercrime exploit also the Stitch malware, a modified version of the open-source Python backdoor
The visitor is then expected to fall into the update trap, and download a malicious installer package that will set up a backdoor named ‘Godlike12.’ This provides the threat actor with full remote access to the infected device enabling them to modify files, harvest confidential data, log activity and more. Another backdoor, a modified version of the open-source Python backdoor called Stitch, is also used in the attack. It provides classic backdoor functionalities by establishing a direct socket connection to exchange AES-encrypted data with the remote server. In Holy Water campaign, the fake Adobe Flash pop-up is linked to an executable file hosted on github.com under the guise of a Flash update file. GitHub disabled this repository on February 14 of this year after Kaspersky reported it to them, thus breaking the infection chain of the campaign.