On December 4, 2019, Kaspersky experts discovered a watering hole attack, tracked as Holy Water, aimed at an Asian religious and ethnic group. The campaign has been active since at least May 2019 and delivered fake Adobe Flash update warnings to its victims.
The experts believe the threat actors have been evolving: they were observed employing Sojson obfuscation, NSIS installers, Python, open-source code, GitHub distribution, the Go language, as well as Google Drive-based C2 channels in their campaigns.
At the time it
“The watering holes have been set up on websites that belong to personalities, public bodies, charities and organizations of the targeted group. At the time of writing, some of these websites (all hosted on the same server) are still compromised, and continue to direct selected visitors to malicious payloads.” reads the analysis published by Kaspersky Lab.
The visitor is then tricked into installing the fake update, which hides a malicious installer package that sets up a backdoor.
Attackers used GitHub as the repository for the malicious
The repository had been online for more than nine months, and its commit history, preserved by GitHub, gave the experts a unique insight into the attacker’s activity and tools.
Experts found four executables hosted in the repository: an installer package embedding a decoy legitimate Flash update and a stager, the Godlike12 Go backdoor that implements a Google Drive-based C2 channel, and two versions of the open-source Stitch Python backdoor that were customized by the attackers.
“Digging into the repository for older commits, we also discovered a previous fake update
Experts noticed that attackers used a low-budget
“With almost 10 compromised websites and dozens of implanted hosts (that we know of), the attackers have set up a sizable yet very targeted water-holing attack. The toolset that’s being used seems low-budget and not fully developed, but has been modified several times in a few months to leverage interesting features like Google Drive C2, and would be characteristic of a small, agile team.” concludes Kaspersky.
“We were unable to observe any live operations, but some tracks indicate that the Godlike12 backdoor is not widespread, and is probably used to conduct reconnaissance and data-exfiltration operations. We were unable to correlate these attacks to any known APT groups.”