Holy Water campaign is targeting users of a specific religious and ethnic group in Asia, Kaspersky says.

4 Min Read

A new malware distribution campaign targeted at users in Asian countries is the latest reminder of why attacks don't always have to be sophisticated to be effective.

The campaign involves the use of watering-hole websites to drop malware on systems belonging to members of a certain Asian religious and ethnic group. The watering holes have been established on more than 10 websites belonging to individuals, voluntary programs, charities, and other organizations related to the targeted religious group. All that users need to do to for malware to be downloaded on their systems is to simply visit the compromised websites.

Researchers from Kaspersky first spotted the campaign last December and have named it "Holy Water." In an advisory this week, the security vendor described the campaign as ongoing and involving the use of an unsophisticated but creative toolset that includes open source code, GitHub distribution, and the use of Go language and Google Drive-based command and communication channels.

According to Kaspersky, when a visitor lands on one of the watering holes, an already compromised component on it loads a malicious JavaScript that harvest information about the visitor's system and sends it off to an external attacker-controlled server. The external server vets the system information to determine whether the user is of potential interest.

If the user is identified as being of interest, another JavaScript loads a plugin that in turn triggers a pop-up urging the user to update their Adobe Flash software. Users who click on the pop-up end up having a backdoor called "Godlike12" installed on their systems. The malware allows the threat actor to take complete remote control of the infected device to steal sensitive data, modify files, gather logs, and conduct other malicious activity, Kaspersky said.

The threat group behind the campaign has also been using a second, modified version of an open source Python backdoor named "Stitch" in the attacks. This backdoor provides the attackers a way to exchange encrypted information with the command-and-control server, the security vendor said in its alert.

Ivan Kwiatkowski, senior security researcher at Kaspersky, says the motive for the Holy Water campaign remains unclear. But it is almost certainly not financially motivated. "Based on the extreme focus of this campaign, we assert that their objective was to gather intelligence on the target population," he says.

Creative Tactics
What makes the campaign different is how creative the attackers have been in their choice of tools, Kwiatkowski says. The Holy Water campaign has been leveraging free, third-party services instead of a proper infrastructure and made use of modified open source backdoors in its early phases.

"To us, this indicates that the attackers had to work with limited funding but were able to find ways to conduct their operations anyway," he says.

None of the tools that Kaspersky found the group using contain any state-of-the-art features. "But it is obvious that the group behind this campaign was able to achieve operational efficiency in a short time span," he says.

Kwiatkowski says Kaspersky has not been able to determine how the attackers initially compromised the websites that are being used as watering holes and planted malware on them. It is likely, though, that they exploited some software vulnerability. All of the water-holed websites that Kaspersky discovered were running WordPress, and a few of them were also hosted on the same IP address, he says.

Kaspersky has also not been able to confirm what information exactly the attackers are looking for in order to determine whether a visitor to one of the watering-hole websites is of interest to them. But based on the system information that is sent to the remote server, it appears the attackers are choosing their victims based on where they are located geographically.

The Holy Water campaign is a reminder why website administrators should keep their software stack up-to-date and have controls for detecting traces of compromise on their machines. "In the case of water-holing attacks, we recommend that measures are taken to detect any unplanned modification to the website's pages," Kwiatkowski says.

Websites that support at-risk communities need to pay attention to such campaigns as well, he adds. "[Such sites] are liable to be targeted as well because they are, in a way, access vectors to potential victims." Kwiatkowski says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights