• The campaign was targeting users of a specific religious and ethnic group in Asia.
  • Attackers compromised about 10 websites and employed a multi-stage, targeted effort to fingerprint and compromise victims.

Researchers disclosed a new malware distribution campaign that involves the use of watering-hole websites and targets a certain religious and ethnic group from Asian countries.

What happened?
First spotted running a campaign last December, the hacker group was named "Holy Water" by the researchers.

  • The watering holes have been established on more than 10 websites so far.
  • These sites belong to individuals, voluntary programs, charities, and other organizations related to the targeted religious group.
  • The attackers reportedly work under limited funding. They creatively leveraged free, third-party services instead of proper infrastructure and made use of modified open-source backdoors in its early phases.

How does it work?
In this campaign, hackers used an unsophisticated but creative toolset that includes open-source code, GitHub distribution and the use of Go language and Google Drive-based C&C channels.

  • As soon as a user lands on one of the watering holes, an already compromised component on it loads a malicious JavaScript.
  • The script helps collect the information on the user’s system via an external attacker-controlled server.
  • The external server analyzes the compromised system and determines whether the user is of potential interest.
  • When there’s a match, another JavaScript loads a plugin that generates a request, as a pop-up, for the users to update their Adobe Flash software.
  • Users clicking on it end up laying a red carpet inviting a backdoor called "Godlike12."

What are the malware’s capabilities?
Hackers can gain a foothold over the infected devices remotely. 

  • The malware allows the threat actor to steal sensitive data, modify files on the system, gather user logs, and more.
  • The threat group also used another modified version of an open-source Python backdoor dubbed "Stitch" in the attacks. It could enable the exchange of encrypted information with the C&C server.

A spokesperson from the research firm said, though the campaign is not financially motivated, the motive of targeting a particular religious and ethnic group is obscure. "Based on the extreme focus of this campaign, we assert that their objective was to gather intelligence on the target population," he says.

Final thoughts
Researchers have not been able to learn how the attackers infiltrated the websites and how they planted malware on them. It is possible that the attackers came to know of existing vulnerabilities that they could exploit. It was also discovered that all the water-holed websites were running WordPress, while some of those were hosted on the same IP address.

Further, the Holy Water campaign is essentially a note to website administrators as they must keep their software stack up-to-date and have sufficient controls for tracing and recovering any compromised systems.
Cyware Publisher