With many malicious websites, a user typically needs to click on a link to set off a chain of events that could then lead to a malware infection. But in some cases, all you have to do is visit a particular site to trigger a possible malware attack. That’s true with a series of sites discovered by security provider Kaspersky last December. In a report published Tuesday, Kaspersky detailed the behavior of several watering hole websites established through a malware campaign dubbed Holy Water.

To set up a watering hole attack, cybercriminals observe or ascertain which sites are visited by particular groups of people and then compromise those sites with malware. In the case of Holy Water, affected websites are ones owned by personalities, public bodies, charities, and various organizations with the attackers targeting people in a specific Asian religious and ethnic group.

Here’s how this particular campaign works, according to Kaspersky. When a user visits a compromised site, a piece of malicious JavaScript automatically loads to determine if this person is a potential target. If so, a second JavaScript piece loads a plugin that launches a fake Adobe Flash update popup window. Accepting the update downloads a malicious installer that sets up a backdoor named Godlike12. This exploit gives the attacker full remote access to the infected computer where they can change files and steal confidential information.

Warning generated by the Holy Water watering hole campaign.
Image: Kaspersky

The fake Adobe Flash popup is linked to an executable file hosted on GitHub. After learning of the malware attack from Kaspersky, GitHub disabled the repository for the file, which at least stopped the infection aspect of the campaign. However, some of the affected websites, which are all hosted on the same server, are still compromised and can still lead targeted users to malware.

SEE: Malware Incident Response Plan (TechRepublic Premium)

Almost 10 websites have been compromised with at least dozens of implanted hosts, showing that the attackers have established a large but targeted type of watering hole campaign. The malicious tools used in the campaign appear to be low budget and not fully developed and have been modified several times over just a few months. That suggests a small and agile team behind the attack, according to Kaspersky.

Though Kaspersky hasn’t been able to observe this attack in the wild, the company doesn’t think the Godlike12 backdoor is widespread and is likely being used to perform reconnaissance and data-exfiltration.

“A watering hole is an interesting strategy that delivers results using targeted attacks on specific groups of people,” Ivan Kwiatkowski, Kaspersky senior security researcher, said in a press release. “We were not able to witness any live attacks and thus could not determine the operational target. However, this campaign once again demonstrates why online privacy needs to be actively protected. Privacy risks are especially high when we consider various social groups and minorities because there are always actors that are interested in finding out more about such groups.”


Image: Getty Images/iStockphoto