With many malicious websites, a user typically needs to click on a link to set off a chain of events that could then lead to a malware infection. But in some cases, all you have to do is visit a particular site to trigger a possible malware attack. That’s true with a series of sites discovered by security provider Kaspersky last December. In a report published Tuesday, Kaspersky detailed the behavior of several watering hole websites established through a malware campaign dubbed Holy Water.
To set up a watering hole attack, cybercriminals observe or ascertain which sites are visited by particular groups of people and then compromise those sites with malware. In the case of Holy Water, the affected websites are ones owned by personalities, public bodies, charities, and various organizations, with the attackers targeting people in a specific Asian religious and ethnic group.
The fake Adobe Flash popup is linked to an executable file hosted on GitHub. After learning of the malware attack from Kaspersky, GitHub disabled the repository for the file, which at least stopped the infection aspect of the campaign. However, some of the affected websites, which are all hosted on the same server, are still compromised and can still lead targeted users to malware.
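The paragraph above describes a lure whose fake update prompt links to an executable hosted on GitHub. As an added example that is not from the article or from Kaspersky's report, the following Python script scans a page's HTML for links and script sources that point off-site to an executable download or to a code-hosting service, which is the kind of content-integrity check a site owner could run over their own pages after a compromise. The sample HTML, the list of executable extensions, and the list of code-hosting domains are constructed assumptions for the example, not indicators taken from the campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: ordinary content plus one injected update-style
# prompt whose link hands out an executable from a third-party host.
SAMPLE_HTML = """
<html><body>
<h1>Community news</h1>
<a href="/about.html">About us</a>
<script src="https://cdn.example.org/site.js"></script>
<div id="update">
  <p>Your Flash Player is out of date.</p>
  <a href="https://github.com/example-account/updates/raw/master/flashplayer_update.exe">Update now</a>
</div>
</body></html>
"""

# Assumed lists (constructed for the example): file types a content site should
# never serve as downloads, and hosts from which it should never hand out binaries.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".scr", ".bat", ".jar")
CODE_HOSTING_DOMAINS = {"github.com", "raw.githubusercontent.com", "gitlab.com", "bitbucket.org"}


class LinkCollector(HTMLParser):
    """Collect every URL reachable from <a href>, <script src> and <iframe src>."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "script": "src", "iframe": "src"}
        attr = wanted.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def find_suspicious_downloads(html, site_host):
    """Return (url, reason) pairs for off-site URLs that point at an executable
    file or at a code-hosting service. Relative and same-origin links are skipped."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for url in parser.urls:
        parsed = urlparse(url)
        if not parsed.netloc or parsed.netloc.lower() == site_host.lower():
            continue  # relative or same-origin link: not in scope for this check
        reasons = []
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("executable download")
        if parsed.netloc.lower() in CODE_HOSTING_DOMAINS:
            reasons.append("hosted on code-hosting service")
        if reasons:
            findings.append((url, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Assumed site hostname for the sample page.
    for url, why in find_suspicious_downloads(SAMPLE_HTML, "www.example.org"):
        print(f"{why}: {url}")
```

Run against a saved copy of each page on the server, the check flags the injected link while leaving the legitimate CDN script alone; comparing the output with a known-good crawl of the same pages turns it into a simple defacement monitor.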
Almost 10 websites have been compromised, with at least dozens of implanted hosts, showing that the attackers have established a large but targeted watering hole campaign. The malicious tools used in the campaign appear to be low budget and not fully developed, and they have been modified several times over just a few months. That suggests a small and agile team behind the attack, according to Kaspersky.
Though Kaspersky hasn’t been able to observe this attack in the wild, the company doesn’t think the Godlike12 backdoor is widespread; it is likely being used to perform reconnaissance and data exfiltration.
“A watering hole is an interesting strategy that delivers results using targeted attacks on specific groups of people,” Ivan Kwiatkowski, Kaspersky senior security researcher, said in a press release. “We were not able to witness any live attacks and thus could not determine the operational target. However, this campaign once again demonstrates why online privacy needs to be actively protected. Privacy risks are especially high when we consider various social groups and minorities because there are always actors that are interested in finding out more about such groups.”