Only last week, Kaspersky Lab experts described a large-scale watering hole campaign aimed at Hong Kong residents, in which multifunctional iOS malware called LightSpy was installed on victims' smartphones.
Such attacks are named by analogy with predators that hunt at a watering hole, lying in wait for prey that comes to drink. In the same way, attackers plant malware on websites that their intended victims are known to visit.
Now, researchers at Kaspersky Lab revealed another similar campaign, dubbed Holy Water and also directed against Asian users.
So far, the experts have found it difficult to determine whether the campaign targeted specific individuals or organizations. Given the subject matter of the infected sites, it is reasonable to assume they were visited from both home and work devices.
When a user visited an infected page, scripts built from entirely legitimate tools collected data about the visitor and sent it to a third-party server to validate the target. What criteria the attackers used to select victims is not known; however, in response to the submitted information, the server sometimes sent a command to continue the attack.
The criminals then used a classic trick that has been in use for well over a decade: the user was prompted to update Adobe Flash Player, with the argument that running an outdated version is unsafe. If the victim agreed, instead of an update, the Godlike12 backdoor was installed on their computer.
Researchers emphasize that the attackers made heavy use of legitimate services in their campaign. For example, the backdoor was hosted on GitHub. GitHub has since disabled the repository (on February 14, after being notified by the experts), but it had been active for about nine months.
The backdoor, in turn, communicates with its command-and-control servers through Google Drive. It posts its identifier to the service and regularly checks there for commands from the operators; the results of executed commands are uploaded to the same place.
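A command channel hidden in Google Drive looks, on the wire, like ordinary traffic to a service most organizations allow, so blocking the destination is not an option. What does stand out is the timing: a backdoor that "regularly" checks a Drive location for commands produces requests at near-constant intervals, while a person using Drive produces bursts and long pauses. The script below is an added example written for this article, not code from Kaspersky's report or from the Godlike12 sample; it runs a simple beacon-regularity check over a constructed proxy log. The log layout (`timestamp source-ip destination-host`), the watched hostnames, and the thresholds are all assumptions to be adapted to your own logs.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data). Assumed layout per line:
# "<ISO-8601 timestamp> <source IP> <destination host>"
# 10.0.0.5 polls the Drive API roughly every 60 s; 10.0.0.9 browses Drive by hand.
SAMPLE_LOG = """\
2020-02-10T09:00:00 10.0.0.5 www.googleapis.com
2020-02-10T09:00:00 10.0.0.9 drive.google.com
2020-02-10T09:00:07 10.0.0.9 drive.google.com
2020-02-10T09:00:30 10.0.0.12 www.example.com
2020-02-10T09:01:00 10.0.0.5 www.googleapis.com
2020-02-10T09:02:01 10.0.0.5 www.googleapis.com
2020-02-10T09:03:00 10.0.0.5 www.googleapis.com
2020-02-10T09:03:40 10.0.0.9 drive.google.com
2020-02-10T09:04:00 10.0.0.5 www.googleapis.com
2020-02-10T09:04:02 10.0.0.9 drive.google.com
2020-02-10T09:05:02 10.0.0.5 www.googleapis.com
2020-02-10T09:06:00 10.0.0.5 www.googleapis.com
2020-02-10T09:07:00 10.0.0.5 www.googleapis.com
2020-02-10T09:17:15 10.0.0.9 drive.google.com
2020-02-10T09:17:16 10.0.0.9 drive.google.com
"""

# Hostnames a Drive-based client would contact (assumption; extend for the
# cloud-storage services your environment permits).
WATCHED_HOSTS = {"www.googleapis.com", "drive.google.com"}


def parse_line(line):
    """Return (timestamp, src_ip, dest_host), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def interval_stats(timestamps):
    """Mean gap between consecutive requests and its coefficient of variation
    (population stdev / mean). A polling client gives a low CV; human browsing
    gives bursts and idle stretches, so a high CV."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg == 0:
        return 0.0, float("inf")
    return avg, pstdev(gaps) / avg


def find_beacons(log_text, min_events=6, max_cv=0.2):
    """Group requests to watched hosts by (src_ip, dest_host) and return the
    pairs whose timing looks like a fixed-interval poll."""
    series = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, src, dst = rec
        if dst in WATCHED_HOSTS:
            series[(src, dst)].append(ts)

    flagged = {}
    for key, stamps in series.items():
        if len(stamps) < min_events:
            continue  # too few samples to judge regularity
        avg, cv = interval_stats(stamps)
        if cv <= max_cv:
            flagged[key] = {"events": len(stamps),
                            "mean_interval_s": avg,
                            "cv": round(cv, 4)}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['events']} requests, "
              f"every ~{info['mean_interval_s']:.0f}s (CV {info['cv']})")
```

On the constructed log only the 10.0.0.5 series is flagged (eight requests, mean gap 60 s, CV about 0.02); the hand-driven 10.0.0.9 series has a CV above 1 and is ignored. In practice the regular poll is a lead, not a verdict: sync clients and other agents also poll, so the flagged host still has to be examined for the process behind the traffic.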
According to the experts, the attackers' main goals came down to reconnaissance and exfiltrating data from the compromised device.