<h1>Dangerous holy water</h1>
<p><em>Kaspersky Daily, published 2020-03-31, updated 2020-04-03. Tags: APT, targeted attack, watering hole. Original: <a href="https://me-en.kaspersky.com/blog/holy-water-apt/16266/">https://me-en.kaspersky.com/blog/holy-water-apt/16266/</a></em></p>
<p>Attackers are infecting users’ computers with a backdoor posing as an Adobe Flash Player update.</p>
<p>At the end of 2019, our experts uncovered a targeted attack built on the <a href="https://encyclopedia.kaspersky.com/glossary/watering-hole/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation" target="_blank" rel="noopener">watering hole</a> technique. Without any sophisticated tricks and without exploiting a single vulnerability, the attackers infected user devices in Asia over a period of at least eight months. Based on the subject matter of the websites used to spread the malware, the attack was christened, yes, Holy Water. It is the second attack using such tactics that we have discovered in recent months (see <a href="https://www.kaspersky.com/blog/lightspy-watering-hole-attack/34501/" target="_blank" rel="noopener nofollow">here</a> for our researchers’ other find).</p>
<h2>How did Holy Water infect user devices?</h2>
<p>At some point the attackers compromised a hosting server whose Web pages belonged mainly to religious figures, public organizations, and charities. They embedded malicious scripts in the code of these pages, and those scripts carried out the attack.</p>
<p>When a user visited an infected page, the scripts used perfectly legitimate tools to collect data about the visitor and forward it to a third-party server for validation. We don’t know how victims were selected, but if the server judged the target promising, it replied with a command to continue the attack.</p>
<p>The next step was a trick that has been standard for more than a decade: the user was told that Adobe Flash Player was outdated and a security risk, and was prompted to update it. If the victim consented, what was downloaded and installed instead of the promised update was the Godlike12 backdoor.</p>
<h2>The danger of Godlike12</h2>
<p>The attack’s masterminds made heavy use of legitimate services, both for profiling victims and for hosting the malicious code (the backdoor was hosted on GitHub). The backdoor used Google Drive as its command-and-control channel.</p>
<p>The backdoor placed an identifier in Google Drive storage and polled it regularly for commands from the attackers; the results of executing those commands were uploaded to the same place. Because every exchange is an ordinary HTTPS request to a popular cloud service, the traffic does not stand out on the network by its destination alone. According to our experts, the attack’s purpose was reconnaissance and harvesting information from compromised devices.</p>
<p>For the technical details and the tools employed, see <a href="https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/" target="_blank" rel="noopener">Securelist’s post on Holy Water</a>, which also lists the indicators of compromise.</p>
<h2>How to guard against it</h2>
<p>So far we have seen Holy Water only in Asia. However, the tools used in the campaign are simple and could easily be deployed elsewhere, so we recommend that all users take these recommendations seriously, regardless of location.</p>
<p>We cannot say whether the attack targets particular individuals or organizations. One thing is certain: anyone can visit the infected sites from both home and work devices. Our core advice is therefore to protect every device with Internet access. A simple check defeats the lure itself: Adobe Flash Player is updated through Adobe’s own updater or from adobe.com, never through a prompt on an unrelated website, so any site that asks you to install a Flash update should be treated as hostile. We offer security solutions for both <a href="https://me-en.kaspersky.com/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___" target="_blank" rel="noopener">personal</a> and <a href="https://me-en.kaspersky.com/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank" rel="noopener">corporate</a> computers, and our products detect and block all of the tools and techniques used by Holy Water’s creators.</p>
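<p>A detection check for the command channel described under “The danger of Godlike12”, added here as an example: it is not code from the original post or from Kaspersky, and the proxy log format, hosts, paths, timestamps, user agents and thresholds are all constructed for it. A backdoor that polls Google Drive on a timer leaves near-constant gaps between its requests, while a person using Drive from a browser does not. The script groups proxy log lines by source host and destination, computes the inter-request gaps for each pair, and flags pairs whose gaps have a low coefficient of variation, including a beacon that adds modest jitter and spoofs a browser user agent.</p>

```python
"""Beacon-interval check for cloud-storage C2 polling.

Added example, not code from the original post or from Kaspersky. Godlike12
polled Google Drive for commands; a backdoor on a timer produces near-constant
gaps between requests, which a human using Drive from a browser does not.
The log format, hosts, paths, user agents and timestamps below are constructed
for this example; adapt parse_line() to your proxy's real format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<iso-timestamp> <src_ip> <dst_host> <method> <path> <user_agent>"
# 10.0.0.5: fixed 300 s poll, non-browser client      -> beacon
# 10.0.0.6: 300 s poll with jitter, browser-like UA    -> beacon (timing still gives it away)
# 10.0.0.7: a person working in Drive, irregular gaps  -> not flagged
# 10.0.0.9: only two requests                          -> too few to judge
SAMPLE_LOG = """\
2020-03-10T09:00:00 10.0.0.5 www.googleapis.com GET /drive/v3/files?q=name python-requests/2.22.0
2020-03-10T09:05:00 10.0.0.5 www.googleapis.com GET /drive/v3/files?q=name python-requests/2.22.0
2020-03-10T09:10:00 10.0.0.5 www.googleapis.com GET /drive/v3/files?q=name python-requests/2.22.0
2020-03-10T09:15:00 10.0.0.5 www.googleapis.com GET /drive/v3/files?q=name python-requests/2.22.0
2020-03-10T09:20:00 10.0.0.5 www.googleapis.com GET /drive/v3/files?q=name python-requests/2.22.0
2020-03-10T09:25:00 10.0.0.5 www.googleapis.com GET /drive/v3/files?q=name python-requests/2.22.0
2020-03-10T09:00:00 10.0.0.6 www.googleapis.com GET /drive/v3/files/abc?alt=media Mozilla/5.0 (Windows NT 6.1; WOW64)
2020-03-10T09:04:50 10.0.0.6 www.googleapis.com GET /drive/v3/files/abc?alt=media Mozilla/5.0 (Windows NT 6.1; WOW64)
2020-03-10T09:10:05 10.0.0.6 www.googleapis.com GET /drive/v3/files/abc?alt=media Mozilla/5.0 (Windows NT 6.1; WOW64)
2020-03-10T09:15:07 10.0.0.6 www.googleapis.com GET /drive/v3/files/abc?alt=media Mozilla/5.0 (Windows NT 6.1; WOW64)
2020-03-10T09:19:55 10.0.0.6 www.googleapis.com GET /drive/v3/files/abc?alt=media Mozilla/5.0 (Windows NT 6.1; WOW64)
2020-03-10T09:25:00 10.0.0.6 www.googleapis.com GET /drive/v3/files/abc?alt=media Mozilla/5.0 (Windows NT 6.1; WOW64)
2020-03-10T09:00:00 10.0.0.7 www.googleapis.com GET /drive/v3/files Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2020-03-10T09:00:37 10.0.0.7 www.googleapis.com POST /upload/drive/v3/files Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2020-03-10T09:07:29 10.0.0.7 www.googleapis.com GET /drive/v3/files Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2020-03-10T09:07:38 10.0.0.7 www.googleapis.com GET /drive/v3/files/def Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2020-03-10T09:32:38 10.0.0.7 www.googleapis.com GET /drive/v3/files Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2020-03-10T09:33:00 10.0.0.7 www.googleapis.com GET /drive/v3/files/ghi Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2020-03-10T09:00:00 10.0.0.9 www.googleapis.com GET /drive/v3/about curl/7.68.0
2020-03-10T09:05:00 10.0.0.9 www.googleapis.com GET /drive/v3/about curl/7.68.0
"""

# Hostnames that carry Google Drive API traffic (assumed list; extend for your environment)
WATCHED_HOSTS = {"www.googleapis.com", "drive.google.com"}


def parse_line(line):
    """Split one constructed log line into fields; the user agent may contain spaces."""
    ts, src, dst, method, path, ua = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "src_ip": src, "dst_host": dst,
            "method": method, "path": path, "user_agent": ua}


def find_beacons(log_text, min_requests=5, max_cv=0.2, watched_hosts=WATCHED_HOSTS):
    """Return one finding per (src_ip, dst_host) whose request gaps are near-constant.

    max_cv is the largest coefficient of variation (stdev / mean of the gaps)
    still treated as periodic; 0.2 tolerates a backdoor that adds modest jitter.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst_host"] in watched_hosts:
            groups[(rec["src_ip"], rec["dst_host"])].append(rec)

    findings = []
    for (src, dst), recs in sorted(groups.items()):
        if len(recs) < min_requests:
            continue  # too few requests to judge periodicity
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # everything in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src_ip": src, "dst_host": dst, "requests": len(recs),
                             "mean_interval_s": round(avg, 1), "cv": round(cv, 3),
                             "user_agents": sorted({r["user_agent"] for r in recs})})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

<p>Two caveats apply before running this against real logs. Google Drive is legitimate traffic on almost every network, so the check must be baselined per host and the watched-host list, window length and <code>max_cv</code> tuned to your environment; an implant with long random sleeps will push the coefficient of variation above any sensible threshold, so treat this as one signal rather than a verdict. The stronger indicator is available on the endpoint: a process that is not a browser or the official Drive client talking to the Drive API, which is exactly what a backdoor downloaded in place of a “Flash update” looks like.</p>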