Holy water: ongoing targeted water-holing attack in Asia

On December 4, 2019, we discovered watering hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings. This campaign has been active since at least May 2019, and targets an Asian religious and ethnic group.


The threat actor’s unsophisticated but creative toolset has evolved considerably since the campaign began, may still be under development, and leverages Sojson obfuscation, the NSIS installer, Python, open-source code, GitHub distribution, the Go language, as well as Google Drive-based C2 channels.


The threat actor’s operational target is not clear because, unfortunately, we haven’t been able to observe many live operations, and we couldn’t identify any overlap with known intrusion sets.


Thou shalt update plugins: attack synopsis


The watering holes have been set up on websites that belong to personalities, public bodies, charities and organizations of the targeted group. At the time of writing, some of these websites (all hosted on the same server) are still compromised and continue to direct selected visitors to malicious payloads:


| Domain | Description |
| --- | --- |
| *****corps.org | Voluntary service program |
| *****ct.org | Religious personality’s charity |
| *****policy.net | Policy institute |
| *****che.com | Religious personality |
| *****parliament.org | Public body |
| *****ialwork.org | Charity |
| *****nature.net | Environmental conservation network |
| *****airtrade.com | Fair trade organization |

Upon visiting one of the watering hole websites, a previously compromised but legitimately embedded resource loads a malicious JavaScript that is hosted on one of the water-holed websites. The script gathers information on the visitor, and an external server (see Fig. 1) then ascertains whether the visitor is a target.


Fig. 1. Target validation service request.
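As an added example (not code from the article or from Kaspersky), here is a defender-side check a site operator could run against the HTML the server actually serves: inventory every script tag on the page and diff it against a known-good snapshot, so that a loader injected into an embedded resource shows up as a new entry whether it comes from an outside host or, as described above, from one of the compromised sites themselves. The page contents and host names below are constructed for the demonstration.

```python
from html.parser import HTMLParser
import hashlib


class ScriptCollector(HTMLParser):
    # Records every <script> on a page: external ones by src URL, inline ones
    # by the SHA-256 of their body, so a modified inline script also shows up.
    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._in_inline, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.add(("external", src))
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode()
            self.scripts.add(("inline", hashlib.sha256(body).hexdigest()))
            self._in_inline = False


def script_inventory(html):
    """Set of ("external", src) / ("inline", sha256) entries found in the page."""
    p = ScriptCollector()
    p.feed(html)
    return p.scripts


def find_injected_scripts(current_html, baseline_html):
    """Scripts present in the fetched page but absent from the known-good
    snapshot, sorted so the report is stable between runs."""
    return sorted(script_inventory(current_html) - script_inventory(baseline_html))


# Constructed sample pages (placeholder hosts, not indicators from the article):
# a known-good page, and the same page after one extra script tag was appended
# to the head, the kind of injected loader the article describes.
BASELINE_HTML = ('<html><head><script src="https://cdn.charity.example/app.js"></script>'
                 '<script>var page = "home";</script></head><body>...</body></html>')
COMPROMISED_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="https://blog.charity.example/js/update.js"></script></head>')
```

Run `find_injected_scripts(COMPROMISED_HTML, BASELINE_HTML)` to see the injected entry; in practice the baseline snapshot should be taken from the served page rather than the CMS template, since the loader is injected into a legitimately embedded resource.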


If the visitor is validated as a target, ..
