Holy Water APT Description
Holy Water APT is the name given to a group of cybercriminals that conducted a series of watering-hole attacks against an Asian religious and ethnic group. The TTPs (Tactics, Techniques and Procedures) of this campaign could not be attributed to any known APT (Advanced Persistent Threat) actor, which led the researchers to conclude that this is a new cybercriminal group with the characteristics of a small, flexible team of hackers.
To conduct a watering-hole attack, the criminals compromise several websites that the intended targets visit frequently. The sites can belong to organizations, charities or influential individuals from the targeted group. All of the websites compromised by Holy Water were hosted on the same server and included those of a religious personality, a charity, a voluntary service program and a fair trade organization, among others.
The Attack Included Multiple Stages
The response from the server is a true or false result; if the value is true, the next stage of the attack is triggered, otherwise nothing happens.
Holy Water APT's Arsenal of Malware Tools was Hosted on GitHub
If the user allows the fake Flash update to proceed, it connects to a GitHub repository, no longer active, located at github.com/AdobeFlash32/FlashUpdate. Four different sets of tools were stored there: an installer package, a backdoor that the researchers named Godlike12, and two versions of an open-source Python backdoor known as Stitch, which the attackers modified with expanded functionality. The update package is an NSIS installer that drops a legitimate Windows Flash Player installer and a stager tool used to load the actual payload. The Godlike12 backdoor is written in Go and implements a Google Drive channel to the Command and Control (C&C, C2) servers. As for the Stitch backdoor variants, in addition to the usual backdoor activities such as information and password collection, activity logging and file download, the Holy Water group added the ability to download a legitimate Adobe Flash installation program, to auto-update itself from ubntrooters.serveuser.com, and to achieve persistence through scheduled tasks.
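As an added example, not part of the original write-up or any researcher's tooling, the script below replays constructed proxy and scheduled-task log lines and flags the chain described above: a download from the github.com/AdobeFlash32/FlashUpdate staging repository, a later check-in to ubntrooters.serveuser.com, and a scheduled task created by a user who already touched one of those indicators. The log format, user names and file paths are assumptions made up for the example.

```python
from collections import defaultdict

# Indicators named in the write-up above: the GitHub repository that hosted the
# tooling and the host the modified Stitch backdoor auto-updated from.
STAGING_REPO = ("github.com", "/AdobeFlash32/FlashUpdate")
UPDATE_HOST = "ubntrooters.serveuser.com"

# Constructed sample logs in a made-up "ts kind key=value ..." format.
SAMPLE_LOGS = r"""
2020-03-02T09:14:03Z proxy user=alice host=github.com url=/AdobeFlash32/FlashUpdate/raw/master/update.exe
2020-03-02T09:15:30Z task user=bob name=Backup cmd=C:\Tools\backup.exe
2020-03-02T09:16:41Z task user=alice name=AdobeFlashUpdate cmd=C:\Users\alice\AppData\Local\flashupdate.exe
2020-03-02T09:20:00Z proxy user=bob host=github.com url=/someorg/somerepo/releases
2020-03-03T11:02:10Z proxy user=alice host=ubntrooters.serveuser.com url=/update
""".strip().splitlines()

def parse(line):
    """Split one constructed log line into a dict of its fields."""
    ts, kind, *fields = line.split()
    ev = {"ts": ts, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev

def stage_of(ev):
    """Map an event onto a stage of the Holy Water chain, or None."""
    if ev["kind"] == "proxy":
        if ev["host"] == STAGING_REPO[0] and ev["url"].startswith(STAGING_REPO[1]):
            return "tooling fetched from staging repo"
        if ev["host"] == UPDATE_HOST:
            return "backdoor auto-update"
    elif ev["kind"] == "task":
        return "scheduled task created"
    return None

def hunt(lines):
    """Return {user: [(ts, stage), ...]} for users that touched an indicator.
    Scheduled tasks are common, so a task is only reported when the same user
    already fetched tooling from the staging repo or checked in for an update."""
    seen = defaultdict(list)
    for ev in map(parse, lines):
        stage = stage_of(ev)
        if stage is None:
            continue
        if stage == "scheduled task created" and not seen[ev["user"]]:
            continue  # persistence without a preceding indicator hit: not reported
        seen[ev["user"]].append((ev["ts"], stage))
    return {user: stages for user, stages in seen.items() if stages}

if __name__ == "__main__":
    for user, stages in hunt(SAMPLE_LOGS).items():
        print(user, stages)
```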