Holy Water APT

Holy Water APT Description

Holy Water APT is the name given to a group of cybercriminals that conducted a series of watering-hole attacks against an Asian religious and ethnic group. The TTPs (Tactics, Techniques and Procedures) of this particular campaign could not be attributed to any already known APT (Advanced Persistent Threat) actor, which led the researchers to conclude that this is a new cybercriminal group with the characteristics of a small, flexible team of hackers.

To conduct a watering-hole attack, the criminals compromise several websites that the intended targets visit frequently. The sites can belong to organizations, charities or influential individuals associated with the targeted group. All of the websites compromised by Holy Water were hosted on the same server and included those of a religious personality, a charity, a voluntary service program and a fair trade organization, among others.

The Attack Included Multiple Stages

Upon visiting a compromised website, the visitor enters the first attack stage, which consists of a malicious JavaScript file named (script|jquery)-css.js, obfuscated with Sojson, a Chinese Web-based obfuscation service. This script's role is to determine whether the visitor is a valid target; to do so, it collects data about the visitor and sends it to an external server at loginwebmailnic.dynssl[.]com through HTTP GET requests.

The server responds with a true or false result; if the value is true, the next stage of the attack is triggered, otherwise nothing further happens.

The second stage loads a JavaScript file named (script|jquery)-file.js, again obfuscated with Sojson, this time version 5 rather than version 4. To infect the user, the Holy Water APT does not exploit any software vulnerability or weakness. Instead, a pop-up window offering a Flash Player update is displayed, and the potential victim has to agree to download the file.

Holy Water APT's Arsenal of Malware Tools was Hosted on GitHub

If the user allows the fake Flash update to proceed, it connects to a GitHub repository, since taken down, located at github.com/AdobeFlash32/FlashUpdate. Four different sets of tools were stored at that location: an installer package, a backdoor that the researchers named Godlike12, and two versions of an open-source Python backdoor known as Stitch, which the attackers modified with expanded functionality. The update package is an NSIS installer that drops a legitimate Windows Flash Player installer together with a stager used to load the actual payload. The Godlike12 backdoor is written in Go and implements a Google Drive channel to the Command and Control (C&C, C2) servers. The Stitch variants, in addition to the usual backdoor capabilities such as information and password collection, activity logging and file download, were given the ability to download a legitimate Adobe Flash installation program, to auto-update themselves from ubntrooters.serveuser.com, and to achieve persistence by leveraging scheduled tasks.
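The stages above leave a recognisable trail in web proxy logs: a hit on the first-stage script, a GET to the fingerprinting server, the second-stage script, and finally a download from the tool repository. The following scanner is an added example written for this page, not code from the researchers; it assumes a constructed "timestamp client method url" log format, and it reads the (script|jquery) notation from the write-up as meaning either script-css.js or jquery-css.js (and likewise for -file.js).

```python
import re
from collections import defaultdict

# Indicators taken from the write-up above (domains are defanged there with [.]).
INDICATOR_HOSTS = {
    "loginwebmailnic.dynssl.com": "stage1-fingerprint-c2",   # visitor data sent here via GET
    "ubntrooters.serveuser.com": "stitch-autoupdate",         # modified Stitch self-update source
}
TOOL_REPO = "github.com/AdobeFlash32/FlashUpdate"
# Assumption: (script|jquery)-css.js / -file.js denote either name; matched at end of path.
STAGE_SCRIPT = re.compile(r"/(?:script|jquery)-(css|file)\.js(?:\?|$)")

# Constructed sample proxy log (not real traffic): "<ts> <client_ip> <method> <url>"
SAMPLE_LOG = """\
1583300000 10.0.0.5 GET https://charity.example.org/index.html
1583300001 10.0.0.5 GET https://charity.example.org/js/jquery-css.js
1583300002 10.0.0.5 GET https://loginwebmailnic.dynssl.com/check?ua=Mozilla&lang=en
1583300003 10.0.0.5 GET https://charity.example.org/js/script-file.js
1583300010 10.0.0.5 GET https://github.com/AdobeFlash32/FlashUpdate/raw/master/update.exe
1583300020 10.0.0.9 GET https://www.example.com/jquery.min.js
"""

def classify(url):
    """Return a stage label for one URL, or None when it matches no indicator."""
    m = re.match(r"https?://([^/]+)", url)
    host = m.group(1).lower() if m else ""
    if host in INDICATOR_HOSTS:
        return INDICATOR_HOSTS[host]
    if TOOL_REPO in url:
        return "stage3-tool-download"
    m = STAGE_SCRIPT.search(url)
    if m:
        return "stage1-script" if m.group(1) == "css" else "stage2-script"
    return None

def scan_log(text):
    """Map client IP -> ordered list of (timestamp, stage, url) for matching lines."""
    hits = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than fail the whole scan
        ts, client, _method, url = parts
        stage = classify(url)
        if stage:
            hits[client].append((int(ts), stage, url))
    return dict(hits)

def infected_clients(hits):
    """Clients that reached the tool download, i.e. accepted the fake Flash update."""
    return sorted(c for c, h in hits.items() if any(s == "stage3-tool-download" for _, s, _ in h))
```

A client that only shows the first-stage script and the fingerprinting GET was profiled but not necessarily served the second stage; the tool-repository hit is the signal that the fake update was actually accepted.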
