Dangerous holy water

Attackers are infecting users’ computers with a backdoor posing as an Adobe Flash Player update.

At the end of 2019, our experts uncovered a targeted attack that used the watering hole technique. Without deploying any sophisticated tricks or exploiting any vulnerabilities, the attackers infected user devices in Asia over a period of at least eight months. Based on the subject matter of the websites used to spread the malware, the attack was christened, yes, Holy Water. This is the second attack we have discovered in several months to use such tactics (see here for our researchers’ other find).

How did Holy Water infect user devices?

It appears that the attackers at some point compromised a server hosting Web pages belonging mainly to religious figures, public organizations, and charities. The cybercriminals embedded malicious scripts in the code of these pages, which were then used to carry out the attacks.

When users visited an infected page, the scripts used perfectly legitimate tools to collect data about them and forward it to a third-party server for validation. We don’t know how victims were selected, but if the information the server received marked the target as promising, it sent a command to continue the attack.

The next step involved a now-standard trick (in use for more than a decade): The user was prompted to update Adobe Flash Player, which was supposedly outdated and a security risk. If the victim consented, then instead of the promised update, the Godlike12 backdoor was downloaded to and installed on the computer.

The danger of Godlike12

The attack masterminds made active use of legitimate services, both for profiling victims and for storing the malicious code (the backdoor was hosted on GitHub). The backdoor itself communicated with its command-and-control (C&C) servers through Google Drive.

The backdoor placed an identifier in Google Drive storage and made regular calls to it to check for commands from the attackers. The results of executing such commands were also uploaded there. According to our experts, the attack’s purpose was reconnaissance and harvesting information from compromised devices.
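The polling behaviour described above is also what gives a defender something to look for: an implant that checks a cloud storage identifier on a timer contacts the service at near-constant intervals, whereas a person using Google Drive is bursty. As an added example (not code from the original post or from the Holy Water analysis), the script below scans constructed proxy log lines for clients whose Google Drive requests recur with low jitter; the log format, the hostnames treated as Drive traffic, and the thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real telemetry). Format assumed: "time client host path"
SAMPLE_LOG = """\
2020-01-10T09:00:00 10.0.0.5 www.googleapis.com /drive/v3/files
2020-01-10T09:00:00 10.0.0.7 www.googleapis.com /drive/v3/files
2020-01-10T09:05:01 10.0.0.5 www.googleapis.com /drive/v3/files
2020-01-10T09:07:40 10.0.0.7 www.googleapis.com /drive/v3/files/abc
2020-01-10T09:10:00 10.0.0.5 www.googleapis.com /drive/v3/files
2020-01-10T09:08:02 10.0.0.7 www.googleapis.com /upload/drive/v3/files
2020-01-10T09:15:01 10.0.0.5 www.googleapis.com /drive/v3/files
2020-01-10T09:20:00 10.0.0.5 www.googleapis.com /drive/v3/files
2020-01-10T09:41:15 10.0.0.7 www.googleapis.com /drive/v3/files
"""

# Hostnames treated as "Google Drive" traffic (assumption; extend for your proxy).
DRIVE_HOSTS = {"www.googleapis.com", "drive.google.com"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def drive_requests(log_text):
    """Group timestamps of requests to Drive hosts by client address."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash
        ts, client, host, _path = m.groups()
        if host in DRIVE_HOSTS:
            per_client[client].append(datetime.fromisoformat(ts))
    return per_client


def find_beacons(log_text, min_requests=4, max_jitter=0.1):
    """Return {client: mean_interval_s} for clients whose Drive requests recur
    at a near-constant interval. Jitter is stdev/mean of the gaps between
    consecutive requests: a timer-driven implant is regular, a person is bursty."""
    flagged = {}
    for client, times in drive_requests(log_text).items():
        if len(times) < min_requests:
            continue
        times.sort()  # proxy logs are not always in order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[client] = round(mean)
    return flagged
```

Running `find_beacons(SAMPLE_LOG)` flags only 10.0.0.5, which polls every five minutes, while 10.0.0.7's irregular listing, download and upload requests are left alone; in practice the interval threshold should be tuned against a baseline of normal Drive use on your network.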

For those interested in the technical details and the tools employed, see Securelist’s post on Holy Water, which also lists the indicators of compromise.

How to guard against it

So far, we have seen Holy Water only in Asia. However, the tools used in the campaign are quite simple and can be deployed elsewhere easily. Therefore, we recommend that all users take these recommendations seriously, regardless of their location.

We can’t say whether the attack is directed against certain individuals or organizations. But one thing is certain: Anyone can visit the infected sites from both home and work devices. Therefore, our core advice is to protect any device with Internet access. We offer security solutions for both personal and corporate computers. Our products detect and block all of the tools and techniques Holy Water’s creators use.