Holy water: ongoing targeted water-holing attack in Asia

[harlan4096]

On December 4, 2019, we discovered watering hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings. This campaign has been active since at least May 2019, and targets an Asian religious and ethnic group.

The threat actor’s unsophisticated but creative toolset has been evolving a lot since the inception date, may still be in development, and leverages Sojson obfuscation, NSIS installer, Python, open-source code, GitHub distribution, Go language, as well as Google Drive-based C2 channels.

The threat actor’s operational target is not clear because, unfortunately, we haven’t been able to observe many live operations, and we couldn’t identify any overlap with known intrusion sets.

Thou shalt update plugins: attack synopsis

The watering holes have been set-up on websites that belong to personalities, public bodies, charities and organizations of the targeted group. At the time of writing, some of these websites (all hosted on the same server) are still compromised, and continue to direct selected visitors to malicious payloads:

Domain / Description
*****corps.org Voluntary service program
*****ct.org Religious personality’s charity
*****policy.net Policy institute
*****che.com Religious personality
*****parliament.org Public body
*****ialwork.org Charity
*****nature.net Environmental conservation network
*****airtrade.com Fair trade organization

Upon visiting one of the watering hole websites, a previously compromised but legitimately embedded resource will load a malicious JavaScript. It’s hosted by one of the water-holed websites, and gathers information on the visitor. An external server (see Fig. 1) then ascertains whether the visitor is a target.

If the visitor is validated as a target, the first JavaScript stage will load a second one, which in turn will trigger the drive-by download attack, showing a fake update pop-up.

The visitor is then expected to fall into the update trap, and download a malicious installer package that will set up a backdoor.

For nothing is hidden that will not come to light: technical analysis

1st JavaScript stage

The first JavaScript stage is named (script|jquery)-css.js, and is obfuscated with the Chinese-language web service Sojson, version 4

The payload leverages the RTCPeerConnection API and ipify service to fingerprint visitors. The gathered data is sent to loginwebmailnic.dynssl[.]com through HTTP GET requests, in order to validate the visitor as a target.

The JSON-formatted response, whose only key is “result”, can either be “t” or “f” (true or false). If the value is “f”, then nothing happens, while “t” will trigger the second JavaScript stage.

In a previous version of this first JavaScript script, an additional JavaScript payload was unconditionally loaded during the first stage, and proceeded with another branch of visitor validation and the second stage.

This other branch loaded scripts from root20system20macosxdriver.serveusers[.]com, and leveraged https://loginwebmailnic.dynssl[.]com/part/mac/contentmc.php URL to validate targets. The host and validation page names suggest this other branch may have been specifically targeting MacOS users, but we were unable to confirm this hypothesis.
...

Continue Reading