
Holy Water APT

Posted: August 12, 2020

The Asian region is home to many Advanced Persistent Threat (APT) actors, operating in different areas and targeting different sectors. Malware researchers regularly publish reports on the activities of APT groups based in China, India, Iran, Iraq, North Korea, and other countries represented in the cyber-crime field. One of the newly identified and categorized APT actors is the so-called Holy Water APT. Its specialty appears to be 'watering hole' attacks, which deliver payloads through websites that visitors believe to be trustworthy. In December 2019, the Holy Water APT executed a large-scale watering hole attack that delivered threatening software via a bogus Adobe Flash Player updater; the campaign in question focused on specific religious and ethnic groups in the Asia region.

The Holy Water APT Small Arsenal Consists of the Godlike12 and Stitch Backdoor Trojans

The Holy Water APT employs various tools in its attacks, but two samples stand out as ever-present in this group's operations: the Godlike12 Backdoor implant and a modified version of the Stitch Backdoor Trojan. The latter is an open-source Python project whose author states that it is explicitly meant for educational purposes. Unfortunately, opportunistic cybercriminals like the Holy Water APT members do not hesitate to hijack such projects and modify them to suit their needs. The Godlike12 Backdoor, on the other hand, appears to be a custom-built Trojan developed in the Google Go programming language. It also uses the popular Google Drive service as a makeshift Command-and-Control (C2) server, communicating through specially crafted pages.

The watering hole attack executed in December 2019 was carried out through fake updaters hosted on legitimate websites that had been compromised. According to a security report, the pages used by the Holy Water APT were related to various charities, religious personas, politics, environmental conservation and trading.

Holy Water APT is responsible for one of the more impressive watering hole attacks in the past decade. Unfortunately, it does not seem like the group's members are planning on retiring anytime soon. Cybersecurity experts continue to identify newly updated implants and newly created C2 pages.
