ESET researchers have discovered strategic web compromise (aka watering hole) attacks against high‑profile websites in the Middle East
Our curiosity was aroused by the nature of the targeted website and in the following weeks we noticed that other websites with connections to the Middle East started to be targeted. We traced the start of the campaign back to March 2020, when the piwiks[.]com domain was re-registered. We believe that the strategic web compromises only started in April 2020 when the website of the Middle East Eye (middleeasteye.net), a London-based digital news site covering the region, started to inject code from the piwiks[.]com domain.
At the end of July or the beginning of August 2020, all remaining compromised websites were cleaned; it is probable that the attackers themselves removed the malicious scripts from the compromised websites. The threat group went quiet until January 2021, when we observed a new wave of compromises. This second wave lasted until August 2021, when all websites were cleaned again. A few indicators from this second wave were shared on Twitter by a fellow researcher, which allows us to make a link with what Kaspersky tracks as Karkadann.
We detail the inner working of the compromises in the Technical analysis section, below, but it is worth noting that the final targets are specific visitors of those websites, who are likely to receive a browser exploit. The compromised websites are only used as a hop to reach the final targets.
We also uncovered interesting links with Candiru, detailed in the section Links between the watering holes, spearphishing documents and Candiru. Candiru is a private Israeli spyware firm that was recently added to the Entity List (entities subject to licensing restrictions) of the US Department of Commerce. This may prevent any US‑based organization from doing business with Candiru without first obtaining a license from the Department of Commerce.
At the time of writing, it seems that the operators are taking a pause, probably in order to retool and make their campaign stealthier. We expect to see them back in the ensuing months.
Our tracking shows that the operators are mostly interested in the Middle East, with a particular emphasis on Yemen. Table 1 shows the known targets in 2020 and 2021.
Table 1. Domains compromised during the first wave
|middleeasteye.net||piwiks[.]com||A UK-based online newspaper covering the Middle East.|
|piaggioaerospace.it||piwiks[.]com||An Italian aerospace company.|
|medica-tradefair[.]co||rebrandly[.]site||2020-07-09||2020-10-13||Fake website impersonating a German medical trade fair in Düsseldorf.|
|mfa.gov.ir||piwiks[.]com||2020-07-11||2020-07-13||Ministry of Foreign Affairs of Iran.|
|almanar.com.lb||rebrandly[.]site||2020-07-24||2020-07-30||Television channel linked to Hezbollah.|
|Ministry of Interior of Yemen.|
|Yemeni Television channel linked to the Ansar Allah movement (Houthis).|
|casi.gov.sy||hotjar[.]net||2021-02-01||Unknown||Central Authority for the Supervision and Inspection of Syria.|
|moe.gov.sy||hotjar[.]net||2021-02-01||Unknown||Syrian Ministry of Electricity.|
|Television channel linked to Hezbollah.|
|manartv.com.lb||webfx[.]bz||2021-02-03||2021-03-22||Television channel linked to Hezbollah.|
|mof.gov.ye||hotjar[.]net||2021-02-11||2021-07-14||Ministry of Finance of Yemen.|
|scs-net.org||hotjar[.]net||2021-03-07||Unknown||Internet Service Provider in Syria.|
|customs.gov.ye||livesesion[.]bid||2021-03-24||2021-06-16||Customs agency of Yemen.|
|A South African state-owned aerospace and military technology conglomerate.|
|yemen.net.ye||hotjar[.]net||2021-04-15||2021-08-04||Internet service provider in Yemen.|
|yemenparliament.gov.ye||hotjar[.]net||2021-04-20||2021-07-05||Parliament of Yemen.|
|yemenvision.gov.ye||hotjar[.]net||2021-04-21||2021-06-13||Yemeni government website.|
|mmy.ye||hotjar[.]net||2021-05-04||2021-08-19||Yemeni media linked to the Houthis.|
|thesaudireality.com||bootstrapcdn[.]net||2021-06-16||2021-07-23||Likely dissident media outlet in Saudi Arabia.|
|saba.ye||addthis[.]events||2021-06-18||Unknown||Yemeni news agency linked to Houthis. However, it seems it was taken over by the Southern Transitional Council in early June 2021, just before this website was compromised.|
medica-tradefair[.]co is the outlier in this list, as it was not compromised but was operated by the attackers themselves. It was hosted at ServerAstra, as were all the other C&C servers used in 2020.
As seen in Figure 2, the content doesn’t seem to have been modified. It is likely that attackers were not able to compromise the legitimate website and had to set up a fake one in order to inject their malicious code.
It is interesting to note that the malicious domains mimic genuine web analytics, URL shortener or content delivery network domains and URLs. This is a characteristic of this threat actor.
Technical analysis – Strategic web compromises
First wave – 2020
First stage – Injected script
In the cases of rebrandly[.]site injections, the additional scripts are loaded using HTML script tags, as seen in Figure 4.
Second stage – Fingerprinting script
reconnects.js and recon-api.js are almost identical; only the order of some lines or functions are changed. As shown in Figure 5, the malware authors tried to avoid raising suspicions by prepending their script with a copy of the jQuery Browser Plugin header. They were probably hoping that malware analysts would not scroll further.
The script first implements a function named geoip. It is automatically called by the GeoJS library, previously loaded, as mentioned on the official GeoJS website. The variable json contains the IP geolocation information. The script sends this JSON via an HTTP POST request to the C&C server at the URL https://rebrandly[.]site/reconnect-api.php. If the server returns an HTTP 200 status code, then the script proceeds to a function named main.
First, main gathers information such as the operating system version and the browser version using custom functions shown in Figure 6. They simply parse the browser User-Agent to extract information.
As shown in Figure 7, the function then checks whether the operating system is either Windows or macOS and only continues if so. This is interesting because it suggests that this operation is intended to compromise computers and not mobile devices such as smartphones. It also checks for a list of common web browsers: Chrome, Firefox, Opera, IE, Safari and Edge.
The script also encrypts a hardcoded value, 1122, although we don’t know for what purpose. Despite the function being named decrypt, it actually encrypts using RSA and the library JSEncrypt. The 1024-bit RSA key is hardcoded and set to:
—–BEGIN PUBLIC KEY—–
—–END PUBLIC KEY—–
Then, the script sends an HTTPS GET request to the C&C server rebrandly[.]site. The id parameter contains the fingerprint data and the last parameter value contains the country provided by the GeoJS library.
If the server returns a reply, it is decrypted using AES from the CryptoJS library, and a hardcoded key flcwsfjWCWEcoweijwf@#$@#$@#499299234@#$!@2. This key stayed the same, even after we tried a few requests.
The decrypted value is supposedly a URL and a new iframe pointing to this URL is created. We were unable to get any valid answer but we believe it leads to a browser remote code execution exploit that allows an attacker to take control of a machine.
Second wave – 2021
First stage – Injected script
In order to be a bit stealthier still, in this second wave, they started to modify scripts that were already on the compromised website. So instead of adding code to the main HTML page, they modified libraries such as wp-embed.min.js, as seen in Figure 8. They simply added a few lines at the end of https://www.smc.gov.ye/wp-includes/js/wp-embed.min.js to load a script from a server they control: https://visitortrack[.]net/sliders.js.
Another strategy used to limit their exposure is to create a cookie the first time the visitor executes the malicious script, as shown in Figure 9. As the script is conditionally injected depending on whether the cookie already exists, this will prevent further injections. This specific code was found on the website of the Syrian Central Authority for the [sic] Supervision and Inspection (casi.gov.sy).
From January to March 2021, for the second-stage script, the operators used a script based on the minAjax library. This is not a fingerprinting script per se as it doesn’t send any information about the browser or the operating system to the C&C server – an example is shown in Figure 10. It should be noted that very similar scripts are used by the LNKR adware, so a detection on this might lead to a high volume of false positives.
This script contains the current timestamp, t0, an expiration timestamp, ex, and two hashes juh and cs, whose significance we don’t know at present. These values are sent to the C&C server https://webfex[.]bz/f/gstats. If the reply is a JSON object and contains the fw key, the script issues a redirection to the URL contained in fw using parent.top.window.location.href. As with the first wave, we were not able to get any valid redirect.
In April 2021, this script was changed to FingerprintJS Pro. This is a commercial product whose developers have an official website shown in Figure 11.
As with the previous cases, we never got a valid redirect. We still believe it leads to a browser exploit and it shows that this campaign is highly targeted.
Spearphishing documents and links with Candiru
Reminder of the Citizen Lab publication
In the Citizen Lab Candiru blogpost, there is a section called A Saudi-Linked Cluster?. It mentions a spearphishing document that was uploaded to VirusTotal.
The C&C server used by this document is https://cuturl[.]space/lty7uw and VirusTotal captured a redirection from this URL to https://useproof[.]cc/1tUAE7A2Jn8WMmq/api. The domain useproof[.]cc was resolving to 109.70.236[.]107 and, according to the Citizen Lab, this server matched their so-called CF3 fingerprint for Candiru C&C servers. This domain was registered via Porkbun, as are most Candiru-owned domains.
Two domains resolving to the same IP address caught our attention:
The same second-level domains, with a different TLD, were used in the second wave of strategic web compromises. These two domains in the .cc TLD are most likely operated by Candiru too.
The Citizen Lab report mentions a few domains similar to cuturl[.]space, which we detail in Table 2.
Table 2. Domains similar to cuturl[.]space
|instagrarn[.]co||TLD Registrar Solutions||83.97.20[.]89||M247|
|cuturl[.]app||TLD Registrar Solutions||83.97.20[.]89||M247|
|url-tiny[.]co||TLD Registrar Solutions||83.97.20[.]89||M247|
These domain names mimic URL shorteners and the Instagram social media website and were registered through Njalla and TLD Registrar Solutions Ltd. This reminds us of the domains used for the strategic web compromises that are all variations of genuine web analytics websites and were also registered via Njalla.
We also independently confirmed that the servers to which these domains were resolving were configured in a similar fashion.
Thus, we believe that this set of websites is controlled by the same threat group that created the documents. Conversely, the domain useproof[.]cc is most likely operated in-house by Candiru and is used to deliver exploits.
Links between the watering holes, spearphishing documents and Candiru
Table 3 summarizes the characteristics of the watering holes, the documents found by Citizen Lab, and Candiru.
Table 3. Summary of links between the three clusters (watering holes, documents found by Citizen Lab and Candiru)
|Watering holes||Cluster of documents||Candiru|
|Registrars||Mainly Njalla||Njalla and TLD Registrar Solutions||Porkbun|
|Hosting providers||ServerAstra, Droptop, Neterra, Net Solutions, The Infrastructure Group, Sia Nano and FlokiNET||Droptop, M247 and Dotsi||M247, QuadraNet, etc.|
|Domain themes||Analytics and URL shortener services||URL shortener services||Analytics, URL shortener services, media outlets, tech companies, government contractors, etc.|
|Victimology||Middle East||Middle East||Middle East, Armenia, Albania, Russia, Uzbekistan, etc.|
|Targeted platforms||Windows and macOS||Windows||Windows and macOS|
|TTPs||Strategic web compromises||Malicious documents with Document_Open macros||Malicious documents and fake shortened URLs redirecting to exploits and the DevilsTongue implant.|
What is interesting to note is that the watering holes are limited to a quite narrow victimology. We also noted that domains known to be operated by Candiru (webfx[.]cc for example) are very similar to domains used for the watering holes (webfx[.]bz). However, they were not registered in the same fashion and their servers are configured very differently.
In July 2021, Google published a blogpost providing details on exploits used by Candiru. It includes CVE‑2021-21166 and CVE-2021-30551 for Chrome and CVE-2021-33742 for Internet Explorer. They are full remote code execution exploits that allow an attacker to take control of a machine by making the victim visit a specific URL that then delivers the exploit. This shows Candiru has the capabilities to exploit browsers in a watering hole attack.
Hence, we believe that the watering holes behave similarly to the documents. The first C&C server, injected in the compromised websites, would redirect to another C&C server, owned by a spyware firm such as Candiru and delivering a browser exploit.
Based on this information, we assess:
- with low confidence that the creators of the documents and the operators of the watering holes are the same.
- with medium confidence that the operators of the watering holes are customers of Candiru.
This report describes two strategic web compromise campaigns targeting high-profile organizations in the Middle East, with a strong focus on Yemen. We also revealed links to Candiru, a spyware firm, that sells state‑of‑the‑art offensive software tools and related services to government agencies.
We were unable to get an exploit and the final payload. This shows that the operators choose to narrow the focus of their operations and that they don’t want to burn their zero-day exploits.
We stopped seeing activity from this operation at the end of July 2021, shortly after the release of blogposts by the Citizen Lab, Google and Microsoft detailing the activities of Candiru.
A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.
For any inquiries, or to make sample submissions related to the subject, contact us at email@example.com.
Indicators of Compromise
Legitimate, historically compromised websites
|Compromised website||From||To (treat as a lower bound)|
|Domain||IP||First seen||Last seen||Details|
|piwiks[.]com||91.219.236[.]38||Watering hole C&C server.|
|Watering hole C&C server.|
|medica-tradefair[.]co||18.104.22.168||2021-06-28||2021-10-20||Fake website impersonating a German medical conference.|
|site-improve[.]net||185.165.171[.]105||2021-01-06||2021-07-21||Watering hole C&C server.|
|visitortrack[.]net||87.121.52[.]252||2021-01-06||2021-10-06||Watering hole C&C server.|
|webfx[.]bz||94.140.114[.]247||2021-01-06||2021-03-24||Watering hole C&C server.|
|hotjar[.]net||5.206.224[.]226||2021-01-07||2021-08-02||Watering hole C&C server.|
|webffx[.]bz||83.171.236[.]3||2021-02-21||2021-03-27||Watering hole C&C server.|
|livesesion[.]bid||87.120.37[.]237||2021-03-17||2021-07-28||Watering hole C&C server.|
|webfex[.]bz||45.77.192[.]33||2021-02-26||N/A||Watering hole C&C server.|
|bootstrapcdn[.]net||188.93.233[.]162||2021-04-28||2021-07-28||Watering hole C&C server.|
|addthis[.]events||83.171.236[.]247||2021-04-29||2021-07-28||Watering hole C&C server.|
|cuturl[.]app||83.97.20[.]89||2020-11-02||2021-01-20||Malicious document C&C server.|
|cuturl[.]space||83.171.236[.]166||2021-01-25||2021-04-23||Malicious document C&C server.|
|useproof[.]cc||109.70.236[.]107||2020-11-25||2021-02-19||Candiru exploit delivery server.|
|4F824294BBECA4F4ABEEDE8648695EE1D815AD53||N/A||https://cuturl[.]app/sot2qq||Document with VBA macro.|
|96AC97AB3DFE0458B2B8E58136F1AAADA9CCE30B||copy_02162021q.doc||https://cuturl[.]space/lty7uw||Document with malicious VBA macro.|
|DA0A10084E6FE57405CA6E326B42CFD7D0255C79||seeIP.doc||https://cuturl[.]space/1hm39t||Document with VBA macro.|
MITRE ATT&CK techniques
This table was built using version 10 of the MITRE ATT&CK framework.
|Resource Development||T1583.001||Acquire Infrastructure: Domains||The operators bought domain names from multiple registrars, including Njalla.|
|T1583.004||Acquire Infrastructure: Server||The operators rented servers from multiple hosting companies. In 2020, they rented servers mainly from ServerAstra.|
|T1584.004||Compromise Infrastructure: Server||The operators compromised several high-profile websites.|
|T1588.001||Obtain Capabilities: Malware||The operators probably bought access to Candiru implants.|
|T1588.005||Obtain Capabilities: Exploits||The operators probably bought access to Candiru exploits.|
|Initial Access||T1189||Drive-by Compromise||Visitors to compromised websites may have received an exploit after their browser was fingerprinted.|
|T1566.001||Phishing: Spearphishing Attachment||The operators sent spearphishing emails with malicious Word documents.|
|Execution||T1059.005||Command and Scripting Interpreter: Visual Basic||The Word documents contain a VBA macro running code using the Document_Open function.|
|Command and Control||T1071.001||Application Layer Protocol: Web Protocols||The watering hole scripts communicate via HTTPS with the C&C servers.|