ESET Finds Candiru Campaign On UK, Middle East Websites

ESET Research has discovered watering hole attacks on websites in the UK and Middle East with links to Candiru spyware.

Earlier this month the United States added Israeli surveillance specialist NSO Group, and another Israeli spyware firm Candiru, to its Entity list.

It also added a Russian firm and a business in Singapore to the trade blacklist.

Now ESET researchers have found strategic web compromise (aka watering hole) attacks against high-profile websites in the Middle East, the UK and elsewhere.

Website compromises

ESET undercovered a campaign of strategic web compromises targeting the websites of media, government, internet service providers (ISPs) and aerospace/military tech companies, with links to the Middle East and a strong focus on Yemen and the surrounding conflict.

The targets are said to be located in the Middle East: Iran, Saudi Arabia, Syria, Yemen; in Europe: Italy, UK; and in South Africa.

The attackers also created a website mimicking a medical trade fair in Germany.

And ESET researchers said the campaign has strong links to Candiru, the mysterious Israeli spyware firm recently blacklisted by the US Department of Commerce, that sells state-of-the-art offensive software tools and services to government agencies.

So who was compromised?

Well, ESET says the compromised websites belong to media outlets in the UK, Yemen, and Saudi Arabia, as well as to Hezbollah; to government institutions in Iran (Ministry of Foreign Affairs), Syria (including the Ministry of Electricity), and Yemen (including the Ministries of Interior and Finance); to internet service providers in Yemen and Syria; and to aerospace/military technology companies in Italy and South Africa.

Watering hole attacks

A watering hole attack compromises websites that are likely to be visited by targets of interest, thus opening the door to the infestation of a website visitor’s machine.

In this campaign, specific visitors of these websites were likely attacked via a browser exploit.

However, ESET researchers were unable to get hold of either an exploit or the final payload.

This shows that the threat actors have chosen to narrow the focus of their operations and don’t want to burn their zero-day exploits, demonstrating how highly targeted this campaign is, ESET stated.

The compromised websites are only used as a jumping-off point to reach the final targets.

Attack vectors

“Back in 2018, we developed a custom in-house system to uncover watering holes on high-profile websites,” said ESET researcher Matthieu Faou, who uncovered the watering hole campaigns.

“On July 11, 2020, our system notified us that the website of the Iranian embassy in Abu Dhabi had been tainted with malicious JavaScript code,” said Faou. “Our curiosity was aroused by the high-profile nature of the targeted website, and in the following weeks we noticed that other websites with connections to the Middle East were also targeted.”

“The threat group went quiet until January 2021, when we observed a new wave of compromises,” Faou added. “This second wave lasted until August 2021, when all websites were cleaned again as was the case in 2020 – likely by the perpetrators themselves.”

“The attackers also mimicked a website belonging to the World Forum for Medicine’s MEDICA Trade Fair held in Düsseldorf, Germany,” said Faou. “The operators cloned the original website and added a small piece of JavaScript code. It is likely that the attackers were not able to compromise the legitimate website and had to set up a fake one in order to inject their malicious code.”

During the 2020 campaign, ESET said that the malware checked the operating system and web browser. As the selection process was based on computer software, the campaign was not targeting mobile devices. In the second wave, in order to be a bit stealthier, the attackers started to modify scripts that were already on the compromised websites.

“In a blogpost about Candiru by Citizen Lab at the University of Toronto, the section called ‘A Saudi-Linked Cluster?’ mentions a spear phishing document that was uploaded to Virus Total and multiple domains operated by the attackers. The domain names are variations of genuine URL shorteners and web analytics websites, which is the same technique used for the domains being seen in the watering hole attacks,” explains Faou, linking the attacks to Candiru.

Therefore, there is a significant likelihood that the operators of the watering hole campaigns are customers of Candiru,” said ESET. The creators of the documents and the operators of the watering holes are also potentially the same.

The good news is that ESET stopped seeing activity from this operation at the end of July 2021, shortly after the release of blogposts by the Citizen Lab, Google, and Microsoft detailing the activities of Candiru.

ESET said that the operators appear to be taking a pause, probably in order to retool and make their campaign stealthier, but it expects them back in the ensuing months.