# Strategic web compromises in the Middle East with a pinch of Candiru **[welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/](https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/)** November 16, 2021 ESET researchers have discovered strategic web compromise (aka watering hole) attacks against high‑profile websites in the Middle East [Matthieu Faou](https://www.welivesecurity.com/author/mfaou/) 16 Nov 2021 - 04:34PM ESET researchers have discovered strategic web compromise (aka watering hole) attacks against high‑profile websites in the Middle East Back in 2018, ESET researchers developed a custom in-house system to uncover watering hole attacks (aka strategic web compromises) on high-profile websites. On July 11, 2020 it notified us that the website of the Iranian embassy inth Abu Dhabi had been modified and had started injecting JavaScript code from https://piwiks[.]com/reconnect.js, as shown in Figure 1. ----- _Figure 1. Script injection on the website of the Iranian Embassy in Abu Dhabi_ Our curiosity was aroused by the nature of the targeted website and in the following weeks we noticed that other websites with connections to the Middle East started to be targeted. We traced the start of the campaign back to March 2020, when the piwiks[.]com domain was re-registered. We believe that the strategic web compromises only started in April 2020 when the website of the Middle East Eye (middleeasteye.net), a London-based digital news site covering the region, started to inject code from the piwiks[.]com domain. At the end of July or the beginning of August 2020, all remaining compromised websites were cleaned; it is probable that the attackers themselves removed the malicious scripts from the compromised websites. The threat group went quiet until January 2021, when we observed a new wave of compromises. This second wave lasted until August 2021, when all [websites were cleaned again. A few indicators from this second wave were shared on Twitter by a fellow researcher,](https://twitter.com/felixaime/status/1417928699513610241) which allows us to make a link with what Kaspersky tracks as Karkadann. We detail the inner working of the compromises in the Technical analysis section, below, but it is worth noting that the final targets are specific visitors of those websites, who are likely to receive a browser exploit. The compromised websites are only used as a hop to reach the final targets. We also uncovered interesting links with Candiru, detailed in the section Links between the watering holes, spearphishing _[documents and Candiru. Candiru is a private Israeli spyware firm that was recently added to the Entity List (entities](https://www.commerce.gov/news/press-releases/2021/11/commerce-adds-nso-group-and-other-foreign-companies-entity-list)_ subject to licensing restrictions) of the US Department of Commerce. This may prevent any US‑based organization from doing business with Candiru without first obtaining a license from the Department of Commerce. At the time of writing, it seems that the operators are taking a pause, probably in order to retool and make their campaign stealthier. We expect to see them back in the ensuing months. ## Targeting Our tracking shows that the operators are mostly interested in the Middle East, with a particular emphasis on Yemen. Table 1 shows the known targets in 2020 and 2021. _Table 1. Domains compromised during the first wave_ **Compromised website** **C&C** **From** **To** **Detail** ----- **Compromised website** **C&C** **From** **To** **Detail** middleeasteye.net piwiks[.]com 2020‑04‑04 2020‑04‑06 A UK-based online newspaper covering the Middle East. piaggioaerospace.it piwiks[.]com 2020-07-08 2020-11-05 An Italian aerospace company. medica-tradefair[.]co rebrandly[.]site 2020-07-09 2020-10-13 Fake website impersonating a German medical trade fair in Düsseldorf. mfa.gov.ir piwiks[.]com 2020-07-11 2020-07-13 Ministry of Foreign Affairs of Iran. almanar.com.lb rebrandly[.]site 2020-07-24 2020-07-30 Television channel linked to Hezbollah. smc.gov.ye visitortrack[.]net hotjar[.]net almasirahnews.com visitortrack[.]net hotjar[.]net 2021-01-18 2021-04-21 2021-01-25 2021-04-21 2021-04-14 2021-07-30 2021-03-25 2021-07-17 Ministry of Interior of Yemen. Yemeni Television channel linked to the Ansar Allah movement (Houthis). casi.gov.sy hotjar[.]net 2021-02-01 Unknown Central Authority for the Supervision and Inspection of Syria. moe.gov.sy hotjar[.]net 2021-02-01 Unknown Syrian Ministry of Electricity. almanar.com.lb webfx[.]bz webffx[.]bz webffx[.]bz 2021-02-03 2021-03-12 2021-03-24 2021-02-23 2021-03-24 2021-03-25 Television channel linked to Hezbollah. manartv.com.lb webfx[.]bz 2021-02-03 2021-03-22 Television channel linked to Hezbollah. mof.gov.ye hotjar[.]net 2021-02-11 2021-07-14 Ministry of Finance of Yemen. scs-net.org hotjar[.]net 2021-03-07 Unknown Internet Service Provider in Syria. customs.gov.ye livesesion[.]bid 2021-03-24 2021-06-16 Customs agency of Yemen. denel.co.za pmp.co.za deneldynamics.co.za denellandsystems.co.za denelaviation.co.za site-improve[.]net 2021-03-31 2021-03-31 2021-04-03 2021-04-04 2021-04-07 2021-07-22 Unknown 2021-07-27 2021-07-23 2021-07-19 A South African state-owned aerospace and military technology conglomerate. yemen.net.ye hotjar[.]net 2021-04-15 2021-08-04 Internet service provider in Yemen. yemenparliament.gov.ye hotjar[.]net 2021-04-20 2021-07-05 Parliament of Yemen. yemenvision.gov.ye hotjar[.]net 2021-04-21 2021-06-13 Yemeni government website. mmy.ye hotjar[.]net 2021-05-04 2021-08-19 Yemeni media linked to the Houthis. thesaudireality.com bootstrapcdn[.]net 2021-06-16 2021-07-23 Likely dissident media outlet in Saudi Arabia. saba.ye addthis[.]events 2021-06-18 Unknown Yemeni news agency linked to Houthis. However, it seems it was taken over by the Southern Transitional Council in early June 2021, just before this website was compromised. medica-tradefair[.]co is the outlier in this list, as it was not compromised but was operated by the attackers themselves. It was hosted at ServerAstra, as were all the other C&C servers used in 2020. It mimics the legitimate website medica-tradefair.com, which is the website of the World Forum for Medicine’s MEDICA Trade Fair held in Düsseldorf (Germany) each year. The operators simply cloned the original website and added a small piece of JavaScript code. ----- As seen in Figure 2, the content doesn t seem to have been modified. It is likely that attackers were not able to compromise the legitimate website and had to set up a fake one in order to inject their malicious code. _Figure 2. Cloned version of the Medica Trade Fair website_ It is interesting to note that the malicious domains mimic genuine web analytics, URL shortener or content delivery network domains and URLs. This is a characteristic of this threat actor. ## Technical analysis – Strategic web compromises ### First wave – 2020 **_First stage – Injected script_** All compromised websites were injecting JavaScript code from the attacker-controlled domains piwiks[.]com and rebrandly[.]site. In the first known case, the injection is as shown in Figure 3. ----- _Figure 3. Script injection on the website of the Iranian Embassy in Abu Dhabi_ This injection loads a remote JavaScript named reconnects.js and a legitimate third-party library, GeoJS, for IP geolocation lookup. In the cases of rebrandly[.]site injections, the additional scripts are loaded using HTML script tags, as seen in Figure 4. _Figure 4. Script injected into the medica-tradefair[.]co website_ **_Second stage – Fingerprinting script_** reconnects.js and recon-api.js are almost identical; only the order of some lines or functions are changed. As shown in Figure 5, the malware authors tried to avoid raising suspicions by prepending their script with a copy of the jQuery Browser Plugin header. They were probably hoping that malware analysts would not scroll further. ----- _Figure 5. Beginning of the fingerprinting script used in the first wave_ The script first implements a function named geoip. It is automatically called by the GeoJS library, previously loaded, as [mentioned on the official GeoJS website. The variable json contains the IP geolocation information. The script sends this](https://www.geojs.io/) JSON via an HTTP POST request to the C&C server at the URL https://rebrandly[.]site/reconnect-api.php. If the server returns an HTTP 200 status code, then the script proceeds to a function named main. First, main gathers information such as the operating system version and the browser version using custom functions shown in Figure 6. They simply parse the browser User-Agent to extract information. ----- _Figure 6. OS and browser fingerprinting functions_ As shown in Figure 7, the function then checks whether the operating system is either Windows or macOS and only continues if so. This is interesting because it suggests that this operation is intended to compromise computers and not mobile devices such as smartphones. It also checks for a list of common web browsers: Chrome, Firefox, Opera, IE, Safari and Edge. _Figure 7. The main function of the fingerprinting script used in the first wave_ The script also encrypts a hardcoded value, 1122, although we don’t know for what purpose. Despite the function being named decrypt, it actually encrypts using RSA and the library JSEncrypt. The 1024-bit RSA key is hardcoded and set to: ----- BEGIN PUBLIC KEY MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhIxVX6QGlxe1mrkPCgBtz8bWH nzmek4He5caAE2sH2TFnXN1VdqpxMaJSi+dj9sbqHu0tSYd+5tU20514jlEOX6/D yFFPCoOvx5TzAm+AkSmevUuMsfZTifK+wQRxRhiuMk2UbnVCVQS0CJDoPTl8Blsp 1oCEF2Kz7uIb0pea3QIDAQAB —–END PUBLIC KEY—– Then, the script sends an HTTPS GET request to the C&C server rebrandly[.]site. The id parameter contains the fingerprint data and the last parameter value contains the country provided by the GeoJS library. If the server returns a reply, it is decrypted using AES from the CryptoJS library, and a hardcoded key flcwsfjWCWEcoweijwf@#$@#$@#499299234@#$!@2. This key stayed the same, even after we tried a few requests. The decrypted value is supposedly a URL and a new iframe pointing to this URL is created. We were unable to get any valid answer but we believe it leads to a browser remote code execution exploit that allows an attacker to take control of a machine. ### Second wave – 2021 In January 2021, a new wave of attacks started. The attackers created an entirely new network infrastructure and changed all their JavaScript code. **_First stage – Injected script_** In order to be a bit stealthier still, in this second wave, they started to modify scripts that were already on the compromised website. So instead of adding code to the main HTML page, they modified libraries such as wp-embed.min.js, as seen in Figure 8. They simply added a few lines at the end of https://www.smc.gov.ye/wp-includes/js/wp-embed.min.js to load a script from a server they control: https://visitortrack[.]net/sliders.js. _Figure 8. Injected script used in the second wave_ Another strategy used to limit their exposure is to create a cookie the first time the visitor executes the malicious script, as shown in Figure 9. As the script is conditionally injected depending on whether the cookie already exists, this will prevent further injections. This specific code was found on the website of the Syrian Central Authority for the [sic] Supervision and Inspection (casi.gov.sy). _Figure 9. Cookie creation to avoid further requests_ **_Second stage_** ----- [From January to March 2021, for the second stage script, the operators used a script based on the minAjax library. This is](https://github.com/flouthoc/minAjax.js) not a fingerprinting script per se as it doesn’t send any information about the browser or the operating system to the C&C [server – an example is shown in Figure 10. It should be noted that very similar scripts are used by the LNKR adware, so a](https://www.netskope.com/fr/blog/lnkr-makes-a-comeback-this-ads-for-us) detection on this might lead to a high volume of false positives. _Figure 10. Second-stage script of the second wave_ This script contains the current timestamp, t0, an expiration timestamp, ex, and two hashes juh and cs, whose significance we don’t know at present. These values are sent to the C&C server https://webfex[.]bz/f/gstats. If the reply is a JSON object and contains the fw key, the script issues a redirection to the URL contained in fw using parent.top.window.location.href. As with the first wave, we were not able to get any valid redirect. [In April 2021, this script was changed to FingerprintJS Pro. This is a commercial product whose developers have an](https://fingerprintjs.com/) official website shown in Figure 11. ----- _Figure 11. Home page of FingerprintJS_ In comparison to the fingerprinting script used in 2020, this is far more complex because it retrieves the default language, the list of fonts supported by the browser, the time zone, the list of browser plugins, the local IP addresses using RTCPeerConnection, and so on. Network communications with the C&C server are encrypted with an AES session key. As shown in Figure 12, the server can return JavaScript code that will be executed in the context of the current web page. _Figure 12. FingerprintJS Pro adds JavaScript code to the current page_ As with the previous cases, we never got a valid redirect. We still believe it leads to a browser exploit and it shows that this campaign is highly targeted. ### Spearphishing documents and links with Candiru **_Reminder of the Citizen Lab publication_** In the _[Citizen Lab Candiru blogpost, there is a section called A Saudi-Linked Cluster?. It mentions](https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/)_ _a spearphishing_ _document that was uploaded to VirusTotal._ ----- The C&C server used by this document is https://cuturl[.]space/lty7uw and VirusTotal captured a redirection from this URL to https://useproof[.]cc/1tUAE7A2Jn8WMmq/api. The domain useproof[.]cc was resolving to 109.70.236[.]107 and, according to the Citizen Lab, this server matched their so-called CF3 fingerprint for Candiru C&C servers. This domain was registered via Porkbun, as are most Candiru-owned domains. Two domains resolving to the same IP address caught our attention: webfx[.]cc engagebay[.]cc The same second-level domains, with a different TLD, were used in the second wave of strategic web compromises. These two domains in the .cc TLD are most likely operated by Candiru too. The Citizen Lab report mentions a few domains similar to cuturl[.]space, which we detail in Table 2. _Table 2. Domains similar to cuturl[.]space_ **Domain** **Registrar** **IP** **Hosting Provider** llink[.]link Njalla 83.171.237[.]48 Droptop instagrarn[.]co TLD Registrar Solutions 83.97.20[.]89 M247 cuturl[.]app TLD Registrar Solutions 83.97.20[.]89 M247 url-tiny[.]co TLD Registrar Solutions 83.97.20[.]89 M247 bitly[.]tel Njalla 188.93.233[.]149 Dotsi These domain names mimic URL shorteners and the Instagram social media website and were registered through Njalla and TLD Registrar Solutions Ltd. This reminds us of the domains used for the strategic web compromises that are all variations of genuine web analytics websites and were also registered via Njalla. We also independently confirmed that the servers to which these domains were resolving were configured in a similar fashion. Thus, we believe that this set of websites is controlled by the same threat group that created the documents. Conversely, the domain useproof[.]cc is most likely operated in-house by Candiru and is used to deliver exploits. ### Links between the watering holes, spearphishing documents and Candiru Table 3 summarizes the characteristics of the watering holes, the documents found by Citizen Lab, and Candiru. _Table 3. Summary of links between the three clusters (watering holes, documents found by Citizen Lab and Candiru)_ **Watering holes** **Cluster of** **documents** **Candiru** **Registrars** Mainly Njalla Njalla and TLD Registrar Solutions **Hosting** **providers** **Domain** **themes** ServerAstra, Droptop, Neterra, Net Solutions, The Infrastructure Group, Sia Nano and FlokiNET Analytics and URL shortener services URL shortener services Droptop, M247 and Dotsi Porkbun M247, QuadraNet, etc. Analytics, URL shortener services, media outlets, tech companies, government contractors, etc. **Victimology** Middle East Middle East Middle East, Armenia, Albania, Russia, Uzbekistan, etc. **Targeted** **platforms** Windows and macOS Windows Windows and macOS ----- **Watering holes** **Cluster of** **documents** **Candiru** **TTPs** Strategic web compromises Malicious documents with Document_Open macros Malicious documents and fake shortened URLs redirecting to exploits and the [DevilsTongue implant.](https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/) What is interesting to note is that the watering holes are limited to a quite narrow victimology. We also noted that domains known to be operated by Candiru (webfx[.]cc for example) are very similar to domains used for the watering holes (webfx[.]bz). However, they were not registered in the same fashion and their servers are configured very differently. [In July 2021, Google published a blogpost providing details on exploits used by Candiru. It includes CVE‑2021-21166 and](https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/) CVE-2021-30551 for Chrome and CVE-2021-33742 for Internet Explorer. They are full remote code execution exploits that allow an attacker to take control of a machine by making the victim visit a specific URL that then delivers the exploit. This shows Candiru has the capabilities to exploit browsers in a watering hole attack. Hence, we believe that the watering holes behave similarly to the documents. The first C&C server, injected in the compromised websites, would redirect to another C&C server, owned by a spyware firm such as Candiru and delivering a browser exploit. Based on this information, we assess: with low confidence that the creators of the documents and the operators of the watering holes are the same. with medium confidence that the operators of the watering holes are customers of Candiru. ## Conclusion This report describes two strategic web compromise campaigns targeting high-profile organizations in the Middle East, with a strong focus on Yemen. We also revealed links to Candiru, a spyware firm, that sells state‑of‑the‑art offensive software tools and related services to government agencies. We were unable to get an exploit and the final payload. This shows that the operators choose to narrow the focus of their operations and that they don’t want to burn their zero-day exploits. We stopped seeing activity from this operation at the end of July 2021, shortly after the release of blogposts by the Citizen Lab, Google and Microsoft detailing the activities of Candiru. _[A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.](https://github.com/eset/malware-ioc/tree/master/swc-candiru)_ _For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com._ ## Indicators of Compromise ### Legitimate, historically compromised websites **Compromised website** **From** **To (treat as a lower bound)** middleeasteye.net 2020-04-04 2020-04-06 piaggioaerospace.it 2020-07-08 2020-11-05 mfa.gov.ir 2020-07-11 2020-07-13 almanar.com.lb 2020-07-24 2020-07-30 smc.gov.ye 2021-01-18 2021-04-21 almasirahnews.com 2021-01-25 2021-04-21 2021-04-14 2021-07-30 2021-03-25 2021-07-17 ----- **Compromised website** **From** **To (treat as a lower bound)** casi.gov.sy 2021-02-01 Unknown moe.gov.sy 2021-02-01 Unknown almanar.com.lb 2021-02-03 2021-03-12 2021-02-23 2021-03-25 manartv.com.lb 2021-02-03 2021-03-22 mof.gov.ye 2021-02-11 2021-07-14 scs-net.org 2021-03-07 Unknown customs.gov.ye 2021-03-24 2021-06-16 denel.co.za 2021-03-31 2021-07-22 pmp.co.za 2021-03-31 Unknown deneldynamics.co.za 2021-04-03 2021-07-27 denellandsystems.co.za 2021-04-04 2021-07-23 denelaviation.co.za 2021-04-07 2021-07-19 yemen.net.ye 2021-04-15 2021-08-04 yemenparliament.gov.ye 2021-04-20 2021-07-05 yemenvision.gov.ye 2021-04-21 2021-06-13 mmy.ye 2021-05-04 2021-08-19 thesaudireality.com 2021-06-16 2021-07-23 saba.ye 2021-06-18 Unknown ### C&C servers **Last** **seen** **Details** **Domain** **IP** **First** **seen** piwiks[.]com 91.219.236[.]38 2020-0331 Watering hole C&C server. Watering hole C&C server. Fake website impersonating a German medical conference. Unknown. Unknown. Unknown. Unknown. rebrandly[.]site 91.219.239[.]191 91.219.236[.]38 2020-0320 2020-0713 2020-0729 2020-0710 2020-0929 2021-1020 2020-0319 2020-0416 2020-0416 2020-0416 medica-tradefair[.]co 91.219.236.50 2021-0628 bitly[.]bz 91.219.239[.]191 2020-0319 tinyurl[.]ist 91.219.239[.]191 2020-0319 tinyurl[.]bz 91.219.239[.]191 2020-0320 bit-ly[.]site 91.219.239[.]191 2020-0325 ----- **Last** **seen** **Details** **Domain** **IP** **First** **seen** bitly[.]tw 91.219.239[.]191 2020-0326 bitly[.]zone 91.219.239[.]191 2020-0326 shortlinkcut[.]link 91.219.239[.]191 2020-0326 tinyurl[.]one 91.219.239[.]191 2020-0326 tinyurl[.]photos 91.219.239[.]191 2020-0326 tinyurl[.]plus 91.219.239[.]191 2020-0326 site-improve[.]net 185.165.171[.]105 2021-0106 clickcease[.]app 83.171.236[.]147 2021-0106 visitortrack[.]net 87.121.52[.]252 2021-0106 webfx[.]bz 94.140.114[.]247 2021-0106 livesession[.]bid 5.206.224[.]197 2021-0106 engagebay[.]app 185.82.126[.]104 2021-0107 hotjar[.]net 5.206.224[.]226 2021-0107 webffx[.]bz 83.171.236[.]3 2021-0221 engagebaay[.]app 5.206.227[.]93 2021-0307 livesesion[.]bid 87.120.37[.]237 2021-0317 sitei-mprove[.]net 87.121.52[.]9 2021-0317 webfex[.]bz 45.77.192[.]33 2021-0226 bootstrapcdn[.]net 188.93.233[.]162 2021-0428 addthis[.]events 83.171.236[.]247 2021-0429 sherathis[.]com 5.206.224[.]54 2021-0627 yektenet[.]com 5.2.75[.]217 2021-0627 2020-0416 2020-0416 2020-0416 2020-0416 2020-0416 2020-0416 2021-0721 2021-0728 2021-1006 2021-0324 2021-0725 2021-0519 2021-0802 2021-0327 2021-0727 2021-0728 2021-0727 2021-0728 2021-0728 2021-0801 2021-0727 Unknown. Unknown. Unknown. Unknown. Unknown. Unknown. Watering hole C&C server. Unknown. Watering hole C&C server. Watering hole C&C server. Unknown. Unknown. Watering hole C&C server. Watering hole C&C server. Unknown. Watering hole C&C server. Unknown. N/A Watering hole C&C server. Watering hole C&C server. Watering hole C&C server. Unknown. Unknown. ----- **Last** **seen** **Details** **Domain** **IP** **First** **seen** staticdoubleclick[.]net codeafsanalytics[.]com 87.121.52[.]128 2021-0627 83.171.236[.]225 2021-0627 2021-0727 2021-0728 2021-0724 2021-0723 2021-0718 2021-0501 2021-0123 2021-0120 2020-1125 2021-0311 2021-0423 2021-0219 Unknown. Unknown. Unknown. Unknown. Unknown. Unknown. Unknown. Malicious document C&C server. Unknown. Unknown. Malicious document C&C server. Candiru exploit delivery server. fonts-gstatic[.]net 83.171.239[.]172 2021-0627 moatads[.]co 87.121.52[.]144 2021-0627 doubleclick[.]ac 5.2.67[.]82 2021-0627 llink[.]link 83.171.237[.]48 2021-0125 instagrarn[.]co 83.97.20[.]89 2020-1102 cuturl[.]app 83.97.20[.]89 2020-1102 url-tiny[.]co 83.97.20[.]89 2020-1102 bitly[.]tel 188.93.233[.]149 2021-0125 cuturl[.]space 83.171.236[.]166 2021-0125 useproof[.]cc 109.70.236[.]107 2020-1125 ### Files **SHA-1** **Filename** **C&C URL** **Comment** 4F824294BBECA4F4ABEEDE8648695EE1D815AD53 N/A https://cuturl[.]app/sot2qq Document with VBA macro. 96AC97AB3DFE0458B2B8E58136F1AAADA9CCE30B copy_02162021q.doc https://cuturl[.]space/lty7uw Document with malicious VBA macro. DA0A10084E6FE57405CA6E326B42CFD7D0255C79 seeIP.doc https://cuturl[.]space/1hm39t Document with VBA macro. ## MITRE ATT&CK techniques _[This table was built using version 10 of the MITRE ATT&CK framework.](https://attack.mitre.org/resources/versions/)_ **Tactic** **ID** **Name** **Description** ----- **Tactic** **ID** **Name** **Description** Resource Development [T1583.001](https://attack.mitre.org/versions/v10/techniques/T1583/001) Acquire Infrastructure: Domains The operators bought domain names from multiple registrars, including Njalla. [T1583.004](https://attack.mitre.org/versions/v10/techniques/T1583/004) Acquire Infrastructure: Server [T1584.004](https://attack.mitre.org/versions/v10/techniques/T1584/004) Compromise Infrastructure: Server [T1588.001](https://attack.mitre.org/versions/v10/techniques/T1588/001) Obtain Capabilities: Malware [T1588.005](https://attack.mitre.org/versions/v10/techniques/T1588/005) Obtain Capabilities: Exploits [T1608.004](https://attack.mitre.org/versions/v10/techniques/T1608/004) Stage Capabilities: Drive-by Target The operators rented servers from multiple hosting companies. In 2020, they rented servers mainly from ServerAstra. The operators compromised several high-profile websites. The operators probably bought access to Candiru implants. The operators probably bought access to Candiru exploits. The operators modify more than twenty highprofile websites to add a piece of JavaScript code that loads additional code from their C&C servers. Initial Access [T1189](https://attack.mitre.org/versions/v10/techniques/T1189) Drive-by Compromise Visitors to compromised websites may have received an exploit after their browser was fingerprinted. [T1566.001](https://attack.mitre.org/versions/v10/techniques/T1566/001) Phishing: Spearphishing Attachment The operators sent spearphishing emails with malicious Word documents. Execution [T1059.005](https://attack.mitre.org/versions/v10/techniques/T1059/005) Command and Scripting Interpreter: Visual Basic The Word documents contain a VBA macro running code using the Document_Open function. Command and Control [T1071.001](https://attack.mitre.org/versions/v10/techniques/T1071/001) Application Layer Protocol: Web Protocols The watering hole scripts communicate via HTTPS with the C&C servers. 16 Nov 2021 - 04:34PM ### Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center ----- ### Newsletter Discussion -----