Watering hole attacks and exploit kits

Watering hole attacks and exploit kits – Indian gov site case

Pierluigi Paganini May 27, 2013

Number of Watering hole attacks is increasing, most of them based on well known exploit kits. The case of compromised Indian gov Web site leads to BlackHole

Watering Hole attacks increase in a meaningful way in the last years following a scaring trend, the technique is based on infection of website’s visitors, typically attackers use to compromise legitimate websites with a “drive-by” exploit.

Watering Hole technique has been observed since 2009 when civil society organizations were attacked with this method and used as a channel to deliver 0-day exploits to specific targets.

The techniques results ideal for the impairment of selected targets, individuals or limited communities, that search for specific contents proposed by website used to deliver malicious code.

Efficiency of Watering Hole attacks increase with the use made by attackers of zero-day exploits that affect victim’s software, in this case victims has no way to protect their systems from the malware diffusion.

Once a victim visits the page on the compromised website a backdoor trojan is installed on his computer, Watering Hole method of attacks is very common for cyber espionage operation or state sponsored attacks. Governments are the primary buyers for zero-day exploits that are used to exploit victim’s machine remaining uncovered for long periods, the capability to remain silent during the time is determinant for the success of the attack.

A recent post published by Dancho Danchev revealed that a Compromised Indian government Web site leads to Black Hole Exploit Kit, the researchers at Webroot firm detected the infection interested the web site of the Ministry of Micro And Medium Enterprises (MSME DI Jaipur).

The researchers tried to profile the campaign discovering that the Black Hole Exploit Kit serving URL was used for other previous client-side exploit serving campaigns, in 2012 the same IP was also seen in fact during a malvertising campaign.

The researchers provided in the post the list of malicious domain name used for the attack and sample of compromised URLs, following the details of the investigation.

Sample compromised URLs:
 hxxp://sisijaipur.gov.in/cluster_developement.html
 hxxp://msmedijaipur.gov.in/cluster_developement.html

Malicious domain names/redirectors reconnaissance:
 888-move-stuff.com – 50.63.202.21 – Email: van2move@yahoo.com
 888movestuff.com – 208.109.181.190 – Email: van2move@yahoo.com
 jobbelts.com (redirector/C&C) – 98.124.198.1 – 
 Email: aanelli@yahoo.com

More malicious domains are known to have been 
responding to the same IP in the past (98.124.198.1):
 adventure-holiday-specials.com
 appraisingla.com
 arc-res.com
 a-to-z-of-barbados.com
 bookmarkingdemonx.com
 ceointerns.com
 charityairsupport.org
 csepros.com
 dominateseowithwordpress.com
 enum365.com
 jobbelts.com
 karenbrowntx.com
 rankbuilder2.net
 seopressors.org
 stopchasingmoney.com
 thefamily4life.org
 ventergy.com

To have an idea of the efficiency of the malware used by attackers, known as Trojan:JS/BlacoleRef.W; Trojan-Downloader.JS.Iframe.czf having MD5 equal to 44a8c0b8d281f17b7218a0fe09840ce9, it is useful to evaluate the detection rate for the malware that is 24 out of 27 antivirus. Despite the The Black Hole Exploit Kit redirecting URL that compromised the Indian government Web site is currently not accepting any connections, the security experts at Webroot noted that it was working on 2012-07-03 08:04:36 delivering malicious content.

The Sample redirection chain discovered by the researcher is

Once exploited the client application on the victim’s machine it is dropped the Trojan-Ransom.Win32.Birele.vjr, aka PWS:Win32/Fareit.gen!C and then additional malware are downloaded from:

hxxp://euxtoncorinthiansfc.co.uk/pd.exe

hxxp://euxtoncorinthiansfc.co.uk/1689.exe

Attacks like this one are becoming very popular, early 2013 Solutionary’s Security Engineering Research Team published an interesting study that revealed the rise of exploit kits mainly originated in Russia.

BlackHole 2.0 is considered most popular and pervasive exploit kit despite it exploits fewer vulnerabilities than other kits do. Over 18% of the malware instance detected were directly attributed to The BlackHole exploit kit that is a web application that exploit known vulnerabilities in most popular applications, frameworks and browsers such as Adobe Reader, Adobe Flash and Java.

Watering Hole is much more efficient if compared to a spear phishing attack in which the success of the operation depend on the recipient clicking the link or opening an attachment. There’s an high probability that victim discard the malicious email, even if malware is able to elude antivirus detection due the presence of a zero-day exploit. Watering Hole allows to overcome this difficulty compromising and infect a website victim is likely to visit.

What to expect from the future?

Security experts have no doubts, the number of watering hole attacks is destined grow in the next months due the large diffusion of exploit kits in the black market and despite the impairment of a target website is much more difficult of other methods of attack.

Pierluigi Paganini

(Security Affairs – Watering Hole attack)

0-day cyber espionage Dancho Danchev exploit kit Black Hole malware spear phishing targeted attacks watering hole Webroot

Pierluigi Paganini October 08, 2025

DragonForce, LockBit, and Qilin, a new triad aims to dominate the ransomware landscape

Pierluigi Paganini October 08, 2025