Script injection on the website of the Iranian Embassy in Abu Dhabi

Our curiosity was aroused by the nature of the targeted website, and in the following weeks we noticed that other websites with connections to the Middle East started to be targeted.

We traced the start of the campaign back to March 2020, when the piwiks[.]com domain was re-registered. We believe that the strategic web compromises only started in April 2020, when the website of the Middle East Eye, a London-based digital news site covering the region, started to inject code from the piwiks[.]com domain.

At the end of July or the beginning of August 2020, all remaining compromised websites were cleaned; it is probable that the attackers themselves removed the malicious scripts from the compromised websites.

The threat group went quiet until January 2021, when we observed a new wave of compromises. This second wave lasted until August 2021, when all websites were cleaned again.

The compromised websites are only used as a hop to reach the final targets. We detail the inner workings of the compromises in the Technical analysis section, below, but it is worth noting that the final targets are specific visitors of those websites, who are likely to receive a browser exploit. A few indicators from this second wave were shared on Twitter by a fellow researcher, which allows us to make a link with what Kaspersky tracks as Karkadann.

We also uncovered interesting links with Candiru, detailed in the section Links between the watering holes, spearphishing documents and Candiru.
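The compromise pattern above (a legitimate site quietly loading a script from an attacker-controlled domain) is something a site owner can check for directly. The following is an added example, not code from the original analysis: it parses a page's HTML, extracts every script src, and reports third-party hosts not on an allowlist. The sample page, the page host (news.example), the allowlisted CDN and the placeholder injected domain (piwiks.example) are all constructed for the example and are not the campaign's real infrastructure.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: one first-party script, one allowlisted CDN script,
# and one injected third-party script loaded via a protocol-relative URL.
# Hostnames are placeholders, not the real domains from the campaign.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
<script type="text/javascript" src="//piwiks.example/piwik.js"></script>
</head><body><p>news</p></body></html>"""

# Hosts the site owner knowingly loads scripts from (assumed for the example).
ALLOWLIST = {"cdn.example.org"}


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def script_sources(html):
    """Return script src values in document order."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return parser.sources


def external_hosts(html, page_host):
    """Hostnames of scripts served from somewhere other than page_host.

    Relative paths (no scheme, no //host) are same-origin and skipped.
    Protocol-relative URLs (//host/path) are handled by urlsplit, which
    treats the leading // as the netloc.
    """
    hosts = []
    for src in script_sources(html):
        host = urlsplit(src).hostname
        if host is None:
            continue  # relative path: same origin as the page
        host = host.lower()
        if host != page_host.lower():
            hosts.append(host)
    return hosts


def unexpected_script_hosts(html, page_host, allowlist):
    """Third-party script hosts that are not on the owner's allowlist."""
    return sorted({h for h in external_hosts(html, page_host) if h not in allowlist})


if __name__ == "__main__":
    # Fetching the live page is left to the caller; here the sample is inline.
    print(unexpected_script_hosts(SAMPLE_HTML, "news.example", ALLOWLIST))
```

Run periodically against the site's own pages (or against archived copies, as a defender reconstructing a timeline like the one above would), any host in the output that the site owner did not add is a candidate injected script and warrants pulling and analysing the referenced file.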