{"id":57386,"date":"2024-10-14T00:00:00","date_gmt":"2024-10-14T00:00:00","guid":{"rendered":"urn:uuid:70d0c294-6cbf-357c-2f72-aa0d1b449844"},"modified":"2024-10-14T00:00:00","modified_gmt":"2024-10-14T00:00:00","slug":"water-makara-uses-obfuscated-javascript-in-spear-phishing-campaign-targets-brazil-with-astaroth-malware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/water-makara-uses-obfuscated-javascript-in-spear-phishing-campaign-targets-brazil-with-astaroth-malware\/","title":{"rendered":"Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware"},"content":{"rendered":"

<\/p>\n

<\/div>\n
\n
\n

We track this intrusion set as Water Makara, which uses the Astaroth malware with a new defense evasion technique. Astaroth<\/a>, a notorious information-stealing banking trojan, remains active and is anticipated to persist into 2024. In this blog, we\u2019ll explore the tactics used by Water Makara and share best practices that can be taken to strengthen defenses against such threats.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Figure 2 illustrates the infection chain of the malware, from how the malicious attachment is delivered and how it intends to be executed. The attack begins with a spear phishing email that is designed to appear legitimate and credible, often impersonating well-known organizations or official entities. This common social engineering tactic could trick the recipient into downloading the malicious ZIP attachment.<\/p>\n

Figure 3 presents an example of an Astaroth phishing email, sourced from a threat hunter on Twitter<\/a> with the user @9823f_. The email\u2019s content pertains to \u201cAviso de Irregularidade,\u201d which translates to \u201cNotice of Irregularity.\u201d This term refers to a formal notification issued by authorities, typically related to taxes or compliance indicating the presence of discrepancies or issues that require attention.<\/p>\n

The ZIP file, in turn, contains a malicious LNK file. Although the originally mentioned ZIP file is unavailable, we have sourced a similar email sample separately to analyze. In this instance, the downloaded a ZIP file is labeled \u201cIRPF20248328025.zip\u201d where \u201cIRPF\u201d refers to \u201cImposto de Renda da Pessoa F\u00edsica,\u201d which translates to \u201cPersonal Income Tax.\u201d Due to the familiarity and significance of personal income tax documents, potential victims are more inclined to trust and open or extract this file. In addition to \u201cIRPF\u201d, the file also uses other names designed to trick the user into downloading and extracting the ZIP file. The LNK file, when executed by the user, runs embedded malicious JavaScript commands.<\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Aside from the LNK file, the ZIP file also contains another file that has similar obfuscated JavaScript commands. Initially, this file is Base64-encoded, and decoding reveals the hidden malicious scripts. Employing various file formats to spread malware is a tactic commonly seen in drive-by downloads. By embedding malicious code into seemingly benign files, they trick users into executing the malicious payload.<\/b><\/p>\n

In this campaign, there are multiple variants or file extensions used, namely, .pdf, .jpg, .png, .gif, .mov, and .mp4.<\/p>\n

Figure 6 shows the content of the LNK file. In this example, we analyzed a sequence of commands used to execute a malicious JavaScript hidden within the LNK file. Each command plays a specific role, contributing to the overall execution of the attack:<\/p>\n