
Hackers Utilize Websites to Deploy Weaponized LZH File Using LNK File


A recent watering hole attack has been making waves in the cybersecurity community, as it employs a stealthy method to deliver malware to unsuspecting users. This attack leverages a compromised website to distribute malware, targeting specific accounts with Basic authentication credentials.

When a user visits the infected site, their system automatically downloads an LZH archive that contains an LNK file. Executing this LNK file triggers the installation of malware on the user’s system. This malicious webpage cloaks its activities by displaying a maintenance message to distract the user while silently downloading the LZH file containing malware.

Moreover, the website provides a link to download Lhaplus, a legitimate decompression tool, to encourage users to extract the malicious payload unknowingly. This tactic increases the chances of infection, as users are more likely to trust a seemingly harmless tool like Lhaplus.

The attack takes advantage of an LNK file that contains Base64-encoded ZIP and VBS files. When the LNK file is executed, it extracts these components, leading to the initiation of malicious activities on the user’s system. The VBS script decodes and extracts the malicious ZIP archive, setting the stage for a potential malware infection.
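The following is an added example, not code from the article or from JPCERT/CC, showing how a defender can triage a suspicious shortcut file of the kind described above: it scans a file for long runs of Base64 text, decodes each run, and reports any decoded blob that is a ZIP archive (by its `PK\x03\x04` signature) or looks like a VBScript dropper (by tokens such as `CreateObject(`). The sample input is constructed in the script itself (a harmless in-memory ZIP and a benign VBS stub inside an LNK-like byte string, with the `0x4C` header size field as the only LNK-specific detail); the 64-character run threshold and the VBS token list are my own heuristic choices.

```python
import base64
import hashlib
import io
import re
import zipfile
from typing import List, Optional

# Base64-alphabet run of at least 64 characters, optionally padded. The length
# threshold is a heuristic chosen to skip short incidental matches (assumption).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive
# Tokens typical of a VBScript dropper; any hit marks the decoded blob as VBS (heuristic).
VBS_TOKENS = (b"CreateObject(", b"WScript.", b"Scripting.FileSystemObject")


def classify_blob(blob: bytes) -> Optional[str]:
    """Return 'zip', 'vbs', or None for a decoded Base64 blob."""
    if blob.startswith(ZIP_MAGIC):
        return "zip"
    if any(tok in blob for tok in VBS_TOKENS):
        return "vbs"
    return None


def find_embedded_payloads(data: bytes) -> List[dict]:
    """Locate Base64-encoded ZIP or VBS payloads embedded in an arbitrary byte string."""
    findings = []
    seen = set()
    # Scan the raw bytes and a NUL-stripped view: LNK string fields are often
    # stored as UTF-16LE, where ASCII Base64 text appears with a NUL after each char.
    for view_name, view in (("raw", data), ("nul-stripped", data.replace(b"\x00", b""))):
        for m in B64_RUN.finditer(view):
            run = m.group(0)
            # Trim to a multiple of 4 so strict decoding does not reject a ragged tail.
            usable = run[: len(run) - (len(run) % 4)]
            try:
                decoded = base64.b64decode(usable, validate=True)
            except ValueError:
                continue
            kind = classify_blob(decoded)
            if kind is None:
                continue
            digest = hashlib.sha256(decoded).hexdigest()
            if digest in seen:  # same payload found in both views
                continue
            seen.add(digest)
            findings.append({
                "view": view_name,
                "offset": m.start(),
                "kind": kind,
                "encoded_len": len(run),
                "decoded_len": len(decoded),
                "sha256": digest,
            })
    return findings


def build_sample_lnk_like() -> bytes:
    """Constructed test input: an LNK-like byte string carrying a Base64 ZIP and a Base64 VBS stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.txt", "placeholder content, not malware")
    zip_b64 = base64.b64encode(buf.getvalue())
    vbs_stub = (b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
                b'WScript.Echo "decode stage placeholder"\r\n')
    vbs_b64 = base64.b64encode(vbs_stub)
    # 0x4C header size field is the only LNK-specific detail; the rest is filler.
    return b"L\x00\x00\x00" + b"\x00" * 60 + b"cmd /c ... " + zip_b64 + b" " + vbs_b64


if __name__ == "__main__":
    for f in find_embedded_payloads(build_sample_lnk_like()):
        print(f"{f['kind']:4s} at offset {f['offset']} ({f['view']}), "
              f"{f['encoded_len']} b64 chars -> {f['decoded_len']} bytes, sha256 {f['sha256'][:16]}...")
```

Run it against a real shortcut with `find_embedded_payloads(open(path, "rb").read())`; a hit does not prove maliciousness on its own, but a ZIP or VBScript hidden inside an LNK is a strong enough signal to quarantine the file and pull the decoded blobs for analysis.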

To further obfuscate its activities, the malware utilizes a legitimate process (iusb3mon.exe) to load a malicious DLL (SQRoot) in a new session named “newimp.” This method bypasses normal loading mechanisms, making it harder for security measures to detect the malicious activities.

The SQRoot malware operates using a modular approach, downloading plugins from a command-and-control server to enhance its capabilities. These functionalities include downloading and executing Remote Access Trojans (RATs) and executing shellcode to carry out various malicious activities.

The malware communicates with the C2 server using ChaCha20 encryption, embedding unique identifiers in the User-Agent header and a random string in the x-auth header for identification and authentication purposes. Additionally, the malware restricts communication with the C2 server to specific business hours, sending dummy traffic during off-hours to obscure its real interactions.

One of the downloaded plugins triggers the download of the SQRoot RAT, a malicious BPM file that exhibits restricted C2 communication, only operating on weekdays between 9:00 AM and 6:00 PM. This limited communication window helps the malware blend into normal working-hours traffic and avoid standing out in off-hours activity.
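As an added example (not from the article or JPCERT/CC), here is detection logic a SOC could run over proxy logs to surface the traffic pattern described in the two paragraphs above: requests carrying a non-standard `x-auth` header whose value changes on every request, together with the share of those requests that fall in the weekday 09:00 to 18:00 window. The log format, the hostnames (`.invalid` TLD) and the sample lines are constructed for the example, and treating a per-request random `x-auth` value as the signal is my own reading of "a random string in the x-auth header".

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import List, Optional

# Constructed proxy-log format (assumption): ISO timestamp, src, dst, method,
# quoted User-Agent, and an optional quoted x-auth header value.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=\S+ '
    r'ua="(?P<ua>[^"]*)"(?: x-auth="(?P<xauth>[^"]*)")?$'
)

BUSINESS_START, BUSINESS_END = 9, 18  # the 09:00 to 18:00 weekday window from the article


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def in_business_hours(ts: datetime) -> bool:
    """Monday to Friday, 09:00 <= time < 18:00."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.hour < BUSINESS_END


def profile_x_auth_beacons(lines: List[str], min_requests: int = 3) -> List[dict]:
    """Flag (src, dst) pairs whose x-auth value never repeats across at least min_requests requests."""
    stats = defaultdict(lambda: {"total": 0, "with_x_auth": 0,
                                 "x_auth_values": set(), "x_auth_in_hours": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[(rec["src"], rec["dst"])]
        s["total"] += 1
        if rec["xauth"] is not None:
            s["with_x_auth"] += 1
            s["x_auth_values"].add(rec["xauth"])
            if in_business_hours(rec["ts"]):
                s["x_auth_in_hours"] += 1

    findings = []
    for (src, dst), s in sorted(stats.items()):
        n = s["with_x_auth"]
        # Skip pairs with too few samples, or with a stable token (a fixed API credential
        # reused on every request is the normal legitimate shape of such a header).
        if n < min_requests or len(s["x_auth_values"]) != n:
            continue
        findings.append({
            "src": src,
            "dst": dst,
            "requests_with_x_auth": n,
            "business_hours_share": s["x_auth_in_hours"] / n,
        })
    return findings


# Constructed sample: 2024-05-13 to 2024-05-15 are weekdays, 2024-05-18 is a Saturday.
SAMPLE_LOG = [
    '2024-05-13T09:15:02Z src=10.0.0.5 dst=c2.invalid method=GET ua="Mozilla/5.0 (Windows NT 10.0) 7f3a9c" x-auth="aB3xQ"',
    '2024-05-13T11:40:17Z src=10.0.0.5 dst=c2.invalid method=GET ua="Mozilla/5.0 (Windows NT 10.0) 7f3a9c" x-auth="Qp9zL"',
    '2024-05-14T15:02:44Z src=10.0.0.5 dst=c2.invalid method=GET ua="Mozilla/5.0 (Windows NT 10.0) 7f3a9c" x-auth="m7LkW"',
    '2024-05-15T17:30:09Z src=10.0.0.5 dst=c2.invalid method=GET ua="Mozilla/5.0 (Windows NT 10.0) 7f3a9c" x-auth="Zz1wE"',
    # Off-hours filler request modelled without the header (constructed, not from the article).
    '2024-05-18T10:00:00Z src=10.0.0.5 dst=c2.invalid method=GET ua="Mozilla/5.0 (Windows NT 10.0) 7f3a9c"',
    # Legitimate client reusing one fixed token: same count, but the value never changes.
    '2024-05-13T12:05:00Z src=10.0.0.7 dst=api.vendor.invalid method=GET ua="vendor-agent/2.1" x-auth="static-token"',
    '2024-05-13T12:10:00Z src=10.0.0.7 dst=api.vendor.invalid method=GET ua="vendor-agent/2.1" x-auth="static-token"',
    '2024-05-13T12:15:00Z src=10.0.0.7 dst=api.vendor.invalid method=GET ua="vendor-agent/2.1" x-auth="static-token"',
    'this line is malformed on purpose and is skipped',
]

if __name__ == "__main__":
    for f in profile_x_auth_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['requests_with_x_auth']} x-auth requests, "
              f"{f['business_hours_share']:.0%} inside weekday business hours")
```

The business-hours share is reported as context rather than used as a filter, because a high share is exactly what legitimate office traffic also shows; the discriminating signal here is the header value that never repeats. A real deployment would also key on the static identifier the article says is embedded in the User-Agent, once that value is known from analysis.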

The SQRoot malware injects itself into a legitimate file (nvSmart.exe) and loads additional plugins, such as a keylogger, to steal information from the infected device. According to JPCERT/CC, the attack associated with this malware strain leveraged a watering hole technique and was linked to APT10, indicating a potential threat from advanced threat actors.

The attackers compromised the website using a Weevely web shell, allowing them persistent remote access to the site and facilitating the initial infection vector. This tactic demonstrates the sophistication and persistence of the attackers in targeting specific users and organizations.

In conclusion, the watering hole attack described above highlights the evolving nature of cyber threats and the need for robust security measures to protect against such malicious activities. It serves as a reminder for users to exercise caution while browsing the internet and to implement strong cybersecurity practices to safeguard their systems and data from potential threats.
