Trend Micro Inc.

10/14/2024 | News release | Distributed by Public on 10/14/2024 02:29

Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware

The URLs share several patterns. In this example, each contains the domain patrimoniosoberano[.]world, which indicates that they belong to the same domain but may point to different subdomains or paths within it.

Each URL has a unique subdomain but follows a similar naming scheme:

  • hxxps[://]pritonggopatrimoniosoberano[.]world/?5/
  • hxxps[://]pritongongor[.]patrimoniosoberano[.]world/?5/
  • hxxps[://]spunalu[.]patrimoniosoberano[.]world/?5/
  • hxxps[://]sprunal[.]patrimoniosoberano[.]world/?5/

Additionally, each URL ends with the same path, /?5/, which suggests that they point to a common resource or that their parameters are structured the same way. The technique used to produce these hostnames is a domain generation algorithm (DGA), a method used by various malware families to create large numbers of domain names algorithmically.

Based on the list of indicators of compromise (IoCs), the second-level domains (SLDs) of the URLs share a similar structure and potentially point to the same C&C servers used by Astaroth. While Trend Micro has already neutralized the known behaviors associated with this malware, it is crucial for users to remain vigilant and aware of the risks posed by this phishing attack.
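The URL patterns described above (shared registered domain, varying subdomains, identical /?5/ path) lend themselves to a simple triage check over a list of defanged IoCs. The following script is an added example written for this page, not code from Trend Micro or from the report: it refangs each URL, splits the hostname into subdomain and registered domain, clusters URLs that share a registered domain and path, and separately checks hostnames against a watchlist of attributed domains. The four report URLs are used as input together with two constructed benign URLs; the registered-domain split assumes "last two labels" for brevity, which a production version should replace with a Public Suffix List lookup.

```python
"""Cluster defanged phishing URLs by registered domain and path (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Input: the four defanged URLs from the report plus two constructed benign
# lines (the benign ones are made up for this example, not from the report).
SAMPLE_IOCS = [
    "hxxps[://]pritonggopatrimoniosoberano[.]world/?5/",
    "hxxps[://]pritongongor[.]patrimoniosoberano[.]world/?5/",
    "hxxps[://]spunalu[.]patrimoniosoberano[.]world/?5/",
    "hxxps[://]sprunal[.]patrimoniosoberano[.]world/?5/",
    "https://docs.example.com/guide/",           # constructed benign
    "https://mail.example.org/inbox?folder=1",   # constructed benign
]

# Registered domains already attributed to the campaign (the one named in the report).
WATCHLIST = {"patrimoniosoberano.world"}


def refang(ioc: str) -> str:
    """Turn a defanged IoC (hxxps[://]a[.]b) back into a parseable URL."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[://]", "://").replace("[.]", ".").replace("(.)", ".")


def split_host(host: str):
    """Return (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. Real code should
    use the Public Suffix List (for example the tldextract package) so that
    names like example.co.uk are handled correctly."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return "", host.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_url(ioc: str) -> dict:
    """Refang and decompose one URL into the fields the clustering keys on."""
    url = refang(ioc)
    parts = urlsplit(url)
    host = parts.hostname or ""
    sub, reg = split_host(host)
    path = parts.path + (f"?{parts.query}" if parts.query else "")
    return {"url": url, "host": host, "subdomain": sub,
            "registered_domain": reg, "path": path}


def find_clusters(iocs):
    """Group URLs that share a registered domain and a path/query string."""
    clusters = defaultdict(list)
    for ioc in iocs:
        rec = parse_url(ioc)
        clusters[(rec["registered_domain"], rec["path"])].append(rec)
    return dict(clusters)


def watchlist_hit(ioc: str, watchlist=WATCHLIST):
    """Return the matching watchlist entry, or None.

    Besides an exact registered-domain match, also catch hostnames that merely
    contain the watchlisted name as a run of characters: the report's first URL
    has no dot between the subdomain and the domain, so a plain
    registered-domain comparison alone would miss it."""
    rec = parse_url(ioc)
    flat_host = rec["host"].replace(".", "")
    for bad in watchlist:
        if rec["registered_domain"] == bad or bad.replace(".", "") in flat_host:
            return bad
    return None


def suspicious_urls(iocs, min_cluster=2):
    """URLs worth an analyst's attention: in a multi-subdomain cluster or on the watchlist."""
    flagged = {}
    for key, recs in find_clusters(iocs).items():
        distinct_subs = {r["subdomain"] for r in recs}
        if len(recs) >= min_cluster and len(distinct_subs) >= min_cluster:
            for r in recs:
                flagged[r["url"]] = f"cluster {key[0]} {key[1]} ({len(recs)} hosts)"
    for ioc in iocs:
        url = refang(ioc)
        hit = watchlist_hit(ioc)
        if hit and url not in flagged:
            flagged[url] = f"watchlist {hit}"
    return flagged


if __name__ == "__main__":
    for url, reason in suspicious_urls(SAMPLE_IOCS).items():
        print(f"{reason:55} {url}")
```

Run against the sample list, the three dotted patrimoniosoberano[.]world URLs are reported as one cluster of three distinct subdomains sharing the /?5/ path, the undotted first URL is caught only by the watchlist substring check, and the two constructed benign URLs are not flagged. The two checks are deliberately independent: clustering surfaces DGA-style hosts under a domain nobody has attributed yet, while the watchlist catches single hits against domains already tied to the campaign.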

We are actively monitoring this intrusion set. As of this writing, no critical payloads have been observed on the endpoints, thanks to the existing mitigation policy for these behaviors. Trend Micro solutions effectively block this threat from the point of initial access.

While Astaroth might seem like an old banking trojan, its reemergence and continued evolution make it a persistent threat. Beyond stolen data, its impact extends to long-term damage to consumer trust, regulatory fines, and increased costs from business disruption and downtime as well as recovery and remediation.

Water Makara's spear phishing campaign relies on unwitting users clicking on the malicious files, which underscores the critical role of human awareness. Companies should also adopt best practices, such as conducting regular security training, enforcing strong password policies, using multifactor authentication (MFA), keeping security solutions and software updated, and applying the principle of least privilege.