Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware

    Date: 10/15/2024

    Severity: Critical

    Summary

    Trend Micro Research has detected a notable increase in spear phishing attacks targeting users in Brazil. These emails disguise malicious ZIP file attachments as personal income tax documents. The malware abuses mshta.exe to run obfuscated JavaScript commands that connect to a C&C server. The campaigns primarily impact Brazilian companies, with manufacturing, retail, and government sectors being the most affected.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    annotmykim.gruposenhordobonfim.io/?2/

    blogonbel84.gruposenhordobonfim.org/?1/

    blogonben.gruposenhordobonfim.org/?1/

    blogonben8.gruposenhordobonfim.org/?1/

    bruconlincol587.luminisconsultoria.io/?3/

    bruncolinc59.lumiscoconsupoltronsia.org/?3/

    claronqual.gruposenhordobonfim.org/?2/

    clindnor.cenithbonfim.net/?2/

    crafer.grupobonfim.net/?5/

    crecil.gruposenhordobonfim.org/?2/

    crgricill.gruposenhordobonfim.net/?3/

    crigonval.gruposenhordobonfim.org/?5/

    crigoval.gruposenhordobonfim.org/?5/

    crigvalbon.gruposenhordobonfim.org/?2/

    dragounzolonoff.ceritbonfim.com/?3/

    dramainco54.groupomonflowsacodonbonsait.io/?2/

    drapunzol.cemiteriobonfim.com/?1/

    drapunzol.cemiteriobonfim.com/?5/

    drocannanbel.veritasinvest.io/?1/

    florvaz.cemisionfinanceinvest.com/?3/

    flovaz138.cemiteriobonfim.com/?3/

    frulinzol.grupobonfim.org/?5/

    gaminqual.soluclaoled.world/?2/

    gramdinlhar.grupobonfim.org/?5/

    graminqual.solucaoled.world/?2/

    grammidhal.gruposenhordobonfim.org/?1/

    htruriz.grupobonfim.net/?3/

    murankel.limpanzin.io/?2/

    plaminel516.gruposenhordobonfim.com/?1/

    planhal.grupobonfim.org/?1/

    planhalconnalminsenior.io/?3/

    plarandiz.gruposenhordobonfim.org/?3/

    plikinvintez371.gruposenhordobonfim.com/?3/

    plikkentin37h.gruposenhordobonfim.com/?3/

    prawinvinbil2.clienteasciendig.world/?2/

    prawinzinbil66.clienteasciendig.world/?2/

    prawinzinbil66.clienteascindig.world/?2/

    pregonfer.gruposenhordobonfim.com/?5/

    prehenninlhar.gruposenhordobonfim.org/?2/

    prenharbisonvirenanal3.plurianbonfim.net/?2/

    prenherninal6v.gruposenhordobonfim.com/?2/

    prepor854.grupobonfim.net/?1/

    prerherningbron38.grupatibonfim.net/?2/

    prisonfinfel.grupobonfim.org/?3/

    pritonggopatrimoniosoberano.world/?5/

    pritongongor.patrimoniosoberano.world/?5/

    rawinzinbil66.clienteascindig.world/?2/

    rigonval.gruposenhordobonfim.org/?5/

    sasanal.gruposenhordobonfim.org/?2/

    scropenpaz.subindometa.world/?1/

    sp.runal.pad.rimonios.oberano.world/?5/

    sprunal.patrimoniosoberano.world/?5/

    spunalu.patrimoniosoberano.world/?5/

    stragir.nexuspatrimonial.city/?3/

    stragiran48xpatrimonianal.city/?3/

    stredenpintal7.sistemapreparatorio.io/?5/

    stredential7.sistemaaproparatorio.io/?5/

    stredential7.sistemapreparatorio.io/?5/

    strehen78zinal.islandofinvolomartyreasurgical.io/?5/

    strehensinvel.jlldobrasil.world/?1/

    stresanal.gruposenhordobonfim.com/?2/

    tibilaniznale7.intyoberbonfim.net/?2/

    titblansuperioniank3.cenithbonfim.net/?3/

    tribenpantrimonianal.cfdauctions.org/?2/

    tripanroncol68.aberturaazulvision.xyz/?5/

    tritanpinvaz.nexuspatrimonial.city/?5/

    tritum.gruposenhordobonfim.org/?5/

    trubenpal.paineira.cfd/?2/

    trugomen.copinasultanbolimansire.io/?2/

    trugonmennil.luminisconsultoria.io/?3/

    trujanel.gruposenhordobonfim.net/?5/

    urnasinvest.yunusgroup.net/?2/

    valcredonlin59.unicicomonsultanlonko.org/?1/

    valentinvest37.patrickbonfim.net/?5/

    vaval.gruposenhordobonfim.net/?5/

    velvinet6.unovetsnahels.org/?3/

    veritasinvestio.io/?1/

    veritasinvestio.io/?3/

    vinherena.sonyofbonfim.net/?3/

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs 1:

    userdomainname like "annotmykim.gruposenhordobonfim.io/?2/" or url like "annotmykim.gruposenhordobonfim.io/?2/" or userdomainname like "blogonbel84.gruposenhordobonfim.org/?1/" or url like "blogonbel84.gruposenhordobonfim.org/?1/" or userdomainname like "blogonben.gruposenhordobonfim.org/?1/" or url like "blogonben.gruposenhordobonfim.org/?1/" or userdomainname like "blogonben8.gruposenhordobonfim.org/?1/" or url like "blogonben8.gruposenhordobonfim.org/?1/" or userdomainname like "bruconlincol587.luminisconsultoria.io/?3/" or url like "bruconlincol587.luminisconsultoria.io/?3/" or userdomainname like "bruncolinc59.lumiscoconsupoltronsia.org/?3/" or url like "bruncolinc59.lumiscoconsupoltronsia.org/?3/" or userdomainname like "claronqual.gruposenhordobonfim.org/?2/" or url like "claronqual.gruposenhordobonfim.org/?2/" or userdomainname like "clindnor.cenithbonfim.net/?2/" or url like "clindnor.cenithbonfim.net/?2/" or userdomainname like "crafer.grupobonfim.net/?5/" or url like "crafer.grupobonfim.net/?5/" or userdomainname like "crecil.gruposenhordobonfim.org/?2/" or url like "crecil.gruposenhordobonfim.org/?2/" or userdomainname like "crgricill.gruposenhordobonfim.net/?3/" or url like "crgricill.gruposenhordobonfim.net/?3/" or userdomainname like "crigonval.gruposenhordobonfim.org/?5/" or url like "crigonval.gruposenhordobonfim.org/?5/" or userdomainname like "crigoval.gruposenhordobonfim.org/?5/" or url like "crigoval.gruposenhordobonfim.org/?5/" or userdomainname like "crigvalbon.gruposenhordobonfim.org/?2/" or url like "crigvalbon.gruposenhordobonfim.org/?2/" or userdomainname like "dragounzolonoff.ceritbonfim.com/?3/" or url like "dragounzolonoff.ceritbonfim.com/?3/" or userdomainname like "dramainco54.groupomonflowsacodonbonsait.io/?2/" or url like "dramainco54.groupomonflowsacodonbonsait.io/?2/" or userdomainname like "drapunzol.cemiteriobonfim.com/?1/" or url like "drapunzol.cemiteriobonfim.com/?1/" or userdomainname like 
"drapunzol.cemiteriobonfim.com/?5/" or url like "drapunzol.cemiteriobonfim.com/?5/" or userdomainname like "drocannanbel.veritasinvest.io/?1/" or url like "drocannanbel.veritasinvest.io/?1/" or userdomainname like "florvaz.cemisionfinanceinvest.com/?3/" or url like "florvaz.cemisionfinanceinvest.com/?3/" or userdomainname like "flovaz138.cemiteriobonfim.com/?3/" or url like "flovaz138.cemiteriobonfim.com/?3/" or userdomainname like "frulinzol.grupobonfim.org/?5/" or url like "frulinzol.grupobonfim.org/?5/" or userdomainname like "gaminqual.soluclaoled.world/?2/" or url like "gaminqual.soluclaoled.world/?2/" or userdomainname like "gramdinlhar.grupobonfim.org/?5/" or url like "gramdinlhar.grupobonfim.org/?5/"

    Domains/URLs 2:

    userdomainname like "graminqual.solucaoled.world/?2/" or url like "graminqual.solucaoled.world/?2/" or userdomainname like "grammidhal.gruposenhordobonfim.org/?1/" or url like "grammidhal.gruposenhordobonfim.org/?1/" or userdomainname like "htruriz.grupobonfim.net/?3/" or url like "htruriz.grupobonfim.net/?3/" or userdomainname like "murankel.limpanzin.io/?2/" or url like "murankel.limpanzin.io/?2/" or userdomainname like "plaminel516.gruposenhordobonfim.com/?1/" or url like "plaminel516.gruposenhordobonfim.com/?1/" or userdomainname like "planhal.grupobonfim.org/?1/" or url like "planhal.grupobonfim.org/?1/" or userdomainname like "planhalconnalminsenior.io/?3/" or url like "planhalconnalminsenior.io/?3/" or userdomainname like "plarandiz.gruposenhordobonfim.org/?3/" or url like "plarandiz.gruposenhordobonfim.org/?3/" or userdomainname like "plikinvintez371.gruposenhordobonfim.com/?3/" or url like "plikinvintez371.gruposenhordobonfim.com/?3/" or userdomainname like "plikkentin37h.gruposenhordobonfim.com/?3/" or url like "plikkentin37h.gruposenhordobonfim.com/?3/" or userdomainname like "prawinvinbil2.clienteasciendig.world/?2/" or url like "prawinvinbil2.clienteasciendig.world/?2/" or userdomainname like "prawinzinbil66.clienteasciendig.world/?2/" or url like "prawinzinbil66.clienteasciendig.world/?2/" or userdomainname like "prawinzinbil66.clienteascindig.world/?2/" or url like "prawinzinbil66.clienteascindig.world/?2/" or userdomainname like "pregonfer.gruposenhordobonfim.com/?5/" or url like "pregonfer.gruposenhordobonfim.com/?5/" or userdomainname like "prehenninlhar.gruposenhordobonfim.org/?2/" or url like "prehenninlhar.gruposenhordobonfim.org/?2/" or userdomainname like "prenharbisonvirenanal3.plurianbonfim.net/?2/" or url like "prenharbisonvirenanal3.plurianbonfim.net/?2/" or userdomainname like "prenherninal6v.gruposenhordobonfim.com/?2/" or url like "prenherninal6v.gruposenhordobonfim.com/?2/" or userdomainname like "prepor854.grupobonfim.net/?1/" or 
url like "prepor854.grupobonfim.net/?1/" or userdomainname like "prerherningbron38.grupatibonfim.net/?2/" or url like "prerherningbron38.grupatibonfim.net/?2/" or userdomainname like "prisonfinfel.grupobonfim.org/?3/" or url like "prisonfinfel.grupobonfim.org/?3/" or userdomainname like "pritonggopatrimoniosoberano.world/?5/" or url like "pritonggopatrimoniosoberano.world/?5/" or userdomainname like "pritongongor.patrimoniosoberano.world/?5/" or url like "pritongongor.patrimoniosoberano.world/?5/" or userdomainname like "rawinzinbil66.clienteascindig.world/?2/" or url like "rawinzinbil66.clienteascindig.world/?2/" or userdomainname like "rigonval.gruposenhordobonfim.org/?5/" or url like "rigonval.gruposenhordobonfim.org/?5/" or userdomainname like "sasanal.gruposenhordobonfim.org/?2/" or url like "sasanal.gruposenhordobonfim.org/?2/" or userdomainname like "scropenpaz.subindometa.world/?1/" or url like "scropenpaz.subindometa.world/?1/" or userdomainname like "sp.runal.pad.rimonios.oberano.world/?5/" or url like "sp.runal.pad.rimonios.oberano.world/?5/" or userdomainname like "sprunal.patrimoniosoberano.world/?5/" or url like "sprunal.patrimoniosoberano.world/?5/" or userdomainname like "spunalu.patrimoniosoberano.world/?5/" or url like "spunalu.patrimoniosoberano.world/?5/" or userdomainname like "stragir.nexuspatrimonial.city/?3/" or url like "stragir.nexuspatrimonial.city/?3/"

    Domains/URLs 3:

    userdomainname like "stragiran48xpatrimonianal.city/?3/" or url like "stragiran48xpatrimonianal.city/?3/" or userdomainname like "stredenpintal7.sistemapreparatorio.io/?5/" or url like "stredenpintal7.sistemapreparatorio.io/?5/" or userdomainname like "stredential7.sistemaaproparatorio.io/?5/" or url like "stredential7.sistemaaproparatorio.io/?5/" or userdomainname like "stredential7.sistemapreparatorio.io/?5/" or url like "stredential7.sistemapreparatorio.io/?5/" or userdomainname like "strehen78zinal.islandofinvolomartyreasurgical.io/?5/" or url like "strehen78zinal.islandofinvolomartyreasurgical.io/?5/" or userdomainname like "strehensinvel.jlldobrasil.world/?1/" or url like "strehensinvel.jlldobrasil.world/?1/" or userdomainname like "stresanal.gruposenhordobonfim.com/?2/" or url like "stresanal.gruposenhordobonfim.com/?2/" or userdomainname like "tibilaniznale7.intyoberbonfim.net/?2/" or url like "tibilaniznale7.intyoberbonfim.net/?2/" or userdomainname like "titblansuperioniank3.cenithbonfim.net/?3/" or url like "titblansuperioniank3.cenithbonfim.net/?3/" or userdomainname like "tribenpantrimonianal.cfdauctions.org/?2/" or url like "tribenpantrimonianal.cfdauctions.org/?2/" or userdomainname like "tripanroncol68.aberturaazulvision.xyz/?5/" or url like "tripanroncol68.aberturaazulvision.xyz/?5/" or userdomainname like "tritanpinvaz.nexuspatrimonial.city/?5/" or url like "tritanpinvaz.nexuspatrimonial.city/?5/" or userdomainname like "tritum.gruposenhordobonfim.org/?5/" or url like "tritum.gruposenhordobonfim.org/?5/" or userdomainname like "trubenpal.paineira.cfd/?2/" or url like "trubenpal.paineira.cfd/?2/" or userdomainname like "trugomen.copinasultanbolimansire.io/?2/" or url like "trugomen.copinasultanbolimansire.io/?2/" or userdomainname like "trugonmennil.luminisconsultoria.io/?3/" or url like "trugonmennil.luminisconsultoria.io/?3/" or userdomainname like "trujanel.gruposenhordobonfim.net/?5/" or url like "trujanel.gruposenhordobonfim.net/?5/" or 
userdomainname like "urnasinvest.yunusgroup.net/?2/" or url like "urnasinvest.yunusgroup.net/?2/" or userdomainname like "valcredonlin59.unicicomonsultanlonko.org/?1/" or url like "valcredonlin59.unicicomonsultanlonko.org/?1/" or userdomainname like "valentinvest37.patrickbonfim.net/?5/" or url like "valentinvest37.patrickbonfim.net/?5/" or userdomainname like "vaval.gruposenhordobonfim.net/?5/" or url like "vaval.gruposenhordobonfim.net/?5/" or userdomainname like "velvinet6.unovetsnahels.org/?3/" or url like "velvinet6.unovetsnahels.org/?3/" or userdomainname like "veritasinvestio.io/?1/" or url like "veritasinvestio.io/?1/" or userdomainname like "veritasinvestio.io/?3/" or url like "veritasinvestio.io/?3/" or userdomainname like "vinherena.sonyofbonfim.net/?3/" or url like "vinherena.sonyofbonfim.net/?3/"
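The TDIR queries above match the IOC URLs verbatim, which misses a request to the same C&C host with a different query string, or a URL logged with a scheme or without the trailing slash. The script below is an added example (not Gurucul's or Trend Micro's code) that normalizes the URL IOCs from the list above, matches them against proxy log events at two confidence levels (exact URL, host only), and separately flags the mshta.exe behaviour described in the summary: process-creation events where mshta.exe is launched with an inline javascript:/vbscript: argument or a remote URL. The proxy and process log lines and their whitespace-separated formats are constructed for illustration; real SIEM exports will need their own parsers.

```python
"""Match Water Makara IOCs and mshta.exe activity against sample log events.

Added example, not code from the advisory. Log formats and log lines are
constructed; adapt the two regexes/splitters to your own telemetry.
"""
import re
from urllib.parse import urlsplit

# Subset of the Domains/URLs IOCs listed in the advisory above.
IOC_URLS = [
    "annotmykim.gruposenhordobonfim.io/?2/",
    "crafer.grupobonfim.net/?5/",
    "drapunzol.cemiteriobonfim.com/?1/",
    "sprunal.patrimoniosoberano.world/?5/",
    "veritasinvestio.io/?1/",
]


def normalize_url(url: str) -> str:
    """Lower-case host + path + query, no scheme, no trailing slash.

    "HTTP://Host/?2/", "host/?2" and "https://host?2" all become "host/?2",
    so the comparison does not depend on how the proxy logged the request.
    """
    u = url.strip().lower()
    if "://" not in u:
        u = "http://" + u
    p = urlsplit(u)
    host = p.hostname or ""
    path = p.path or "/"
    if len(path) > 1:
        path = path.rstrip("/")
    query = "?" + p.query.rstrip("/") if p.query else ""
    return host + path + query


IOC_URL_SET = {normalize_url(u) for u in IOC_URLS}
IOC_HOST_SET = {normalize_url(u).split("/", 1)[0] for u in IOC_URLS}

# Constructed proxy log format: ts src_ip user method url status
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)
# Script protocol handlers mshta.exe will execute inline, and remote .hta fetches.
SCRIPT_HANDLER_RE = re.compile(r"\b(javascript|vbscript):", re.I)
REMOTE_URL_RE = re.compile(r"\bhttps?://", re.I)


def check_proxy_line(line: str):
    """Return (severity, rule, user, evidence) for an IOC hit, else None."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    norm = normalize_url(m["url"])
    host = norm.split("/", 1)[0]
    if norm in IOC_URL_SET:
        return ("high", "url-match", m["user"], m["url"])
    if host in IOC_HOST_SET:  # same C&C host, different campaign path
        return ("medium", "host-match", m["user"], m["url"])
    return None


def check_process_line(line: str):
    """Flag mshta.exe launches; constructed format: ts host user image cmdline."""
    parts = line.strip().split(" ", 4)
    if len(parts) < 5:
        return None
    _ts, _host, user, image, cmdline = parts
    if not image.lower().endswith("\\mshta.exe"):
        return None
    if SCRIPT_HANDLER_RE.search(cmdline):
        return ("high", "mshta-inline-script", user, cmdline)
    if REMOTE_URL_RE.search(cmdline):
        return ("high", "mshta-remote-hta", user, cmdline)
    return ("low", "mshta-exec", user, cmdline)  # local .hta: review, not alert


# Constructed sample events (not real telemetry).
PROXY_LOG = [
    "2024-10-15T13:02:11Z 10.0.0.12 jdoe GET http://drapunzol.cemiteriobonfim.com/?1/ 200",
    "2024-10-15T13:02:15Z 10.0.0.12 jdoe GET https://crafer.grupobonfim.net/?9/ 404",
    "2024-10-15T13:03:40Z 10.0.0.31 asilva GET https://www.example.com/index.html 200",
]
PROCESS_LOG = [
    r"2024-10-15T13:02:05Z WS-042 jdoe C:\Windows\System32\mshta.exe mshta.exe javascript:(constructed-obfuscated-script)",
    r"2024-10-15T13:10:00Z WS-017 asilva C:\Windows\System32\notepad.exe notepad.exe C:\Users\asilva\notes.txt",
    r"2024-10-15T13:12:00Z WS-017 asilva C:\Windows\System32\mshta.exe mshta.exe C:\Program Files\Vendor\help.hta",
]


def scan(proxy_lines, process_lines):
    """Run both detections and return the list of hits in log order."""
    hits = []
    for line in proxy_lines:
        hit = check_proxy_line(line)
        if hit:
            hits.append(hit)
    for line in process_lines:
        hit = check_process_line(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for sev, rule, user, evidence in scan(PROXY_LOG, PROCESS_LOG):
        print(f"[{sev:6}] {rule:20} user={user} {evidence}")
```

The host-level match is deliberately lower severity: the registered domains in the list are reused across several subdomains and campaign paths (the `/?1/` to `/?5/` suffixes), so a hit on the host alone is worth triage but a different query string is not by itself proof of the same payload. Correlating a high-severity proxy hit with an mshta.exe inline-script event from the same user within a few minutes is the strongest signal this page's IOCs support.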

    Reference:

    https://www.fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa


    Tags: Malware, Information Technology, Government Services and Facilities, Critical Manufacturing, Spear Phishing
