
Brazil hit by spear phishing campaign using Astaroth malware


A new wave of spear phishing attack campaigns, known as Water Makara, is targeting Brazil’s manufacturing, retail, and government sectors. The attackers use tax-related emails to deceive recipients into downloading malicious ZIP files that deploy the Astaroth banking trojan, a notorious malware that is designed to steal sensitive information.

The attackers establish connections to command-and-control servers by leveraging obfuscated JavaScript commands and legitimate Windows utilities such as mshta.exe.

The attack begins with a well-crafted phishing email impersonating legitimate entities or government bodies. The email includes a ZIP attachment often named to resemble tax documents, such as ‘IRPF20248328025.zip,’ which refers to ‘Imposto de Renda da Pessoa Fisica (Personal Income Tax).’

[Image: A sample of the phishing email. | Source: Trend Micro]

Because tax-related content is both familiar and important, many users are tricked into opening the ZIP file. Inside the archive is an LNK (Windows shortcut) file that carries encoded JavaScript commands used to compromise the user’s system.

Water Makara’s attack chain relies on several obfuscation methods to evade detection. The LNK file inside the ZIP archive runs commands through Windows’ command-line interpreter, cmd.exe, which in turn invokes mshta.exe to execute the malicious JavaScript.

This approach allows attackers to exploit legitimate tools stealthily, making detection more difficult.
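A defender-side check for the cmd.exe to mshta.exe step described above, written as an added example rather than code from the article or from Trend Micro’s report. The log format, host names and command lines are constructed for illustration; the rule flags mshta.exe launched by cmd.exe with an inline script argument instead of a file path.

```python
import re
from typing import Dict, List

# Constructed sample of process-creation events in a simplified key=value
# format (not real Sysmon/EDR output). Line 1 mirrors the chain the article
# describes: cmd.exe launching mshta.exe with inline, obfuscated JavaScript.
# Lines 2-3 are benign for contrast.
SAMPLE_EVENTS = """\
ts=2024-10-18T10:12:03Z host=WS01 parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\System32\\mshta.exe cmdline="mshta javascript:eval(unescape('%76%61%72%20'))"
ts=2024-10-18T10:15:44Z host=WS02 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\mshta.exe cmdline="mshta C:\\Vendor\\help.hta"
ts=2024-10-18T10:16:10Z host=WS01 parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\System32\\ping.exe cmdline="ping 10.0.0.1"
"""

# Matches key=value pairs; values may be double-quoted to allow spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# mshta accepts inline script through these protocol handlers, which is
# what the LNK in this campaign abuses instead of pointing at a .hta file.
_INLINE_SCRIPT = re.compile(r'\b(javascript|vbscript):', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_mshta(event: Dict[str, str]) -> bool:
    """True when mshta.exe is spawned by cmd.exe with an inline script argument."""
    if _basename(event.get("image", "")) != "mshta.exe":
        return False
    if _basename(event.get("parent", "")) != "cmd.exe":
        return False
    return bool(_INLINE_SCRIPT.search(event.get("cmdline", "")))


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return the events matching the cmd.exe -> mshta.exe inline-script rule."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event and is_suspicious_mshta(event):
            findings.append(event)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['ts']} {hit['host']}: {hit['cmdline']}")
```

On the constructed sample only the first event is flagged; a legitimate mshta.exe launch of a local .hta file from explorer.exe is not.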

Researchers found that the attack uses encoded JavaScript to hide the code that connects to Astaroth’s C&C servers. These servers, identified through domains such as ‘patrimoniosoberano[.]world,’ are produced by a domain generation algorithm (DGA), a tactic that generates many candidate URLs so that blocking or blacklisting any single one does not cut off the malware.

Though Astaroth has been around for years, its continued evolution makes it a persistent threat. The banking trojan steals credentials and poses significant risks to business operations.

[Image: The attack chain explained. | Source: Trend Micro]

Beyond financial losses, organisations affected by this malware face long-term damage to their reputations, potential regulatory fines, and the costly process of recovering from business disruptions.

Despite these dangers, researchers’ ongoing monitoring has yet to detect any critical payloads.

Researchers urged organisations to conduct security awareness training to help employees recognise phishing attempts, enforce strong password policies, and implement multi-factor authentication (MFA) to counter spear phishing campaigns like Water Makara. Organisations should also apply the principle of least privilege and keep the operating system updated.

“Water Makara’s spear phishing campaign relies on unwitting users clicking on the malicious files, which underscores the critical role of human awareness. Companies should also adopt best practices, such as conducting regular security training, enforcing strong password policies, using multifactor authentication (MFA), keeping security solutions and software updated, and applying the principle of least privilege,” researchers concluded.

In September 2024, a Chinese man stole NASA’s source code using spear phishing. Similarly, cyber crooks exploited HTTP headers in massive phishing campaigns.

The cryptocurrency sector also suffered from phishing attacks. In August, East Asian APT group UTG-Q-010 targeted cryptocurrency enthusiasts to deploy PuppyRAT.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
