A Website Attacked

Oct. 16, 2024, 9:49 a.m.

Tags
malware
netsupport
spoofing
watering hole
2024-10-16
browser updates
compromised websites
External References
Description

This report investigates a watering hole attack on a U.S. apartment website that delivered malware by spoofing a fake browser update. The investigation uncovered dozens of other compromised websites from various industries like healthcare, retail, and consumer sites. The compromised sites loaded malicious scripts from external domains, using techniques like iframes, random variable strings, and insertBefore methods. The malware spoofed Chrome, Mozilla, and Edge browser updates to deliver NetSupport malware. Domain registration analysis revealed the actor utilized various registrars, ISPs, and nameservers, prioritizing volume and speed over operational security. The activity shares similarities with the Socgholish threat group.

Date

Published: Oct. 16, 2024, 9:29 a.m.

Created: Oct. 16, 2024, 9:29 a.m.

Modified: Oct. 16, 2024, 9:49 a.m.

Indicators

f4c80753adb721e3b55febeda133f9604e31ed19e234dca63be005e4bf2199a6

3a8592a08dbed49906e60b66747901fa530d435d1296f8e849097e69ebe026cc

18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

5.181.159.28

5.181.159.137

5.181.156.60

94.158.245.103

173.44.141.66

https://waterlinesheet.org/bDrVdw9c

https://treegreeny.org/KDJnCSZn

https://roadrunnersell.com/trade/fix.php?789

https://surelytheme.org/ZcqVjVQ1

https://quaryget.org/Gb7XTy3b

https://neworderspath.org/k4WP6NP9

https://nowordshere.org/bjz1khVv

https://libertader.org/YMKhmHVC

https://linedloop.org/HLgFVr7h

https://lemonicecold.org/cd5fkZwv

https://jsqur.com/LK2BnrDQ

https://jqueryh.org/7JHjvZgP

https://gxsicmj3l.top/cdn-vs/download.php?4372

https://greenpapers.org/6gjyRhhQ

https://greedyclowns.org/NTPm2fKs

https://estafetaofj.top/data.php?14979

https://drilledgas.org/dpw79r1k

https://dailytickyclock.org/Rz7kFbxJ

https://devqeury.org/PZyGWrXw

https://climedballon.org/ytW8d9XY

https://biggerfun.org/HQn5BKC3

https://bigbricks.org/cjpYRFns

http://lilygovert91.top/data.php?6889

http://dcnvahedforil31.com:3121

http://94.158.245.103/fakeurl.htm

http://5.181.159.28:443/fakeurl.htm

http://5.181.159.28/fakeurl.htm

http://5.181.159.137:443/fakeurl.htm

http://5.181.156.60/fakeurl.htm

http://173.44.141.66/fakeurl.htm

Download all indicators here!

Attack Patterns

NetSupport

Socgholish

T1557

T1564

T1543

T1195

Additional Informations

Aerospace

Retail

Hospitality

Technology

Healthcare

Thailand

Japan

United States of America