A Website Attacked

Oct. 16, 2024, 9:49 a.m.

Description

This report investigates a watering hole attack on a U.S. apartment website that delivered malware by spoofing a fake browser update. The investigation uncovered dozens of other compromised websites from various industries like healthcare, retail, and consumer sites. The compromised sites loaded malicious scripts from external domains, using techniques like iframes, random variable strings, and insertBefore methods. The malware spoofed Chrome, Mozilla, and Edge browser updates to deliver NetSupport malware. Domain registration analysis revealed the actor utilized various registrars, ISPs, and nameservers, prioritizing volume and speed over operational security. The activity shares similarities with the Socgholish threat group.

External References

https://www.domaintools.com/resources/blog/a-website-attacked/
https://otx.alienvault.com/pulse/670f879377f69603fe32d425
Tags
malware
netsupport
spoofing
watering hole
2024-10-16
browser updates
compromised websites

Date

  • Created: Oct. 16, 2024, 9:29 a.m.
  • Published: Oct. 16, 2024, 9:29 a.m.
  • Modified: Oct. 16, 2024, 9:49 a.m.

Indicators

  • f4c80753adb721e3b55febeda133f9604e31ed19e234dca63be005e4bf2199a6
  • 3a8592a08dbed49906e60b66747901fa530d435d1296f8e849097e69ebe026cc
  • 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
  • 5.181.159.28
  • 5.181.159.137
  • 5.181.156.60
  • 94.158.245.103
  • 173.44.141.66
  • https://waterlinesheet.org/bDrVdw9c
  • https://treegreeny.org/KDJnCSZn
  • https://roadrunnersell.com/trade/fix.php?789
  • https://surelytheme.org/ZcqVjVQ1
  • https://quaryget.org/Gb7XTy3b
  • https://neworderspath.org/k4WP6NP9
  • https://nowordshere.org/bjz1khVv
  • https://libertader.org/YMKhmHVC
  • https://linedloop.org/HLgFVr7h
  • https://lemonicecold.org/cd5fkZwv
  • https://jsqur.com/LK2BnrDQ
  • https://jqueryh.org/7JHjvZgP
  • https://gxsicmj3l.top/cdn-vs/download.php?4372
  • https://greenpapers.org/6gjyRhhQ
  • https://greedyclowns.org/NTPm2fKs
  • https://estafetaofj.top/data.php?14979
  • https://drilledgas.org/dpw79r1k
  • https://dailytickyclock.org/Rz7kFbxJ
  • https://devqeury.org/PZyGWrXw
  • https://climedballon.org/ytW8d9XY
  • https://biggerfun.org/HQn5BKC3
  • https://bigbricks.org/cjpYRFns
  • http://lilygovert91.top/data.php?6889
  • http://dcnvahedforil31.com:3121
  • http://94.158.245.103/fakeurl.htm
  • http://5.181.159.28:443/fakeurl.htm
  • http://5.181.159.28/fakeurl.htm
  • http://5.181.159.137:443/fakeurl.htm
  • http://5.181.156.60/fakeurl.htm
  • http://173.44.141.66/fakeurl.htm
  • route.alberta-sl.com
  • waterlinesheet.org
  • uniquetouniquetechnicalservices.com
  • treegreeny.org
  • theaeroescorts.com
  • surelytheme.org
  • service-f0.com
  • robotprintmoney.com
  • roadrunnersell.com
  • nowordshere.org
  • north-residence.com
  • mtpolice2030.com
  • neworderspath.org
  • linedloop.org
  • lilygovert91.top
  • libertader.org
  • lemonicecold.org
  • jsqur.com
  • jqueryh.org
  • gxsicmj3l.top
  • greedyclowns.org
  • ganharcomblog.com
  • estafetaofj.top
  • drilledgas.org
  • elbied.com
  • devqeury.org
  • climedballon.org
  • chefspavilion.com
  • biggerfun.org
  • bigbricks.org
  • alberta-sl.com
  • dailytickyclock.org
  • greenpapers.org
  • quaryget.org
Download all indicators here!

Attack Patterns

  • NetSupport
  • Socgholish
  • T1557
  • T1564
  • T1543
  • T1195

Additional Informations

  • Aerospace
  • Retail
  • Hospitality
  • Technology
  • Healthcare
  • Thailand
  • Japan
  • United States of America