This report investigates a watering hole attack on a U.S. apartment website that delivered malware through a fake browser update prompt. The investigation uncovered dozens of other compromised websites across industries including healthcare, retail, and consumer sites. The compromised sites loaded malicious scripts from external domains, injecting them through iframes, randomly named variable strings, and insertBefore DOM calls. The malware spoofed Chrome, Mozilla, and Edge browser updates to deliver NetSupport malware. Domain registration analysis showed that the actor used a variety of registrars, ISPs, and nameservers, prioritizing volume and speed over operational security. The activity shares similarities with the SocGholish threat group.

Author: AlienVault
Related Tags:
browser updates
spoofing
T1557
Thailand
Japan
watering hole
NetSupport
Healthcare
Aerospace
Associated Indicators: