This report investigates a watering hole attack on a U.S. apartment website that delivered malware through a spoofed browser-update prompt. The investigation uncovered dozens of other compromised websites across industries such as healthcare, retail, and consumer sites. The compromised sites loaded malicious scripts from external domains using techniques such as iframes, randomized variable names, and the DOM insertBefore method. The malware spoofed Chrome, Mozilla, and Edge browser updates to deliver the NetSupport remote access tool. Domain registration analysis revealed that the actor used a variety of registrars, ISPs, and nameservers, prioritizing volume and speed over operational security. The activity shares similarities with the SocGholish threat group. Author: AlienVault
Related Tags:
browser updates
spoofing
T1557
Thailand
Japan
watering hole
NetSupport
Healthcare
Aerospace
Associated Indicators:
18DF68D1581C11130C139FA52ABB74DFD098A9AF698A250645D6A4A65EFCBF2D
F4C80753ADB721E3B55FEBEDA133F9604E31ED19E234DCA63BE005E4BF2199A6
3A8592A08DBED49906E60B66747901FA530D435D1296F8E849097E69EBE026CC
57539C95CBA0986EC8DF0FCDEA433E7C71B724C6
C4F1B50E3111D29774F7525039FF7086
quaryget.org
greenpapers.org
dailytickyclock.org
alberta-sl.com