2024-12-26
Watering Hole Attack with SQRoot Malware Targets Specific Users
This article details a watering hole attack that leverages social engineering to target specific users with SQRoot malware.
Malicious Website with Fake Maintenance Message
The attack begins by compromising a legitimate website. The attackers embed malicious JavaScript code that only targets users with specific accounts. Upon successful login, victims are presented with a fake maintenance message while a malicious LZH archive is automatically downloaded. This archive contains the SQRoot malware disguised as a legitimate decompression tool.
LNK File and VBS Script for Extracting Malware
The downloaded LZH archive contains an LNK file. When executed, the LNK file triggers a VBS script that extracts a ZIP archive from within the LNK file. This ZIP archive contains the actual SQRoot malware (dmiapi32.dll).
SQRoot Malware Hijacks Legitimate Software
The SQRoot malware leverages a legitimate program called iusb3mon.exe to establish a new hidden session named “newimp.” Within this session, SQRoot is dynamically loaded and executed, compromising the system.
SQRoot Downloads Plugins and Steals Information
SQRoot is a modular malware that downloads additional plugins from a command and control (C2) server to expand its functionality. The C2 communication is encrypted and includes a unique identifier for the infected system. To evade detection, SQRoot only communicates with the C2 server on weekdays between 9 AM and 6 PM.
One of the downloaded plugins is disguised as a music file (BPM). When installed, this plugin encrypts data on the infected system using the RC4 algorithm and communicates with another C2 server during specific hours.
Another plugin, SQRoot Stealer, piggybacks on a legitimate file named nvSmart.exe. Once loaded, SQRoot Stealer injects a malicious DLL file (nvprojects.dll) into nvSmart.exe’s process. This DLL can steal various information from the infected system, including keystrokes, screenshots, and files.
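To hunt for the loader and injection pairs named above in endpoint telemetry, here is an added example (not code from the report or from Cyberpress): a Python scan over constructed Sysmon-style image-load lines. The pipe-delimited line format, the trusted-directory list and the sample paths are assumptions; the file names come from the report.

```python
import ntpath

# File names from the report: legitimate binaries abused as loaders and the
# malicious DLLs that ride on them. Matched case-insensitively on basename.
ABUSED_HOSTS = {"iusb3mon.exe", "nvsmart.exe"}
MALICIOUS_DLLS = {"dmiapi32.dll", "nvprojects.dll", "nvsmartmax.dll", "iusb3mon.dll"}

# Where a vendor helper is expected to live (assumption, not from the report).
# Anything else (Temp, Roaming, Downloads) is treated as a side-loading signal.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed sample telemetry: "EventID|Image|ImageLoaded" (Sysmon ID 7 = Image Loaded).
SAMPLE_EVENTS = """\
7|C:\\Program Files\\Intel\\iusb3mon.exe|C:\\Windows\\System32\\kernel32.dll
7|C:\\Users\\alice\\AppData\\Local\\Temp\\iusb3mon.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\dmiapi32.dll
7|C:\\Users\\alice\\AppData\\Roaming\\nvSmart.exe|C:\\Users\\alice\\AppData\\Roaming\\nvprojects.dll
7|C:\\Program Files\\NVIDIA\\nvSmart.exe|C:\\Program Files\\NVIDIA\\nvsmartmax.dll
"""


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def scan_events(text: str) -> list:
    """Return findings as (line_no, severity, host_image, loaded_dll)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split("|")
        if len(parts) != 3 or parts[0] != "7":
            continue
        _, image, loaded = parts
        host = ntpath.basename(image).lower()
        dll = ntpath.basename(loaded).lower()
        if host not in ABUSED_HOSTS or dll not in MALICIOUS_DLLS:
            continue
        # The name pair alone is "medium": the DLL should be verified by hash
        # or signature. A user-writable directory on either side is "high".
        severity = "medium"
        if not (in_trusted_dir(image) and in_trusted_dir(loaded)):
            severity = "high"
        findings.append((n, severity, image, loaded))
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The scan deliberately does not alert on the loader binary alone, since iusb3mon.exe and nvSmart.exe are legitimate programs; only the loader-plus-DLL pair is reported.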
Social Engineering and Potential APT10 Involvement
The attackers used social engineering tactics to lure victims to the compromised website. This highlights the importance of employee awareness training to identify and avoid social engineering attempts.
The use of specific malware filenames in this attack (nvSmart.exe, nvsmartmax.dll, iusb3mon.exe, iusb3mon.dll) has been linked to APT10, a well-known cyberespionage group. While the attackers remain unidentified, this connection suggests potential APT10 involvement.
What Undercode Says:
This watering hole attack demonstrates the evolving tactics of cybercriminals. By compromising legitimate websites and leveraging social engineering, attackers can bypass traditional security measures focused on vulnerabilities. Organizations need to implement a layered security approach that includes:
Employee awareness training: Educate employees on how to identify and avoid social engineering attacks.
Web filtering: Block access to malicious websites.
Endpoint security: Deploy security software that can detect and block malware execution.
Regular security audits: Proactively identify and address vulnerabilities in systems and applications.
By implementing these measures, organizations can significantly reduce the risk of falling victim to watering hole attacks and other social engineering tactics.
Note also that the weekday business-hours window SQRoot uses for C2 communication is an attempt to blend in with legitimate network traffic. Organizations should be aware of this tactic and use network monitoring that looks for anomalies regardless of the time of day.
References:
Reported By: Cyberpress.org