In a recent discovery by researchers at Trend Micro, a new wave of phishing attacks targeting users in Brazil has been identified. These attacks involve the use of the Trojan Astaroth, a notorious infostiller of banking data, in a phishing campaign named Water Makara.
The modus operandi of the criminals behind these attacks involves sending emails containing malicious files disguised as tax documents. These files are stored in ZIP archives and trigger malicious JavaScript scripts when opened through “mshta.exe”. The primary targets of these attacks are companies across various sectors in Brazil, including industrial, retail, and governmental institutions.
One of the key tactics employed in these phishing attacks is the use of obfuscated JavaScript for executing hidden commands. This technique helps the attackers evade detection and establish a connection with a control server for carrying out further malicious actions.
The ZIP archives distributed in these attacks also contain LNK files with embedded malicious commands. Upon execution, these files initiate the JavaScript, which then downloads harmful payloads from the attackers’ servers. Researchers observed that the attackers utilize a variety of file formats such as PDF, JPEG, MP4, and GIF to bypass security measures.
The ultimate goal of these attacks is to steal sensitive data from users, particularly financial information for gaining access to banking systems. Despite the long-standing presence of ASTAROTH in the cyber threat landscape, its continual evolution poses a significant risk to users.
To protect against such threats, experts from Trend Micro advise implementing modern security practices, including regular software updates, multifactor authentication, and comprehensive training programs to educate employees on cybersecurity awareness.