Keypoints :
- Water Makara is a spear-phishing campaign aimed specifically at Brazilian organizations.
- The campaign uses obfuscated JavaScript as the delivery stage for the Astaroth malware.
- Initial access relies on social engineering, chiefly phishing emails carrying malicious links or attachments.
- Astaroth steals credentials and other sensitive data and can serve as a foothold for further intrusion.
- The campaign primarily affects sectors handling sensitive information, including banking and national security.
- Mitigations include strict file and directory permissions, automated quarantine of suspicious files, application control, and phishing awareness training.
- Organizations should monitor for abnormal command execution, living-off-the-land binary use, new autostart registry entries, and unauthorized file changes.
- Indicators of Compromise (IoCs) are provided to help identify affected systems.
MITRE Techniques :
- Phishing (T1566) – Attackers use phishing emails to trick victims into executing malicious links or attachments.
- Application Layer Protocol (T1071) – Astaroth talks to its command-and-control (C2) servers over standard application-layer protocols to receive instructions.
- Exfiltration Over C2 Channel (T1041) – The malware sends collected data, including login credentials, back over its existing C2 channel.
- OS Credential Dumping (T1003) – Astaroth is capable of stealing user credentials from compromised systems.
- Boot or Logon Autostart Execution (T1547) – The malware establishes persistence through a registry Run key entry (sub-technique T1547.001, Registry Run Keys / Startup Folder).
Indicator of Compromise :
- [file hash] a1056b744c01b6c02e9f53119eea897a1b99f6f28cbe2fdc5b195a1c985a21c7 (SHA-256)
- [file hash] 32b040df94fee99eeff16a631deea7a26c561dba (SHA-1)
- [file hash] 231a0c88a5e6f061c8582d5892daf141 (MD5, data exfiltration component)
- [ip address] 104.238.167.3 (C2)
- [registry key] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AstarothLoader
- Check the article for all found IoCs.
The Water Makara campaign is a spear-phishing operation aimed specifically at Brazilian organizations. Its delivery stage is obfuscated JavaScript, which installs the Astaroth malware while evading conventional detection.
In this campaign, attackers rely on social engineering, chiefly phishing emails, to persuade victims to open malicious links or attachments. Once executed, the malware steals credentials and other sensitive data and gives the operators a foothold for further intrusion, posing a severe threat to industries that hold valuable information, particularly banking, national security, retail, and manufacturing.
Attack Techniques and Impact of Water Makara Campaign
Water Makara’s deployment of Astaroth uses a multi-layered approach to evade traditional, signature-based detection.
The malware abuses trusted, signed Windows processes to hide its activity and runs largely filelessly, leaving few artifacts on disk for antivirus to flag. Once it has infiltrated a host, Astaroth persistently harvests sensitive information, including login credentials and personal data, making it an effective data-theft tool for cybercriminals.
The campaign predominantly affects Brazilian sectors that handle sensitive information, and a successful infection can lead to financial loss and operational disruption.
Visit the Campaigns section under SOCRadar LABS to explore insights into Water Makara and related threats, and discover how SOCRadar’s XTI platform can support your proactive security efforts.
Mitigation Strategies
Mitigating the impact of the Water Makara campaign requires a robust blend of advanced security measures, user awareness, and proactive monitoring to detect obfuscated and fileless threats.
Below are the recommended mitigation strategies against such cyber threats:
- Limit File and Directory Access: Set strict permissions on critical system directories such as C:\Windows\System32 to prevent unauthorized access and modification.
- Automated Quarantine for Suspicious Files: Ensure antivirus or antimalware solutions are configured to automatically quarantine files flagged as suspicious.
- Endpoint Behavior Monitoring: Implement a Host Intrusion Prevention System (HIPS) or EDR to block executions that display unusual signatures or behaviors.
- Only Allow Verified Executables: Require that only code-signed binaries from trusted publishers are allowed to run, ensuring the legitimacy of executables.
- Application Execution Controls: Use application control (for example AppLocker or WDAC) to limit file execution, matching on publisher, hash, or path rather than on file names alone.
- Disable Unused System Features: Turn off unnecessary components, such as Windows Script Host and other scripting tools, which a JavaScript-based loader depends on.
- Content Filtering for Web Access: Employ content filtering solutions to block access to known malicious websites and restrict risky file types.
- Phishing Awareness Training: Conduct regular training sessions to help users recognize phishing tactics, suspicious emails, and malicious links.
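As an added example (not a script from the SOCRadar article), the PowerShell below applies two of the controls listed above on a Windows 10/11 host running Microsoft Defender Antivirus: it enables Attack Surface Reduction (ASR) rules that block the first stage of a script-based loader, and it disables Windows Script Host so wscript.exe/cscript.exe cannot run JavaScript or VBScript files. The rule GUIDs are Microsoft's published identifiers; which rules to choose, and whether WSH can be disabled in your environment, are assumptions made here, not recommendations from the article.

```powershell
# Added hardening example for the mitigation list above (not the article's own code).
# Run from an elevated prompt. ASR rules only take effect while Defender real-time
# protection is enabled. The rule selection below is this example's assumption.

$asrRules = [ordered]@{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

# Use 'AuditMode' first to measure impact; switch to 'Enabled' (block) after review.
$mode = 'Enabled'
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
    "ASR $mode : $($asrRules[$id])"
}

# Windows Script Host: Enabled = 0 under the machine-wide Settings key disables it for
# all users. Only do this where no logon scripts or tooling depend on wscript/cscript.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord

# Verify the resulting state. ASR action codes: 0 = disabled, 1 = block, 2 = audit, 6 = warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $rid = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    if ($asrRules.Contains($rid)) {
        '{0} -> action {1}' -f $asrRules[$rid], $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}
'WSH Enabled = ' + (Get-ItemProperty -Path $wshKey -Name 'Enabled').Enabled
```

Disabling WSH stops the .js loader from running at all under the default handler, which is a stronger control than hoping antivirus catches an obfuscated script; pair it with application control so the same JavaScript cannot simply be handed to another interpreter.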
Remediation Steps
To effectively respond to Water Makara-related incidents, organizations should take comprehensive remediation steps aimed at detecting and eliminating this campaign’s persistent presence.
- Monitor Command Activity: Keep track of command executions for signs of abnormal behavior, such as unexpected network access or data collection.
- Watch Living-off-the-Land Binaries: Alert on executions of signed Windows utilities that malware commonly abuses, such as certutil.exe and regsvr32.exe, especially when launched by a script host or with a URL on the command line.
- Track File Alterations: Detect unauthorized file changes, particularly in system-critical directories, to catch possible malware manipulation early.
- Observe Registry Key Creations: Monitor the Registry for new autostart entries (for example new values under the Run key), as these are used by the malware to establish persistence.
- Detect Unusual Module Loads: Flag unexpected module loads that could suggest malicious use of trusted system functions.
- Analyze Application Logs for Network Activity: Review logs for applications initiating unusual network connections, helping to identify irregular or suspicious behavior.
Indicators of Compromise (IoCs) for Water Makara Attacks
The following IoCs are associated with Water Makara, aiding in the identification and isolation of infected systems. Organizations should integrate these indicators into threat intelligence feeds to improve detection:
Hashes linked to the Astaroth malware (the list mixes SHA-256, SHA-1 and MD5 digests, so match on all three algorithms):
- a1056b744c01b6c02e9f53119eea897a1b99f6f28cbe2fdc5b195a1c985a21c7 (SHA-256)
- 32b040df94fee99eeff16a631deea7a26c561dba (SHA-1)
- 231a0c88a5e6f061c8582d5892daf141 (MD5, data exfiltration component)
- 539292741fcfda5885313d193341172f (MD5, C2 communication)
- febad9323e10ec5748842603c6ab9dd2e40c9be1 (SHA-1, credential theft module)
IP Addresses:
- 104.238.167.3 (C2)
- 104.238.176.22 (Proxy IP address)
File Paths:
- %APPDATA%\Local\Temp\Astaroth*
Registry Keys:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AstarothLoader
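To turn the remediation steps and the IoC list above into something that can be run on a host, here is an added hunting script (not code from the SOCRadar article). It checks the HKCU Run key for the named value and for any autostart that launches a script host or LOLBin, hashes files under the published drop path against all five digests, and, where Sysmon is installed, looks back over recent process-creation (event 1) and network-connection (event 3) telemetry for the listed C2 addresses and for certutil/regsvr32 executions. The Sysmon log name, the seven-day window, and the extension of the LOLBin list beyond certutil and regsvr32 (mshta, wscript, cscript) are assumptions made here.

```powershell
# Added hunting example for the remediation steps and IoCs above (not the article's code).
# Run in an elevated PowerShell. Sysmon checks are skipped when its log is not present.

$iocHashes = @(
    'a1056b744c01b6c02e9f53119eea897a1b99f6f28cbe2fdc5b195a1c985a21c7',
    '32b040df94fee99eeff16a631deea7a26c561dba',
    '231a0c88a5e6f061c8582d5892daf141',
    '539292741fcfda5885313d193341172f',
    'febad9323e10ec5748842603c6ab9dd2e40c9be1'
) | ForEach-Object { $_.ToLower() }
$iocIps   = @('104.238.167.3', '104.238.176.22')
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'AstarothLoader'
$dropGlob = Join-Path $env:APPDATA 'Local\Temp\Astaroth*'          # path exactly as published
$lolbins  = @('certutil.exe', 'regsvr32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe')  # extended list: assumption
$findings = New-Object System.Collections.Generic.List[string]

# 1. Autostart persistence (Observe Registry Key Creations): the named value, plus any
#    Run entry whose command line invokes a script host or LOLBin.
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues) {
    foreach ($p in $runValues.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # skip provider metadata (PSPath, PSDrive, ...)
        $cmd = [string]$p.Value
        $hit = $lolbins | Where-Object { $cmd -match [regex]::Escape($_) }
        if ($p.Name -eq $runValue -or $hit) { $findings.Add("Run key: $($p.Name) = $cmd") }
    }
}

# 2. Dropped files (Track File Alterations): anything under the IoC path is suspicious;
#    compute MD5, SHA-1 and SHA-256 because the published hashes mix all three.
Get-ChildItem -Path $dropGlob -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("File in IoC path: $($_.FullName)")
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $h = (Get-FileHash -Path $_.FullName -Algorithm $alg).Hash.ToLower()
        if ($iocHashes -contains $h) { $findings.Add("IoC hash match ($alg) $h : $($_.FullName)") }
    }
}

# 3. Sysmon telemetry (Monitor Command Activity, network review). Event 3 = network
#    connection, event 1 = process creation. Assumes the default Sysmon log name.
$sysmonLog = 'Microsoft-Windows-Sysmon/Operational'
function Get-EventFields([System.Diagnostics.Eventing.Reader.EventRecord]$e) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    return $d
}
if (Get-WinEvent -ListLog $sysmonLog -ErrorAction SilentlyContinue) {
    $since = (Get-Date).AddDays(-7)                    # look-back window: assumption
    Get-WinEvent -FilterHashtable @{LogName=$sysmonLog; Id=3; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventFields $_
            if ($iocIps -contains $d['DestinationIp']) {
                $findings.Add("C2 connection: $($d['Image']) -> $($d['DestinationIp']):$($d['DestinationPort'])")
            }
        }
    Get-WinEvent -FilterHashtable @{LogName=$sysmonLog; Id=1; StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventFields $_
            $image = (Split-Path $d['Image'] -Leaf).ToLower()
            if ($lolbins -contains $image) {
                $findings.Add("LOLBin: $image parent=$($d['ParentImage']) cmd=$($d['CommandLine'])")
            }
        }
}

if ($findings.Count -eq 0) { 'No Water Makara indicators found on this host.' } else { $findings }
```

The script reports rather than remediates: an IoC hash hit or a Run value pointing at a script host is strong enough to isolate the host, but a lone certutil or regsvr32 execution needs its parent process and command line reviewed before acting, which is why those fields are included in the finding.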
Conclusion
As threat actors increasingly target businesses with campaigns like Water Makara that rely on phishing and credential theft, early detection and actionable intelligence are vital for a proactive defense.
The Water Makara campaign, which uses spear-phishing and obfuscated JavaScript to deploy the Astaroth malware, presents a serious risk to organizations, particularly those in Brazil’s critical sectors. Because of its stealthy, fileless techniques, detecting Water Makara requires tooling that can identify abnormal process behavior and suspicious script execution rather than relying on file signatures alone.
SOCRadar’s Brand Protection services, under the Digital Risk Protection module, offer powerful tools to monitor and protect your digital assets across multiple channels, including black markets, social media, hacker forums, and cloud buckets. Additionally, with capabilities like Phishing Domain Detection, SOCRadar identifies look-alike domains targeting your organization, proactively alerts you to potential scams, and facilitates swift takedown of fraudulent sites.
For organizations seeking to stay ahead of emerging threats, SOCRadar’s Digital Risk Protection module also offers insights into data breaches, compromised credentials, source code leaks, and any sensitive information being traded on the Dark Web.
Full Research: https://socradar.io/water-makara-campaign-a-spear-phishing-attack-on-brazilian-enterprises/