Watering Hole Attack Targets EmEditor Users with Information-Stealing Malware

MITRE Techniques

• [T1195 ] Supply Chain Compromise – Used to deliver a modified EmEditor installer to victims via the official download page (‘downloaded from the website of EmEditor. The package (an .MSI file) is modified…’).
• [T1059.001 ] Command and Scripting Interpreter: PowerShell – Installer spawns PowerShell to retrieve first-stage code and execute obfuscated scripts (‘spawn a PowerShell command to retrieve its first-stage code’).
• [T1105 ] Ingress Tool Transfer – Payload retrieval from external URLs using Invoke-WebRequest to fetch follow-on scripts (‘the URLs are executed through the Invoke-WebRequest (IWR) method’).
• [T1555.002 ] Credentials from Password Stores: Windows Credential Manager – Malware accesses the Windows Credential Manager to harvest stored credentials (‘how it accesses the Credential Manager’).
• [T1562.001 ] Impair Defenses: Disable or Modify Tools – Malware disables PowerShell Event Tracing for Windows (ETW) to reduce detection (‘Disable PowerShell Event Tracing for Windows (ETW)’).
• [T1041 ] Exfiltration Over C2 Channel – Collected information is sent to a command-and-control server at cachingdrive[.]com for reporting and exfiltration (‘The malware sends all collected information to its C&C server at: hxxps://cachingdrive[.]com/gate/init/2daef8cd.’).
• [T1012 ] Query Registry – Malware reads registry entries to check for installed security applications (‘Registry checking (for security applications)’).
• [T1057 ] Process Discovery – Malware detects running processes to identify installed security software (‘Process detection (identify the security software installed in the system)’).
• [T1113 ] Screen Capture – Malware takes screenshots of the victim system as part of data collection (‘Taking screenshots’).
• [T1497 ] Virtualization/Sandbox Evasion – Malware includes anti-virtualization checks to detect and evade sandbox or VM environments (‘Anti-virtualization’).