Keypoints
- Water Makara delivers the Astaroth banking trojan with new evasion techniques involving obfuscated JavaScript.
- The campaign primarily targets Brazilian enterprises, especially manufacturing, retail, and government sectors.
- Phishing emails impersonate official tax notifications and include ZIP attachments to trick users into opening them.
- Infection chain: ZIP → LNK (or additional file) → Base64-decoded obfuscated JavaScript → mshta.exe executes the decoded script.
- Encoded JavaScript reveals malicious URLs and uses GetObject to invoke a remote method (e.g., “SXSPP29”) to load payloads from C2 servers.
- Command-and-control infrastructure uses patterned domains (e.g., patrimoniosoberano[.]world) with unique subdomains and a /?5/ path, consistent with DGA-style behavior.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Used to deliver ZIP attachments impersonating tax documents to gain initial access. (‘spear phishing emails with attachments often masquerading as personal income tax documents’)
- [T1204.002] User Execution: Malicious File – Relies on users opening the ZIP and executing the embedded LNK or other files. (‘The ZIP file … contains a malicious LNK file’)
- [T1059.007] Command and Scripting Interpreter: JavaScript – Executes obfuscated and Base64-encoded JavaScript to retrieve and run further components. (‘encoded JavaScript commands, which can be decoded using unescape string’)
- [T1218.005] System Binary Proxy Execution: Mshta – Abuses mshta.exe to run HTML/HTA/JavaScript payloads delivered via the LNK command chain. (‘mshta.exe … to execute obfuscated JavaScript commands’)
- [T1036.008] Masquerading: Masquerade File Type – Uses deceptive file names and common document/video extensions to appear benign. (‘multiple variants or file extensions used, namely, .pdf, .jpg, .png, .gif, .mov, and .mp4’)
- [T1568.002] Command and Control: Domain Generation Algorithms – Uses many similar subdomains and patterned URLs under patrimoniosoberano[.]world to obscure C2 infrastructure. (‘The technique they use is called domain generation algorithm (DGA)’)
Indicators of Compromise
- [Domain] C2 domains and subdomains used to host malicious payloads – patrimoniosoberano[.]world (e.g., pritonggopatrimoniosoberano[.]world, pritongongor[.]patrimoniosoberano[.]world)
- [File name] Malicious archive and embedded shortcuts – IRPF20248328025.zip (example ZIP), embedded LNK file that executes encoded JS
- [File extensions] File types used to disguise payloads – .pdf, .jpg, .png, .gif, .mov, .mp4 (used as decoys or carriers)
- [URL pattern] Encoded JavaScript resolves to HTTP/HTTPS requests with patterned paths – hxxps://*.patrimoniosoberano[.]world/?5/ and similar subdomain variations (and other patterned URLs matching request:/https://.*(.world|.org|.io|.net|.city|.com|.cfd|.xyz)(/?[0-9]/)/)
Water Makara’s technical infection chain begins with a spear phishing email containing a ZIP archive that mimics tax-related documents (e.g., “IRPF…zip”). The archive houses an LNK shortcut and/or an additional file that contains Base64-encoded, heavily obfuscated JavaScript; when the user opens the LNK, it runs a command sequence that spawns cmd.exe and invokes mshta.exe to execute the embedded encoded script.
The encoded JavaScript is decoded (for example with unescape) to reveal a malicious URL and an array variable (e.g., _$_TLEN) that references a function name and the C2 URL. The script attempts to use GetObject to retrieve and invoke a remote object method such as “SXSPP29”; successful execution leads to further payload retrieval and Astaroth establishing C2 communications. Observed URLs follow a patterned structure under patrimoniosoberano[.]world with unique subdomains and a /?5/ path, consistent with automated domain-generation or templated subdomain usage.
For detection and analysis, focus on hunting for: ZIP attachments with tax-themed filenames containing LNK files, command lines that call mshta.exe via cmd.exe with /v:Off /c and encoded payloads, presence of Base64-encoded or escaped JavaScript blocks that decode to GetObject calls, and HTTPS requests to subdomains of patrimoniosoberano[.]world or matching the provided URL regex. These indicators can be used to block initial access and trace C2 callbacks during incident response. Read more: https://www.trendmicro.com/en_us/research/24/j/water-makara-uses-obfuscated-javascript-in-spear-phishing-campai.html
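The hunting guidance above can be expressed as a handful of rules run over process, network, script and attachment telemetry. The following is an added example written for this page, not code from Trend Micro or from the referenced research; every sample event in it is constructed, and the only page-derived values are the cmd.exe `/v:Off /c` → mshta.exe command-line shape, the `GetObject` marker, the `_$_TLEN` variable name, the `IRPF<digits>.zip` naming and the `patrimoniosoberano.world` / `/?5/` URL structure. The URL regex is an assumption: it takes the page's loose pattern, anchors it, escapes the dots and matches the observed `/?<digit>/` query string literally, so it also generalizes to the other TLDs the page lists.

```python
"""Hunting rules for the Water Makara / Astaroth delivery chain (added example)."""
import base64
import io
import re
import urllib.parse
import zipfile

# Page: LNK -> cmd.exe /v:Off /c -> mshta.exe running an encoded payload.
CMD_MSHTA_RE = re.compile(r"cmd(\.exe)?\s+/v:off\s+/c\b.*\bmshta(\.exe)?\b", re.IGNORECASE)

# Assumption: anchored rewrite of the page's URL pattern; '?' matched literally
# because the observed path is the query string "/?5/".
C2_URL_RE = re.compile(
    r"^https?://[^/\s]+\.(world|org|io|net|city|com|cfd|xyz)/\?[0-9]/", re.IGNORECASE)
C2_DOMAIN_RE = re.compile(r"(^|\.)patrimoniosoberano\.world$", re.IGNORECASE)

# Page example archive name: IRPF20248328025.zip (IRPF = Brazilian income-tax return).
TAX_ZIP_RE = re.compile(r"^IRPF\d+\.zip$", re.IGNORECASE)


def suspicious_command_line(cmdline: str) -> bool:
    """cmd.exe with /v:Off /c that hands off to mshta.exe."""
    return bool(CMD_MSHTA_RE.search(cmdline))


def suspicious_url(url: str) -> bool:
    """Known C2 apex domain or the templated '<tld>/?<digit>/' URL shape."""
    host = urllib.parse.urlparse(url).hostname or ""
    return bool(C2_DOMAIN_RE.search(host)) or bool(C2_URL_RE.match(url))


def decode_js_payload(blob: str) -> str:
    """Strip the Base64 layer, then the %XX escaping that JavaScript unescape() removes."""
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: not Base64, treat as plain text
        raw = blob
    return urllib.parse.unquote(raw)


def decoded_js_calls_getobject(blob: str) -> bool:
    return "getobject" in decode_js_payload(blob).lower()


def tax_zip_with_lnk(filename: str, data: bytes) -> bool:
    """Tax-themed ZIP whose member list contains a shortcut (.lnk)."""
    if not TAX_ZIP_RE.match(filename):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(".lnk") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def hunt(events):
    """Return (event id, reason) for every event that trips a rule."""
    hits = []
    for ev in events:
        kind = ev["kind"]
        if kind == "process" and suspicious_command_line(ev["cmdline"]):
            hits.append((ev["id"], "cmd.exe /v:Off /c -> mshta.exe"))
        elif kind == "url" and suspicious_url(ev["url"]):
            hits.append((ev["id"], "C2 URL pattern"))
        elif kind == "script" and decoded_js_calls_getobject(ev["body"]):
            hits.append((ev["id"], "encoded JavaScript decodes to GetObject"))
        elif kind == "attachment" and tax_zip_with_lnk(ev["name"], ev["data"]):
            hits.append((ev["id"], "tax-themed ZIP carrying an LNK"))
    return hits


# ---- constructed sample telemetry (not real captures) ----
def _make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


SAMPLE_JS_B64 = base64.b64encode(b"var o = %47et%4Fbject(_$_TLEN[1]);").decode()

SAMPLE_EVENTS = [
    {"id": 1, "kind": "process",
     "cmdline": r"C:\Windows\System32\cmd.exe /v:Off /c mshta.exe <ENCODED_PAYLOAD_PLACEHOLDER>"},
    {"id": 2, "kind": "process", "cmdline": r"C:\Windows\System32\cmd.exe /c dir"},
    {"id": 3, "kind": "url", "url": "https://abc123.patrimoniosoberano.world/?5/"},
    {"id": 4, "kind": "url", "url": "https://cdn.somehost.xyz/?3/"},
    {"id": 5, "kind": "url", "url": "https://example.com/index.html"},
    {"id": 6, "kind": "script", "body": SAMPLE_JS_B64},
    {"id": 7, "kind": "script", "body": "document.title = 'ok';"},
    {"id": 8, "kind": "attachment", "name": "IRPF20248328025.zip",
     "data": _make_zip({"IRPF20248328025.pdf.lnk": b""})},
    {"id": 9, "kind": "attachment", "name": "report.zip",
     "data": _make_zip({"notes.txt": b"quarterly figures"})},
]

if __name__ == "__main__":
    for event_id, reason in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Each rule is deliberately narrow: the command-line rule requires both `/v:Off /c` and mshta.exe in one process launch, the archive rule requires the tax-themed name and an embedded shortcut, and the script rule only fires after the same two decoding layers the page describes (Base64, then unescape) expose `GetObject`. Running the block prints events 1, 3, 4, 6 and 8.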