
Fake Adobe Flash Update Hits in Sneaky Watering Hole Malware Attack


Recent security incidents have highlighted the growing exploitation of vulnerabilities in publicly exposed assets such as VPNs and firewalls, but targeted attacks that need no software vulnerability at all, including watering hole attacks, remain a persistent danger. 

In 2023, a Japanese university research laboratory’s website was compromised, demonstrating the ongoing risk of such attacks, which underscores the need for comprehensive security measures that address various attack vectors, including those targeting web applications and infrastructure.

Flow of the attack

A compromised website will display a fake Adobe Flash Player update notification as part of the watering hole attack, which is a form of social engineering that is used to compromise user systems. 

When an individual is deceived into downloading and running a malicious file, their computer system is infected with the malicious software. 

Rather than exploiting a software vulnerability, the attack relies entirely on manipulating user behavior, which highlights the importance of user awareness and caution when interacting with online content.

Malicious code embedded in the tampered website

The attackers deployed a malicious executable, FlashUpdateInstall.exe, which, upon execution, displayed a deceptive message suggesting a successful Adobe Flash Player update. 

In reality, the malware silently wrote a modified system32.dll to disk and injected it into the Explorer process. The DLL was a Cobalt Strike Beacon variant carrying the watermark “666666”, and it gave the attackers remote control over the compromised system. 

The unknown attacker group employed a multi-faceted approach, leveraging Cloudflare Workers for C2 infrastructure and deploying various malware strains. 

DLL injection technique

According to JPCERT/CC, a notable part of the campaign was the use of malicious files disguised as legitimate documents, such as ones purporting to come from the Ministry of Economy, Trade, and Industry. 

The attacker also built in anti-analysis measures, including process and memory checks and detection of virtual environments, alongside the DLL injection used to plant the Beacon in Explorer.
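The behaviours described in the two sections above (a fake Flash installer launched from a browser, a DLL named system32.dll dropped outside the real System32 directory, that DLL loaded by explorer.exe, and a remote thread created in Explorer) map directly onto Sysmon telemetry. The detector below is an added example written for this article; it is not code from JPCERT/CC or from the campaign, and the event records it runs over are constructed to illustrate the chain, not real logs. Since Adobe ended Flash Player support at the end of 2020, any "Flash update" installer is a lure by definition, so the first rule generalizes beyond the specific FlashUpdateInstall.exe filename. Field names follow Sysmon's (EventID 1 process create, 7 image load, 8 CreateRemoteThread, 11 file create).

```python
"""
Added example: Sysmon-style detection for the fake-Flash-update / DLL-injection
chain described in the article. Event dicts are constructed for illustration.
"""
import re
from pathlib import PureWindowsPath

# Any Flash "update"/"installer"/"player" binary is suspicious: Flash is end-of-life.
FLASH_LURE = re.compile(r"flash.*(update|install|player)", re.IGNORECASE)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

WINDOWS_ROOT = PureWindowsPath(r"C:\Windows")
SYSTEM32 = WINDOWS_ROOT / "System32"
# Locations an unprivileged user can write to; explorer.exe should not load code from here.
USER_WRITABLE = (PureWindowsPath(r"C:\Users"), PureWindowsPath(r"C:\ProgramData"))


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def under(path: str, root: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` lies inside directory `root`."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    rparts = [p.lower() for p in root.parts]
    return parts[: len(rparts)] == rparts


def detect(events):
    """Return a list of (rule_name, detail) alerts for the given Sysmon-style events."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            if FLASH_LURE.search(basename(ev["Image"])) and basename(ev["ParentImage"]) in BROWSERS:
                alerts.append(("fake_flash_installer", ev["Image"]))
        elif eid == 11:  # file creation
            target = ev["TargetFilename"]
            if basename(target) == "system32.dll" and not under(target, SYSTEM32):
                alerts.append(("system32_dll_dropped_outside_system32", target))
        elif eid == 7:  # image (DLL) load
            loaded = ev["ImageLoaded"]
            if basename(ev["Image"]) == "explorer.exe" and any(under(loaded, r) for r in USER_WRITABLE):
                alerts.append(("explorer_loaded_user_writable_dll", loaded))
        elif eid == 8:  # CreateRemoteThread, the classic DLL-injection signal
            if basename(ev["TargetImage"]) == "explorer.exe" and not under(ev["SourceImage"], WINDOWS_ROOT):
                alerts.append(("remote_thread_into_explorer", ev["SourceImage"]))
    return alerts


# Constructed sample telemetry: four events from the attack chain plus three benign ones.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\FlashUpdateInstall.exe",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\FlashUpdateInstall.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\system32.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\system32.dll"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\FlashUpdateInstall.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    # benign noise that must not fire
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"[ALERT] {rule}: {detail}")
```

The four rules are intentionally narrow so each can be tuned separately: the image-load rule will need an allowlist in environments with shell extensions installed per-user, and the CreateRemoteThread rule should be scoped to the source process's signer once you have that field. The "system32.dll outside System32" rule is the cheapest and least noisy of the four and is worth deploying as-is.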
