
Hackers Exploit LNK Files to Spread LZH Malware


A watering hole attack was conducted by embedding malicious JavaScript code in a legitimate website. The site required basic authentication, so only users holding specific accounts were targeted.

Upon successful login, the compromised website displayed a maintenance message and automatically initiated the download of an LZH archive containing malware. To assist users in extracting the archive, a link to download the legitimate decompression software Lhaplus was also provided.

Figure: Flow of the attack

The attack leverages an LNK file containing a ZIP archive, which holds malicious code, including a VBS script for extraction and the SQRoot malware (dmiapi32.dll). Upon LNK execution, the VBS script extracts the malware. 

The SQRoot malware then utilizes legitimate software, iusb3mon.exe, to establish a new session called “newimp.” Within this session, the SQRoot malware is dynamically loaded and executed, compromising the system.
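The LNK file described above is effectively a polyglot: a valid shortcut header followed by a ZIP archive. The following triage script is an added example, not code from the article or from JPCERT/CC. It checks the fixed ShellLinkHeader (size 0x4C and the shell-link CLSID, as specified in MS-SHLLINK), then looks for a ZIP local-file signature after that header and lists the archive's contents. The sample LNK bytes and the file name extract.vbs are constructed here; dmiapi32.dll is the name reported in the article.

```python
"""Flag Windows shortcut (.lnk) files that carry an embedded ZIP archive.

Added example, not from the article or JPCERT/CC. A plain shortcut has no
reason to contain a ZIP local-file header ("PK\x03\x04") after its
ShellLinkHeader, so its presence is a useful triage signal for the
LNK-with-embedded-ZIP technique described above.
"""
import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
# ShellLinkHeader.LinkCLSID: 00021401-0000-0000-C000-000000000046 (little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def is_lnk(data: bytes) -> bool:
    """True if data starts with the fixed ShellLinkHeader from MS-SHLLINK."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def embedded_zip_offset(data: bytes) -> int:
    """Offset of the first ZIP local-file header after the LNK header, or -1.
    Searching past the header avoids matching bytes of the header itself."""
    return data.find(ZIP_LOCAL_HEADER, LNK_HEADER_SIZE)


def list_embedded_zip(data: bytes) -> list[str]:
    """Names inside the embedded ZIP (empty if none or not a readable archive)."""
    off = embedded_zip_offset(data)
    if off < 0:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(data: bytes) -> dict:
    """Summarise an LNK candidate: valid header, ZIP offset, embedded names.
    'suspicious' is set when a valid LNK carries a readable ZIP payload."""
    names = list_embedded_zip(data)
    return {
        "is_lnk": is_lnk(data),
        "zip_offset": embedded_zip_offset(data),
        "embedded_files": names,
        "suspicious": is_lnk(data) and bool(names),
    }


def build_sample_lnk(payload_names: list[str]) -> bytes:
    """Construct a minimal LNK-shaped blob with a ZIP appended (test input,
    not a real sample): zeroed header fields, 64 bytes of padding, then ZIP."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in payload_names:
            zf.writestr(name, b"placeholder content")  # constructed payload
    return header + b"\x00" * 64 + buf.getvalue()


if __name__ == "__main__":
    # Constructed names: extract.vbs is hypothetical; dmiapi32.dll is from the report.
    print(triage(build_sample_lnk(["extract.vbs", "dmiapi32.dll"])))
```

The check is deliberately narrow: it keys on a ZIP signature appearing beyond the 76-byte header, which a legitimate shortcut's string data and extra blocks will not normally contain. Files that fail `is_lnk` but still carry a ZIP are reported as well, since the `zip_offset` and `embedded_files` fields are filled regardless of the header check.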

Figure: Malicious code contained in the LNK file

SQRoot is a malware that downloads plugins from a C2 server to extend its functionality. Its C2 communication is encrypted with ChaCha20 and carries a unique ID in the User-Agent header and a random string in the x-auth header.

To blend in with legitimate traffic, it communicates with the C2 server only on weekdays between 9:00 and 18:00.

The SQRoot RAT is a malicious program disguised as a BPM file that is downloaded when the plugin 8015ba282c.tmp is installed. It encrypts data using the RC4 algorithm and communicates with a Command and Control (C2) server during specific hours.

The malware operates by sending HTTP POST requests to the C2 server, containing unique identifiers and commands from a predefined list.
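The beaconing pattern described above (HTTP POST, a unique ID in the User-Agent, a random x-auth value, and a weekday 9:00-18:00 window) can be hunted in web proxy logs. The script below is an added example, not code from the article or JPCERT/CC. The JSON-lines log format and every log line in it are constructed for this example; the detector does not depend on any real proxy product. Because the time window is camouflage, the detector flags on the header pattern and uses the window only as supporting evidence, so a beacon that falls outside the window is still reported. Treating 18:00 itself as outside the window is an assumption.

```python
"""Hunt proxy logs for the SQRoot-style C2 pattern described above.

Added example, not the article's or JPCERT/CC's code. Log format and
sample lines are constructed; the indicators (POST, custom x-auth header,
per-host ID in the User-Agent, weekday 09:00-18:00 beaconing) come from
the description above.
"""
import json
from collections import defaultdict
from datetime import datetime

BUSINESS_START, BUSINESS_END = 9, 18  # window edge at 18:00 is an assumption

# Constructed sample log (JSON lines). 2024-03-05 is a Tuesday, 03-09 a Saturday.
SAMPLE_LOG = """\
{"ts": "2024-03-05T10:15:02", "src": "10.0.0.12", "method": "POST", "host": "203.0.113.10", "user_agent": "Mozilla/5.0 (id=3f9a1c2e)", "headers": {"X-Auth": "q8Zr1XvT"}}
{"ts": "2024-03-05T10:16:30", "src": "10.0.0.12", "method": "GET", "host": "example.org", "user_agent": "Mozilla/5.0", "headers": {}}
{"ts": "2024-03-09T11:00:00", "src": "10.0.0.12", "method": "POST", "host": "203.0.113.10", "user_agent": "Mozilla/5.0 (id=3f9a1c2e)", "headers": {"x-auth": "mN2pL0wQ"}}
{"ts": "2024-03-06T14:02:11", "src": "10.0.0.13", "method": "POST", "host": "203.0.113.10", "user_agent": "Mozilla/5.0 (id=7bd44e01)", "headers": {"x-auth": "aaaaaaaa"}}
{"ts": "2024-03-06T14:05:00", "src": "10.0.0.14", "method": "POST", "host": "login.example.org", "user_agent": "Mozilla/5.0", "headers": {"content-type": "application/x-www-form-urlencoded"}}
"""


def in_beacon_window(ts: datetime) -> bool:
    """True on Monday-Friday between 09:00 (inclusive) and 18:00 (exclusive)."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.hour < BUSINESS_END


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines; header names are lower-cased because HTTP headers
    are case-insensitive and malware may vary the case."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["headers"] = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def find_c2_candidates(records: list[dict]) -> list[dict]:
    """Flag POST requests carrying an x-auth header; annotate whether the
    request fell inside the beaconing window (supporting evidence only)."""
    flagged = []
    for rec in records:
        if rec["method"] == "POST" and "x-auth" in rec["headers"]:
            flagged.append({**rec, "in_window": in_beacon_window(rec["ts"])})
    return flagged


def summarize(flagged: list[dict]) -> dict:
    """Group flagged requests per (src, host). A rotating x-auth value with a
    stable User-Agent across posts matches the described per-request random
    string plus per-host unique ID."""
    groups = defaultdict(lambda: {"posts": 0, "x_auth": set(), "user_agents": set(), "in_window": 0})
    for rec in flagged:
        g = groups[(rec["src"], rec["host"])]
        g["posts"] += 1
        g["x_auth"].add(rec["headers"]["x-auth"])
        g["user_agents"].add(rec["user_agent"])
        g["in_window"] += int(rec["in_window"])
    return {
        key: {
            "posts": g["posts"],
            "distinct_x_auth": len(g["x_auth"]),
            "distinct_user_agents": len(g["user_agents"]),
            "in_window": g["in_window"],
        }
        for key, g in groups.items()
    }


if __name__ == "__main__":
    for key, stats in summarize(find_c2_candidates(parse_log(SAMPLE_LOG))).items():
        print(key, stats)
```

The normal form login on the last sample line is not flagged, since it has no x-auth header. Per (src, host) pair the summary exposes the two traits worth pivoting on: `distinct_x_auth` growing with `posts` (random per request) while `distinct_user_agents` stays at 1 (stable ID).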

Figure: A part of the SQRoot RAT disguised as a BPM file

SQRoot Stealer is a malicious program that piggybacks on a legitimate file named nvSmart.exe. Once loaded, SQRoot Stealer injects a DLL file named nvprojects.dll into nvSmart.exe’s process. nvprojects.dll then loads additional plugins (like jtpa_record_4_0.tmp, jtpa_snap_2_0_1.tmp, jtpa_un_cat.tm) to steal information from the infected system. 

According to JPCERT/CC, these plugins are capable of carrying out a variety of tasks, such as keylogging, screen capturing, and file transfer.

Figure: Flow of SQRoot Stealer execution

By leveraging social engineering, the campaign infects targets with malware while bypassing vulnerability-focused security measures. The attackers compromised a website and installed a Weevely web shell, allowing remote access and subsequent malware delivery.

While the attack group remains unidentified, the use of specific malware filenames (nvSmart.exe, nvsmartmax.dll, iusb3mon.exe, iusb3mon.dll) previously employed by APT10 suggests potential involvement. 

The case highlights the critical need for organizations to implement robust defenses against social engineering attacks, including employee awareness training and security measures that go beyond traditional vulnerability management.
