Water Makara Campaign: Spear-Phishing and Astaroth Malware Infiltrate Brazilian Enterprises

Tags: Astaroth Malware, Phishing Campaign, Brazilian Organizations, Information Stealing
The Water Makara cyber campaign is a highly advanced spear-phishing operation aimed at organizations in Brazil. It uses obfuscated JavaScript to spread the dangerous Astaroth malware, which is specifically crafted to evade detection by traditional security systems. By employing social engineering tactics, attackers deceive victims into clicking on malicious links or attachments in phishing emails. Once the malicious code runs, it activates Astaroth, enabling cybercriminals to steal valuable data and carry out further attacks. This campaign is notable for its focused targeting of Brazilian institutions, employing sophisticated methods to bypass defenses and compromise critical systems.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1036 - Masquerading

ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. [52]

Note: For Windows, Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks, which can be analyzed and used to detect potential Masquerading.

DS0022

File

File Metadata

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override character "\u202E", "[U+202E]", and "%E2%80%AE".

Check and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation.[53] In Linux, the file command may be used to check the file signature.[54]
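The checks described above, as an added example that is not part of the original page or of the campaign analysis it summarizes: a small Python screen that flags the right-to-left override, a trailing space, a padded double extension, and a mismatch between a file's magic bytes and its extension. The magic-byte table covers only a few well-known formats, and every file name and byte string in the sample list is constructed.

```python
# Added example (not from this page or the campaign analysis it summarizes):
# screens a file name and the file's leading bytes for the masquerading tells
# listed above. All sample names and byte strings below are constructed.
import re
from typing import List, Optional

RTLO = "\u202e"  # right-to-left override, U+202E

# Well-known magic bytes for a few common executable/container formats.
MAGIC = {
    b"MZ": "pe",            # Windows PE (.exe, .dll, .scr, .sys, .cpl)
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # also Office OOXML and .jar
    b"\x7fELF": "elf",
}

# Extensions that legitimately carry each signature.
EXPECTED_EXT = {
    "pe": {"exe", "dll", "scr", "sys", "cpl"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "elf": {"", "so", "elf"},
}

# Extensions that execute when double-clicked; a disguised one of these is the concern.
INTERPRETER_EXT = {"exe", "scr", "js", "jse", "vbs", "vbe", "hta", "cmd", "bat", "ps1", "lnk", "msi"}


def sniff(head: bytes) -> Optional[str]:
    """Return the format implied by the first bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def displayed_name(name: str) -> str:
    """Approximate how a file manager renders a name containing U+202E:
    everything after the override is drawn right-to-left, i.e. reversed."""
    idx = name.find(RTLO)
    if idx < 0:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def real_extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_name(name: str) -> List[str]:
    findings = []
    if RTLO in name:
        findings.append("rtlo-override")
    if name != name.rstrip(" "):
        findings.append("trailing-space")
    # "invoice.pdf      .exe": padding that pushes the real extension out of view
    if re.search(r"\.\w{2,4}\s{2,}\.\w{2,4}$", name):
        findings.append("padded-double-extension")
    shown = real_extension(displayed_name(name))
    actual = real_extension(name)
    if shown != actual and actual in INTERPRETER_EXT:
        findings.append(f"shown-as-.{shown}-but-runs-as-.{actual}")
    return findings


def check_file(name: str, head: bytes) -> List[str]:
    """Combine the name heuristics with a magic-bytes vs extension comparison."""
    findings = check_name(name)
    kind = sniff(head)
    ext = real_extension(name.rstrip(" "))
    if kind is not None and ext not in EXPECTED_EXT[kind]:
        findings.append(f"magic-mismatch:{kind}-content-with-.{ext}")
    return findings


if __name__ == "__main__":
    samples = [  # constructed
        ("quarterly-report.pdf", b"%PDF-1.7\n"),
        ("quarterly-report.pdf", b"MZ\x90\x00"),
        ("invoice" + RTLO + "fdp.exe", b"MZ\x90\x00"),
        ("photo.jpg ", b"MZ\x90\x00"),
    ]
    for name, head in samples:
        print(repr(name), "->", check_file(name, head))
```

The displayed-name approximation is the useful part for analysts: "invoice\u202efdp.exe" is an .exe on disk but renders as "invoiceexe.pdf", which is exactly the discrepancy the override is meant to produce.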



File Modification

Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted file accesses that may be associated with Masquerading.

DS0007

Image

Image Metadata

Collecting disk and resource filenames for binaries, comparing that the InternalName, OriginalFilename, and/or ProductName match what is expected, could provide useful leads but may not always be indicative of malicious activity. [55]

DS0009

Process

OS API Execution

Monitor for API calls such as fork() which can be abused to masquerade or manipulate process metadata.



Process Creation

Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints.

Analytic 1 - Suspicious Run Locations

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND (Image="*:\RECYCLER\*" OR Image="*:\SystemVolumeInformation\*" OR Image="*%windir%\Tasks\*" OR Image="*%systemroot%\debug\*")



Process Metadata

Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata; this is a likely indicator that a binary was renamed after it was compiled.
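Both process-creation checks above (the "Suspicious Run Locations" analytic and the on-disk name vs PE metadata comparison) applied to a few records, as an added example that is not part of the original page or of the campaign analysis. The records and the environment-variable mapping are constructed; the field names follow Sysmon Event ID 1 (Image, OriginalFileName) and Security Event ID 4688 (NewProcessName).

```python
# Added example (not from this page or the campaign analysis): applies the
# "suspicious run locations" analytic and the on-disk name vs PE OriginalFileName
# comparison to process-creation records. Records and environment are constructed.
import fnmatch
import ntpath
from typing import Dict, List, Tuple

SUSPICIOUS_LOCATIONS = [
    r"*:\RECYCLER\*",
    r"*:\SystemVolumeInformation\*",
    r"%windir%\Tasks\*",
    r"%systemroot%\debug\*",
]


def expand_patterns(patterns: List[str], env: Dict[str, str]) -> List[str]:
    """Replace %windir% / %systemroot% with the endpoint's real paths, lowercased."""
    out = []
    for pat in patterns:
        for var, value in env.items():
            pat = pat.replace(var, value)
        out.append(pat.lower())
    return out


def image_of(event: Dict[str, str]) -> str:
    # Sysmon EID 1 carries Image; Security EID 4688 carries NewProcessName.
    return event.get("Image") or event.get("NewProcessName") or ""


def triage(events: List[Dict[str, str]], env: Dict[str, str]) -> List[Tuple[str, str]]:
    patterns = expand_patterns(SUSPICIOUS_LOCATIONS, env)
    findings = []
    for ev in events:
        image = image_of(ev)
        if not image:
            continue
        # fnmatchcase on lowercased strings keeps the match case-insensitive on any OS.
        if any(fnmatch.fnmatchcase(image.lower(), p) for p in patterns):
            findings.append((image, "suspicious-run-location"))
        # A renamed binary keeps the OriginalFileName compiled into its version resource.
        original = ev.get("OriginalFileName", "")
        on_disk = ntpath.basename(image)
        if original not in ("", "?", "-") and original.lower() != on_disk.lower():
            findings.append((image, f"name-mismatch:original={original}"))
    return findings


SAMPLE_EVENTS = [  # constructed records
    {"EventCode": "1", "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"EventCode": "1", "Image": r"C:\RECYCLER\S-1-5-21-1\update.exe", "OriginalFileName": "update.exe"},
    {"EventCode": "1", "Image": r"C:\Users\ana\AppData\Local\Temp\svchost.exe", "OriginalFileName": "mshta.exe"},
    {"EventCode": "4688", "NewProcessName": r"C:\Windows\debug\helper.exe"},
]
SAMPLE_ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}

if __name__ == "__main__":
    for image, finding in triage(SAMPLE_EVENTS, SAMPLE_ENV):
        print(f"{finding:40} {image}")
```

As the guidance notes, a name mismatch alone is a lead rather than a verdict: legitimately renamed copies of signed binaries exist, so correlate with the run location, parent process, and command line before escalating.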

DS0003

Scheduled Job

Scheduled Job Metadata

Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

On Windows, Event ID 4698 (Security Log - A scheduled task was created) can be used to alert on the creation of scheduled tasks and provides metadata including the task name and task content (as XML).

On Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on invocations of cron, and provides the metadata included when executing the command.
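To make the Windows Event ID 4698 guidance concrete, here is an added example (not from the original page or the campaign analysis) that pulls the action and trigger out of the TaskContent XML a 4698 record carries and flags tasks whose action is a script interpreter. The two records are constructed; the XML namespace is the real Task Scheduler schema.

```python
# Added example (not from this page or the campaign analysis): summarises the
# TaskContent XML carried by Security Event ID 4698 and flags script-interpreter
# actions. The two events below are constructed.
import ntpath
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def parse_task_content(xml_text: str) -> ET.Element:
    # The embedded task XML keeps its own declaration (encoding="UTF-16");
    # ElementTree rejects that on str input, so strip it before parsing.
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).lstrip())


def summarize_4698(event: Dict[str, str]) -> Dict[str, object]:
    root = parse_task_content(event["TaskContent"])
    exec_node = root.find(".//t:Actions/t:Exec", NS)
    command = arguments = ""
    if exec_node is not None:
        command = exec_node.findtext("t:Command", default="", namespaces=NS)
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS)
    triggers_node = root.find("t:Triggers", NS)
    triggers = [t.tag.split("}")[-1] for t in triggers_node] if triggers_node is not None else []

    findings: List[str] = []
    if ntpath.basename(command).lower() in INTERPRETERS:
        findings.append("script-interpreter")
    if re.search(r"-w(indowstyle)?\s+hidden", arguments, re.I):
        findings.append("hidden-window")
    if re.search(r"-e(xecutionpolicy|p)\s+bypass", arguments, re.I):
        findings.append("execution-policy-bypass")
    return {"task": event["TaskName"], "user": event["SubjectUserName"],
            "command": command, "arguments": arguments,
            "triggers": triggers, "findings": findings}


SAMPLE_EVENTS = [  # constructed 4698 records; TaskContent is the task definition XML
    {"TaskName": r"\Vendor\Updater", "SubjectUserName": "SYSTEM", "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-05-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/silent</Arguments></Exec></Actions>
</Task>"""},
    {"TaskName": r"\OneDrive Sync", "SubjectUserName": "ana", "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command><Arguments>-w hidden -ep bypass -File C:\Users\Public\sync.ps1</Arguments></Exec></Actions>
</Task>"""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(summarize_4698(ev))
```

The second task is the masquerading pattern the guidance has in mind: a familiar-looking name registered by an ordinary user, a logon trigger, and an interpreter action launched from a user-writable path.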



Scheduled Job Modification

Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

DS0019

Service

Service Creation

Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.



Service Metadata

Monitor for contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.


T1059 - Command and Scripting Interpreter

ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.

DS0011

Module

Module Load

Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll).

DS0009

Process

Process Creation

Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.



Process Metadata

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[52]
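An added example (not from the original page or the campaign analysis) of the EID 400/403 guidance: it reads the key=value "Details" block of the event message, pairs engine start (400) with engine stop (403) by RunspaceId, and flags an EngineVersion older than the installed host (a downgrade) or a ServerRemoteHost HostName (a remoting session). The log records are constructed; the Details layout follows the real message format.

```python
# Added example (not from this page or the campaign analysis): parses PowerShell
# Event ID 400/403 messages, pairs sessions by RunspaceId, and flags engine
# downgrades and remote hosts. Log records below are constructed.
import re
from datetime import datetime
from typing import Dict, List


def parse_details(message: str) -> Dict[str, str]:
    """Collect the tab-indented Key=Value lines from the event message."""
    return dict(re.findall(r"^\s*(\w+)=(.*)$", message, re.M))


def sessions(events: List[Dict[str, object]], installed_major: int) -> List[Dict[str, object]]:
    """Pair EID 400 (engine start) with EID 403 (engine stop) by RunspaceId."""
    open_runspaces: Dict[str, Dict[str, object]] = {}
    closed: List[Dict[str, object]] = []
    for ev in events:
        details = parse_details(str(ev["Message"]))
        rid = details.get("RunspaceId", "")
        ts = datetime.fromisoformat(str(ev["TimeCreated"]))
        if ev["EventID"] == 400:
            engine = details.get("EngineVersion", "")
            host = details.get("HostName", "")
            findings: List[str] = []
            major = engine.split(".")[0]
            if major.isdigit() and int(major) < installed_major:
                findings.append(f"engine-downgrade:{engine}")
            if host == "ServerRemoteHost":
                findings.append(f"remote-host:{host}")
            open_runspaces[rid] = {"runspace": rid, "start": ts, "end": None, "engine": engine,
                                   "host": host, "application": details.get("HostApplication", ""),
                                   "findings": findings}
        elif ev["EventID"] == 403 and rid in open_runspaces:
            session = open_runspaces.pop(rid)
            session["end"] = ts
            closed.append(session)
    return closed + list(open_runspaces.values())  # still-open sessions have end=None


def _message(state_line: str, **details: str) -> str:
    """Build a constructed message in the layout of the real 400/403 text."""
    body = "\n".join(f"\t{k}={v}" for k, v in details.items())
    return f"{state_line}\n\nDetails:\n{body}\n"


SAMPLE_EVENTS = [  # constructed
    {"EventID": 400, "TimeCreated": "2024-05-02T09:00:00",
     "Message": _message("Engine state is changed from None to Available.",
                         NewEngineState="Available", PreviousEngineState="None",
                         HostName="ConsoleHost", HostVersion="5.1.19041.4046",
                         HostApplication="powershell.exe", EngineVersion="5.1.19041.4046",
                         RunspaceId="aaaa-1")},
    {"EventID": 400, "TimeCreated": "2024-05-02T09:05:00",
     "Message": _message("Engine state is changed from None to Available.",
                         NewEngineState="Available", PreviousEngineState="None",
                         HostName="ConsoleHost", HostVersion="5.1.19041.4046",
                         HostApplication="powershell.exe -version 2", EngineVersion="2.0",
                         RunspaceId="bbbb-2")},
    {"EventID": 403, "TimeCreated": "2024-05-02T09:05:30",
     "Message": _message("Engine state is changed from Available to Stopped.",
                         NewEngineState="Stopped", PreviousEngineState="Available",
                         RunspaceId="bbbb-2")},
    {"EventID": 403, "TimeCreated": "2024-05-02T09:20:00",
     "Message": _message("Engine state is changed from Available to Stopped.",
                         NewEngineState="Stopped", PreviousEngineState="Available",
                         RunspaceId="aaaa-1")},
    {"EventID": 400, "TimeCreated": "2024-05-02T09:30:00",
     "Message": _message("Engine state is changed from None to Available.",
                         NewEngineState="Available", PreviousEngineState="None",
                         HostName="ServerRemoteHost", HostVersion="5.1.19041.4046",
                         HostApplication=r"C:\Windows\system32\wsmprovhost.exe -Embedding",
                         EngineVersion="5.1.19041.4046", RunspaceId="cccc-3")},
]

if __name__ == "__main__":
    for s in sessions(SAMPLE_EVENTS, installed_major=5):
        print(s["runspace"], s["engine"], s["host"], s["end"], s["findings"])
```

Session duration (end minus start) is a cheap extra signal: a 30-second engine-2.0 session launched from an interactive console is the shape of the downgrade case the guidance mentions, and a session that never closes is worth a look on its own.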

DS0012

Script

Script Execution

Any attempt to enable scripts running on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.


T1204 - User Execution

ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.

DS0017

Command

Command Execution

Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

DS0032

Container

Container Creation

Monitor for newly constructed containers that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.



Container Start

Monitor for the activation or invocation of a container (ex: docker start or docker restart).

DS0022

File

File Creation

Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

DS0007

Image

Image Creation

Monitor for newly constructed image that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

DS0030

Instance

Instance Creation

Monitor for newly constructed instances that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.



Instance Start

Monitor for the activation or invocation of an instance (ex: instance.start within GCP Audit Logs).

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g. destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).



Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g. destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).

DS0009

Process

Process Creation

Monitor for newly executed processes that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.


T1218 - System Binary Proxy Execution

ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may forge credential materials that can be used to gain access to web applications or Internet services.

DS0022

File

File Creation

Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.

DS0011

Module

Module Load

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

DS0009

Process

OS API Execution

Monitor for API calls that bypass process and/or signature based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.



Process Creation

Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.

DS0024

Windows Registry

Windows Registry Key Modification

Monitor for changes made to Windows Registry keys and/or values that may forge credential materials that can be used to gain access to web applications or Internet services.


T1566 - Phishing

ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.
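The header analysis described above, as an added example that is not part of the original page or the campaign analysis: a Python triage of an inbound message that reads the Authentication-Results header the receiving MTA stamps (RFC 8601), records SPF/DKIM/DMARC results, checks that the authenticated domains align with the visible From: domain, and lists URLs in the body, marking those on shortener hosts as needing expansion before a verdict. The two messages are constructed and use reserved example domains; the shortener list is an assumption to be tuned per environment, and short.example in it is a placeholder.

```python
# Added example (not from this page or the campaign analysis): header-level
# triage of an inbound email using the receiver's Authentication-Results header.
# Both sample messages are constructed on reserved example domains.
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

# Hosts whose links should be expanded before a verdict. bit.ly, tinyurl.com and
# t.co are real shorteners; short.example is a constructed placeholder.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "short.example"}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def auth_results(header: str) -> Dict[str, Dict[str, str]]:
    """Parse 'authserv-id; method=result prop=value; ...' (RFC 8601)."""
    parsed: Dict[str, Dict[str, str]] = {}
    for clause in header.split(";")[1:]:  # first clause is the authserv-id
        m = re.match(r"(spf|dkim|dmarc)=(\w+)(.*)", clause.strip())
        if m:
            method, result, rest = m.groups()
            parsed[method] = {"result": result.lower(), **dict(re.findall(r"(\S+)=(\S+)", rest))}
    return parsed


def triage_message(raw: str) -> Dict[str, object]:
    msg = Parser(policy=policy.default).parsestr(raw)
    from_domain = domain_of(parseaddr(str(msg.get("From", "")))[1])
    auth = auth_results(str(msg.get("Authentication-Results", "")))
    findings: List[str] = []
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, {}).get("result", "none")
        if result != "pass":
            findings.append(f"{method}={result}")
    # Alignment: the domain that passed SPF/DKIM should be the one the user sees in From:.
    mailfrom_domain = domain_of(auth.get("spf", {}).get("smtp.mailfrom", ""))
    dkim_domain = auth.get("dkim", {}).get("header.d", "").lower()
    if mailfrom_domain and mailfrom_domain != from_domain:
        findings.append(f"spf-domain-misaligned:{mailfrom_domain}!={from_domain}")
    if dkim_domain and dkim_domain != from_domain:
        findings.append(f"dkim-domain-misaligned:{dkim_domain}!={from_domain}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = re.findall(r"""https?://[^\s<>"']+""", text)
    for url in urls:
        if (urlparse(url).hostname or "").lower() in SHORTENERS:
            findings.append(f"shortened-url:{url}")
    return {"from_domain": from_domain, "auth": auth, "urls": urls, "findings": findings}


SAMPLE_SPOOFED = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bounce@example.net; dkim=none; dmarc=fail header.from=example.com
From: Accounts Payable <billing@example.com>
To: ana@example.org
Subject: Invoice 4471 overdue
Content-Type: text/plain; charset="utf-8"

Please review the invoice before Friday: https://short.example/x4471
"""

SAMPLE_LEGIT = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=billing@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Accounts Payable <billing@example.com>
To: ana@example.org
Subject: Invoice 4471
Content-Type: text/plain; charset="utf-8"

Your invoice is available at https://www.example.com/invoices/4471
"""

if __name__ == "__main__":
    for raw in (SAMPLE_SPOOFED, SAMPLE_LEGIT):
        print(triage_message(raw)["findings"])
```

Only the Authentication-Results header added by your own gateway should be trusted; a sender can include one of its own, so production code should discard any such header whose authserv-id is not your MTA's before parsing.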

DS0022

File

File Creation

Monitor for newly constructed files from phishing messages to gain access to victim systems.

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15]



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1568 - Dynamic Resolution

ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.



Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1547 - Boot or Logon Autostart Execution

ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

DS0027

Driver

Driver Load

Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

DS0022

File

File Creation

Monitor for newly constructed files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.



File Modification

Monitor for changes made to files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

DS0008

Kernel

Kernel Module Load

Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

DS0011

Module

Module Load

Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.

DS0009

Process

OS API Execution

Monitor for API calls that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.



Process Creation

Suspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

DS0024

Windows Registry

Windows Registry Key Creation

Monitor for additions of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry.



Windows Registry Key Modification

Monitor for modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry.
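The Registry additions and modifications described in the two rows above, as an added example that is not part of the original page or the campaign analysis: a Python pass over value-set records shaped like Sysmon Event ID 13 (TargetObject, Details, Image) that recognises a few common autostart locations and rates what the new value launches. The key patterns are a subset chosen for illustration, and all records are constructed.

```python
# Added example (not from this page or the campaign analysis): inspects
# Sysmon EID 13-shaped registry value-set records for writes to autostart
# locations and rates the launched path. Records below are constructed.
import ntpath
import re
from typing import Dict, List, Tuple

# Value locations that launch something at boot/logon (illustrative subset;
# lowercase regexes matched against the end of the TargetObject path).
AUTOSTART_VALUES = [
    (r"\\currentversion\\run(once)?\\[^\\]+$", "run-key"),
    (r"\\policies\\explorer\\run\\[^\\]+$", "policy-run-key"),
    (r"\\winlogon\\(shell|userinit)$", "winlogon"),
]
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata|downloads)\\")


def autostart_kind(target: str) -> str:
    for pattern, kind in AUTOSTART_VALUES:
        if re.search(pattern, target.lower()):
            return kind
    return ""


def launched_paths(details: str) -> List[str]:
    """Every drive-letter path in the value data, quoted or bare, comma lists included."""
    return [p.strip() for p in re.findall(r'[A-Za-z]:\\[^"\n,;]+', details)]


def first_token(details: str) -> str:
    """The program the value runs: a quoted path or the first bare word."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', details)
    return (m.group(1) or m.group(2)) if m else ""


def triage_registry(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    results = []
    for ev in events:
        target, details = ev["TargetObject"], ev.get("Details", "")
        kind = autostart_kind(target)
        if not kind:
            continue
        findings = [f"autostart:{kind}"]
        if ntpath.basename(first_token(details)).lower() in INTERPRETERS:
            findings.append("script-interpreter")
        if any(USER_WRITABLE.search(p.lower()) for p in launched_paths(details)):
            findings.append("user-writable-path")
        results.append((target, findings))
    return results


SAMPLE_EVENTS = [  # constructed, shaped like Sysmon EID 13 (RegistryEvent: Value Set)
    {"Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"Image": r"C:\Users\ana\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'wscript.exe //B "C:\Users\ana\AppData\Roaming\upd.js"'},
    {"Image": r"C:\Users\ana\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\svc.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Vendor\Settings\Theme",
     "Details": "dark"},
]

if __name__ == "__main__":
    for target, findings in triage_registry(SAMPLE_EVENTS):
        print(findings, target)
```

The first record shows why "autostart" alone is only context: installers write Run values all day. The combination of an autostart write, an interpreter, a payload under a user-writable path, and a writer process that is itself in a temp directory is what should raise the score.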


Observed Countries (1)

BR (97)