A new phishing campaign targeting Brazil has been found delivering the banking malware Astaroth (aka Guildma), using obfuscated JavaScript to slip past security controls.
“The impact of the phishing campaign affected a variety of industries, with manufacturing companies, retail firms, and government agencies the most affected,” Trend Micro said in a new analysis.
“Malicious emails often mimic official tax documents, using the urgency of personal income tax returns to trick users into downloading malware.”
The cybersecurity company is tracking the threat activity cluster under the name Water Makara. Notably, Google’s Threat Analysis Group (TAG) has assigned the alias PINEAPPLE to a similar intrusion set that delivers the same malware to Brazilian users.
Both campaigns begin with phishing messages that impersonate official organizations such as the Receita Federal and aim to get recipients to download a ZIP archive disguised as income tax documents.
The malicious ZIP file contains a Windows shortcut (LNK) that abuses mshta.exe, a legitimate utility for running HTML Application (HTA) files, to execute obfuscated JavaScript commands and establish a connection to the command-and-control (C2) server.
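As an added example, not code from the Trend Micro report, the following Python sketches a detection check a defender might run over process-creation telemetry for the LNK-to-mshta.exe step described above. The pipe-separated event format, the field names and the sample lines are constructed assumptions.

```python
"""Flag process-creation events where mshta.exe runs inline or untrusted script."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events in the form Image|ParentImage|CommandLine (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\mshta.exe|C:\Windows\explorer.exe|"
    r"mshta.exe javascript:eval(unescape('%76%61%72%20%61%3d%31'))",
    r"C:\Windows\System32\mshta.exe|C:\Windows\explorer.exe|"
    r"mshta.exe C:\Users\ana\Downloads\IRPF_2024.hta",
    r"C:\Windows\System32\mshta.exe|C:\Program Files\Vendor\app.exe|"
    r"mshta.exe C:\Program Files\Vendor\help.hta",
    r"C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe notes.txt",
]

# Script passed directly on the command line instead of a file on disk.
INLINE_SCRIPT = re.compile(r"\b(?:javascript|vbscript|about):", re.I)
# HTA files staged where a phishing payload would typically be unpacked.
USER_WRITABLE = re.compile(r"\\(?:Downloads|Temp|AppData|Public)\\", re.I)
# Common markers of obfuscated JavaScript (escaped or char-code built strings).
OBFUSCATION = re.compile(r"unescape|fromCharCode|\\u00|%[0-9a-f]{2}", re.I)


@dataclass
class Finding:
    reason: str
    parent: str
    command_line: str


def classify_event(line: str) -> Optional[Finding]:
    """Return a Finding for suspicious mshta.exe use, or None for benign events."""
    image, parent, cmdline = line.split("|", 2)
    if not image.lower().endswith("\\mshta.exe"):
        return None
    if INLINE_SCRIPT.search(cmdline):
        reason = "inline script passed to mshta"
        if OBFUSCATION.search(cmdline):
            reason += "; obfuscation markers present"
        return Finding(reason, parent, cmdline)
    if USER_WRITABLE.search(cmdline):
        return Finding("HTA launched from user-writable path", parent, cmdline)
    return None  # HTA from a vendor install path: not flagged by this rule


def triage(events: List[str]) -> List[Finding]:
    """Run classify_event over a batch of events and keep only the findings."""
    return [f for f in (classify_event(e) for e in events) if f is not None]
```

A parent of explorer.exe on a flagged event is consistent with a user double-clicking a shortcut, which is worth surfacing alongside the command line when the alert is reviewed.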
“For now Astaroth may appear to be an old banking Trojan, but its re-emergence and continued evolution make it a constant threat,” the researchers said.
“In addition to stolen data, the impact extends to long-term damage to consumer confidence, regulatory fines, and increased costs due to business disruptions and downtime, as well as recovery and remediation.”
To reduce the risk posed by such attacks, it is recommended to implement strong password policies, use multi-factor authentication (MFA), constantly update security solutions and software, and apply the principle of least privilege (PoLP).