
Watering hole attack targeting a university research laboratory's website in Japan.

In December 2024, the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) reported a watering hole attack targeting a university research laboratory's website in Japan.

In this attack, the compromised website displayed a fake Adobe Flash Player update prompt. Visitors who downloaded and ran the offered "update" installed malware on their own systems. The method relied on social engineering rather than on exploiting a software vulnerability: no browser or plugin exploit was needed, only a user willing to run a download that the page told them they needed. Worth noting for anyone assessing such a prompt: Adobe ended support for Flash Player at the end of 2020, so a website offering a Flash update is itself a strong indicator that something is wrong.

The downloaded malware, FlashUpdateInstall.exe, displayed a decoy document stating that Adobe Flash Player had been updated successfully. At the same time it deployed a second component, system32.dll, and injected it into the Explorer process using the Early Bird injection technique, a variant of APC injection in which a process is created in a suspended state, the payload is queued as an asynchronous procedure call on its main thread, and the thread is then resumed so the payload runs before the process's own code, which is why the technique is used to slip past some user-mode security hooks. The DLL was identified as a modified Cobalt Strike Beacon (version 4.5) carrying the watermark 666666. The watermark is a value derived from the Cobalt Strike license and embedded in the Beacon configuration, which makes it useful for linking samples to one operator or toolkit; the caveat is that cracked or modified builds often carry reused or bogus watermarks, so it supports attribution but does not settle it.
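How an analyst confirms a claim like "Beacon 4.5, watermark 666666" is by extracting the Beacon configuration from the sample. The following script is an added example written for this summary, not code from JPCERT/CC, USOC or Cobalt Strike. It implements the publicly documented Beacon config layout used by open-source parsers (single-byte XOR, key 0x2e for 4.x and 0x69 for 3.x, followed by big-endian TLV records in which setting index 37 is the watermark). The input it parses is a constructed byte blob built inside the script, not bytes from FlashUpdateInstall.exe or system32.dll, and c2.example.com is a placeholder host.

```python
import struct

# Beacon configuration layout as documented by public parsers (1768.py,
# CobaltStrikeParser): the block is XOR-encoded with a single byte
# (0x2e for Beacon 4.x, 0x69 for 3.x) and consists of big-endian TLV
# records: 2-byte setting index, 2-byte type, 2-byte length, value.
# Type 1 = 16-bit short, 2 = 32-bit int, 3 = raw bytes/string.
# A record with index 0 terminates the list.
XOR_KEYS = (0x2E, 0x69)
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 5: "Jitter",
    8: "C2Server", 9: "UserAgent", 10: "HttpPostUri", 37: "Watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}
# Plaintext form of the first record every config starts with
# (index 1 = BeaconType, type 1 = short, length 2); its XOR-encoded form
# is the signature used to locate the config inside a larger image.
CONFIG_HEADER = b"\x00\x01\x00\x01\x00\x02"


def xor(data, key):
    return bytes(b ^ key for b in data)


def encode_setting(index, stype, value):
    """Build one TLV record (used only to construct the sample below)."""
    if stype == 1:
        payload = struct.pack(">H", value)
    elif stype == 2:
        payload = struct.pack(">I", value)
    else:
        payload = value
    return struct.pack(">HHH", index, stype, len(payload)) + payload


def build_sample_config(key=0x2E):
    """Constructed sample image: junk bytes around an encoded config.
    Not bytes from the real FlashUpdateInstall.exe or system32.dll;
    c2.example.com is a placeholder host."""
    records = b"".join([
        encode_setting(1, 1, 8),          # BeaconType: HTTPS
        encode_setting(2, 1, 443),        # Port
        encode_setting(3, 2, 60000),      # SleepTime (ms)
        encode_setting(5, 1, 30),         # Jitter (%)
        encode_setting(8, 3, b"c2.example.com,/api/v1".ljust(64, b"\x00")),
        encode_setting(9, 3, b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)".ljust(64, b"\x00")),
        encode_setting(37, 2, 666666),    # Watermark
    ])
    encoded = xor(records + b"\x00" * 16, key)   # zero padding decodes to the terminator
    return b"\x90" * 64 + encoded + b"\x90" * 32


def find_config(blob):
    """Return (xor_key, offset) of the encoded config, or (None, -1)."""
    for key in XOR_KEYS:
        offset = blob.find(xor(CONFIG_HEADER, key))
        if offset != -1:
            return key, offset
    return None, -1


def parse_config(blob):
    """Decode the config and return a dict of named settings, or None."""
    key, offset = find_config(blob)
    if key is None:
        return None
    data = xor(blob[offset:], key)
    settings = {"XorKey": key}
    pos = 0
    while pos + 6 <= len(data):
        index, stype, length = struct.unpack_from(">HHH", data, pos)
        if index == 0:                       # terminator record
            break
        pos += 6
        if pos + length > len(data):         # truncated or corrupt record: stop
            break
        value = data[pos:pos + length]
        pos += length
        if stype == 1 and length == 2:
            parsed = struct.unpack(">H", value)[0]
        elif stype == 2 and length == 4:
            parsed = struct.unpack(">I", value)[0]
        else:                                # string: take up to the first NUL
            parsed = value.split(b"\x00", 1)[0].decode("latin-1")
        settings[SETTING_NAMES.get(index, "Setting%d" % index)] = parsed
    return settings


if __name__ == "__main__":
    cfg = parse_config(build_sample_config())
    for name, value in cfg.items():
        if name == "BeaconType":
            value = "%d (%s)" % (value, BEACON_TYPES.get(value, "unknown"))
        print("%-12s %s" % (name, value))
```

In practice the blob handed to parse_config is the unpacked DLL or a memory dump of the injected Explorer process, since the XOR layer sits beneath whatever packing or staging the dropper applies; real configs also carry many more settings than the handful named here, which the parser reports by index. A watermark extracted this way is what lets a defender compare a new sample against earlier campaigns, with the caveat above that cracked builds reuse values.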

Further investigation showed that the command and control (C2) server was hosted on Cloudflare Workers, Cloudflare's serverless platform. That choice matters for defenders: HTTPS traffic to a Cloudflare-hosted endpoint blends in with legitimate traffic and resolves to shared Cloudflare infrastructure, so blocking on IP reputation alone is ineffective and detection has to rely on the specific hostname, the beacon's traffic pattern, or host-side indicators. JPCERT/CC also found evidence suggesting that the same threat actor was behind other attacks, including malware disguised as official documents from Japan's Ministry of Economy, Trade and Industry.

This incident underscores the persistent threat of watering hole attacks and the role of user vigilance in stopping them. Users should be cautious when a website, rather than the software itself, prompts them to download an update, and should verify any such prompt through official channels, such as the vendor's own site or the application's built-in updater, before running anything. For defenders, the chain described above offers several places to look: an installer with an update-themed name executed from a download location, a process started in a suspended state and resumed after an APC is queued to it (the Early Bird pattern), and Beacon-style periodic HTTPS traffic to a serverless hosting domain the organization has no business reason to contact.

For More Information: 

https://blogs.jpcert.or.jp/en/2024/12/watering_hole_attack_part1.html

USOC Inc., USOC Security December 25, 2024