Water Makara: New Phishing Wave Targets Brazil with Astaroth Trojan
Researchers at Trend Micro have identified a new wave of phishing attacks targeting users in Brazil. Cybercriminals are employing the Astaroth trojan, notorious for stealing banking information, as part of a phishing campaign dubbed Water Makara.
The attackers distribute emails with attached files disguised as tax documents. The attachments are ZIP archives whose contents, when executed through the “mshta.exe” utility, run malicious JavaScript.
The primary targets of this campaign are companies across various sectors in Brazil, among them industry, retail, and government institutions. The malware is propagated through social engineering tactics, tricking victims into downloading archives containing malicious files masquerading as tax documents.
A critical element of the attack is the use of obfuscated JavaScript to execute commands covertly. This technique aids the criminals in evading detection and establishing a connection with a command-and-control server for further actions.
The ZIP archives contain LNK files with embedded malicious commands. Once launched, these files activate JavaScript, which downloads malicious objects from the attackers’ servers. Researchers have observed that this campaign employs various file formats, ranging from PDF and JPEG to MP4 and GIF, helping the hackers bypass security mechanisms.
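A mail-gateway style triage check for the delivery chain described above (ZIP attachment, LNK file inside, mshta.exe and JavaScript), given as an added example that is not taken from the Trend Micro report. The marker list, function names and sample file names are assumptions constructed for illustration, and the check is a string scan rather than a full LNK parser.

```python
import io
import zipfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# Strings worth flagging in a shortcut that arrived by e-mail (assumed list)
MARKERS = ("mshta", "javascript:")


def lnk_markers(data: bytes) -> list[str]:
    """Return the markers found in a .lnk blob, checking ASCII and UTF-16LE."""
    if not data.startswith(LNK_MAGIC):
        return []
    lowered = data.lower()  # lowercases ASCII letters only; used for matching
    return [m for m in MARKERS
            if m.encode("ascii") in lowered or m.encode("utf-16-le") in lowered]


def triage_zip(blob: bytes, max_bytes: int = 1_000_000) -> list[dict]:
    """List shortcut entries in a ZIP attachment and what they reference."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Bounded read: padded or oversized entries are still inspected
            with zf.open(info) as fh:
                data = fh.read(max_bytes)
            has_header = data.startswith(LNK_MAGIC)
            if has_header or info.filename.lower().endswith(".lnk"):
                findings.append({"name": info.filename,
                                 "valid_lnk_header": has_header,
                                 "markers": lnk_markers(data)})
    return findings


def build_sample() -> bytes:
    """Constructed attachment: header bytes plus strings, not a working shortcut."""
    fake_lnk = (LNK_MAGIC + b"\x00" * 56
                + "mshta.exe javascript:/*placeholder*/".encode("utf-16-le"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tax_document.pdf.lnk", fake_lnk)
        zf.writestr("readme.txt", b"constructed benign entry")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

A shortcut inside an e-mailed archive is already unusual for a tax document; one that also references mshta or a script scheme is a strong candidate for quarantine.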
The main objective of the attack is to harvest users’ confidential data, including credentials for accessing banking systems. Although Astaroth has been known in the cyber threat landscape for some time, its ongoing evolution makes this trojan particularly dangerous.
To combat this threat, Trend Micro experts recommend adopting modern security practices, including regularly updating software, implementing multi-factor authentication, and educating employees on cybersecurity issues.