{
  "name": "A Website Attacked",
  "slug": "a-website-attacked",
  "description": "This report investigates a watering hole attack on a U.S. apartment website that delivered malware through a fake browser update prompt. The investigation uncovered dozens of other compromised websites across industries including healthcare, retail, and consumer sites. The compromised sites loaded malicious JavaScript from external domains, using techniques such as injected iframes, randomly named variables, and DOM insertion via insertBefore. The lure pages impersonated Chrome, Mozilla (Firefox), and Edge update notices to deliver the NetSupport remote access tool. Domain registration analysis showed the actor used a variety of registrars, ISPs, and nameservers, prioritizing volume and speed over operational security. The activity shares similarities with SocGholish. Note that the observables listed below are reproduced live (not defanged); treat them as indicators to hunt for and block, not as links to open.",
  "published": "2024-10-16T07:29:55+00:00",
  "created_at": "2024-10-16T07:29:55+00:00",
  "modified_at": "2024-10-16T07:49:15+00:00",
  "created_at_opencti": "2024-10-16T07:29:55+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-10-16",
    "browser updates",
    "compromised websites",
    "malware",
    "netsupport",
    "spoofing",
    "watering hole"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "5.181.159.28"
      },
      {
        "id": "",
        "name": "5.181.159.137"
      },
      {
        "id": "",
        "name": "5.181.156.60"
      },
      {
        "id": "",
        "name": "94.158.245.103"
      },
      {
        "id": "",
        "name": "173.44.141.66"
      },
      {
        "id": "",
        "name": "https://waterlinesheet.org/bDrVdw9c"
      },
      {
        "id": "",
        "name": "https://treegreeny.org/KDJnCSZn"
      },
      {
        "id": "",
        "name": "https://roadrunnersell.com/trade/fix.php?789"
      },
      {
        "id": "",
        "name": "https://surelytheme.org/ZcqVjVQ1"
      },
      {
        "id": "",
        "name": "https://quaryget.org/Gb7XTy3b"
      },
      {
        "id": "",
        "name": "https://neworderspath.org/k4WP6NP9"
      },
      {
        "id": "",
        "name": "https://nowordshere.org/bjz1khVv"
      },
      {
        "id": "",
        "name": "https://libertader.org/YMKhmHVC"
      },
      {
        "id": "",
        "name": "https://linedloop.org/HLgFVr7h"
      },
      {
        "id": "",
        "name": "https://lemonicecold.org/cd5fkZwv"
      },
      {
        "id": "",
        "name": "https://jsqur.com/LK2BnrDQ"
      },
      {
        "id": "",
        "name": "https://jqueryh.org/7JHjvZgP"
      },
      {
        "id": "",
        "name": "https://gxsicmj3l.top/cdn-vs/download.php?4372"
      },
      {
        "id": "",
        "name": "https://greenpapers.org/6gjyRhhQ"
      },
      {
        "id": "",
        "name": "https://greedyclowns.org/NTPm2fKs"
      },
      {
        "id": "",
        "name": "https://estafetaofj.top/data.php?14979"
      },
      {
        "id": "",
        "name": "https://drilledgas.org/dpw79r1k"
      },
      {
        "id": "",
        "name": "https://dailytickyclock.org/Rz7kFbxJ"
      },
      {
        "id": "",
        "name": "https://devqeury.org/PZyGWrXw"
      },
      {
        "id": "",
        "name": "https://climedballon.org/ytW8d9XY"
      },
      {
        "id": "",
        "name": "https://biggerfun.org/HQn5BKC3"
      },
      {
        "id": "",
        "name": "https://bigbricks.org/cjpYRFns"
      },
      {
        "id": "",
        "name": "http://lilygovert91.top/data.php?6889"
      },
      {
        "id": "",
        "name": "http://dcnvahedforil31.com:3121"
      },
      {
        "id": "",
        "name": "http://94.158.245.103/fakeurl.htm"
      },
      {
        "id": "",
        "name": "http://5.181.159.28:443/fakeurl.htm"
      },
      {
        "id": "",
        "name": "http://5.181.159.28/fakeurl.htm"
      },
      {
        "id": "",
        "name": "http://5.181.159.137:443/fakeurl.htm"
      },
      {
        "id": "",
        "name": "http://5.181.156.60/fakeurl.htm"
      },
      {
        "id": "",
        "name": "http://173.44.141.66/fakeurl.htm"
      },
      {
        "id": "",
        "name": "route.alberta-sl.com"
      },
      {
        "id": "",
        "name": "waterlinesheet.org"
      },
      {
        "id": "",
        "name": "uniquetouniquetechnicalservices.com"
      },
      {
        "id": "",
        "name": "treegreeny.org"
      },
      {
        "id": "",
        "name": "theaeroescorts.com"
      },
      {
        "id": "",
        "name": "surelytheme.org"
      },
      {
        "id": "",
        "name": "service-f0.com"
      },
      {
        "id": "",
        "name": "robotprintmoney.com"
      },
      {
        "id": "",
        "name": "roadrunnersell.com"
      },
      {
        "id": "",
        "name": "nowordshere.org"
      },
      {
        "id": "",
        "name": "north-residence.com"
      },
      {
        "id": "",
        "name": "mtpolice2030.com"
      },
      {
        "id": "",
        "name": "neworderspath.org"
      },
      {
        "id": "",
        "name": "linedloop.org"
      },
      {
        "id": "",
        "name": "lilygovert91.top"
      },
      {
        "id": "",
        "name": "libertader.org"
      },
      {
        "id": "",
        "name": "lemonicecold.org"
      },
      {
        "id": "",
        "name": "jsqur.com"
      },
      {
        "id": "",
        "name": "jqueryh.org"
      },
      {
        "id": "",
        "name": "gxsicmj3l.top"
      },
      {
        "id": "",
        "name": "greedyclowns.org"
      },
      {
        "id": "",
        "name": "ganharcomblog.com"
      },
      {
        "id": "",
        "name": "estafetaofj.top"
      },
      {
        "id": "",
        "name": "drilledgas.org"
      },
      {
        "id": "",
        "name": "elbied.com"
      },
      {
        "id": "",
        "name": "devqeury.org"
      },
      {
        "id": "",
        "name": "climedballon.org"
      },
      {
        "id": "",
        "name": "chefspavilion.com"
      },
      {
        "id": "",
        "name": "biggerfun.org"
      },
      {
        "id": "",
        "name": "bigbricks.org"
      },
      {
        "id": "",
        "name": "alberta-sl.com"
      },
      {
        "id": "",
        "name": "dailytickyclock.org"
      },
      {
        "id": "",
        "name": "greenpapers.org"
      },
      {
        "id": "",
        "name": "quaryget.org"
      },
      {
        "id": "",
        "name": "f4c80753adb721e3b55febeda133f9604e31ed19e234dca63be005e4bf2199a6"
      },
      {
        "id": "",
        "name": "3a8592a08dbed49906e60b66747901fa530d435d1296f8e849097e69ebe026cc"
      },
      {
        "id": "",
        "name": "18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:ded3e0a95823a24e",
        "name": "NetSupport",
        "slug": "netsupport"
      }
    ],
    "intrusion_sets": [
      {
        "id": "5a51f39e-ced0-4fb1-b026-08c10f5b9895",
        "name": "Socgholish",
        "slug": "socgholish"
      }
    ],
    "attack_patterns": [
      {
        "id": "00430919-9257-403b-8a1b-958d4c3613aa",
        "name": "T1557"
      },
      {
        "id": "b9a3b4f8-b9c0-4ed8-bf5e-bf759b9804d6",
        "name": "T1564"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "358e04b8-6f65-48b2-a24b-f101bfc6671a",
        "name": "T1195"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Thailand"
      },
      {
        "id": "",
        "name": "Japan"
      },
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Aerospace"
      },
      {
        "id": "",
        "name": "Retail"
      },
      {
        "id": "",
        "name": "Hospitality"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Healthcare"
      }
    ]
  },
  "external_refs": [
    "https://www.domaintools.com/resources/blog/a-website-attacked/",
    "https://otx.alienvault.com/pulse/670f879377f69603fe32d425"
  ]
}