New Watering Hole Attack That Used Fake Adobe Flash Player Update To Deliver Malware

Cybersecurity threats are increasingly targeting vulnerabilities in publicly exposed assets like VPNs and firewalls, exploited by various actors, including APT groups and ransomware gangs. 

While this focus is understandable, it’s crucial not to neglect traditional attack vectors like phishing emails, malicious websites, and social engineering, as they remain potent tools in the hands of attackers.

The website of a Japanese university research laboratory was compromised in 2023 via a watering hole attack, likely targeting researchers and students, which highlights the vulnerability of academic institutions to cyber threats and the need for robust security measures to protect sensitive research data. 

A attack leverages a compromised website to deceive users into downloading a malicious Adobe Flash Player update, which, disguised as legitimate software, is actually malware that infects the user’s system when executed.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The watering hole attack employed social engineering to deceive users into manually downloading and executing malware by manipulating a legitimate website they frequently visited, bypassing traditional vulnerability exploitation methods.

The malware, FlashUpdateInstall.exe, disguises itself as a successful Adobe Flash Player update notification, whose primary function is to install the core malware, system32.dll, which could potentially execute malicious activities on the infected system.

According to JPCERT/CC, a modified system32.dll file, watermarked with 666666 by Cobalt Strike Beacon 4.5, was injected into the Explorer process using Early Bird Injection.

It is leveraging Cloudflare Workers for C2 operations in a watering hole attack, as this group is also associated with other malicious activities, indicating a broader campaign. 

The attacker employed a sophisticated technique involving file name disguise, decoy documents, and malware with customizable options, including stealth mode, anti-analysis disabling, document saving, process injection, and automated execution.

The malware injects a DLL into processes, likely to evade detection, which also terminates specific antivirus processes and employs anti-analysis techniques, such as checking system resource usage and virtual machine environments. 

Details of a suspected Cobalt Strike beacon configuration, where the server communicates with patient-flower-*.nifttymailcom.workers.dev using HTTPS and port 443. 

It injects malicious code likely through a downloaded JavaScript file and uses dllhost.exe as a spawnto process, where the configuration includes user-agent spoofing and retrieves additional resources from the server. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free