12/10/2014 01:00 PM
'Inception' Cyber Espionage Campaign Targets PCs, Smartphones

Blue Coat report details sophisticated attacks mainly against Russian targets, and Kaspersky Lab calls new campaign next-generation of Red October cyber spying operation.

An international group of criminals, dubbed "Inception" by the security firm that uncovered them, has been carrying out a sophisticated cyber espionage campaign directed primarily at companies in Russia or with interests in that country.

Targets of the group’s campaign include top executives in companies from the oil, finance, and engineering sectors, as well as military, government, and embassy officials from several countries, security firm Blue Coat Labs said in a report released Wednesday. Companies in Russia, Romania, Venezuela, and Mozambique and embassies and diplomatic offices in Paraguay, Romania, and Turkey have been hit by the group’s expanding campaign.

The operational security, code samples, obfuscation tactics, and misdirection used by members of Operation Inception are among the most sophisticated that Blue Coat has observed, says Waylon Grange, senior malware researcher with Blue Coat. Also interesting is its use of malware tools targeting Android, iOS, and BlackBerry mobile devices, he says.

Kaspersky Lab, meanwhile, today said Inception appears to be a new version of Red October. In a blog post today, Kaspersky dubbed the campaign Cloud Atlas. “Just like with Red October, the top target of Cloud Atlas is Russia, followed closely by Kazakhstan, according to data from the Kaspersky Security Network (KSN),” the company said. Companies in Belarus, Kazakhstan, and India also appear to be major targets.

“Actually, we see an obvious overlap of targets between the two, with subtle differences which closely account for the geopolitical changes in the region that happened during the last two years,” Kaspersky said.

The group behind Inception typically uses malware embedded in Rich Text Format (RTF) files to infect victim PCs and notebooks, Blue Coat said. The malware is delivered via highly customized spear phishing emails with an attached Trojanized Word document containing the malware.

When an unsuspecting victim clicks on the attachment, it opens the expected Word document to avoid raising any red flags. But in the background, the malware exploits a previously known RTF vulnerability to drop two small pieces of code to disk and open a communication link with command-and-control accounts hosted by a free version of Swedish hosting service CloudMe.

[Figure: Inception exploit container (Source: Blue Coat)]

The attackers have recently started using Multimedia Messaging Service (MMS) and SMS to send phishing texts and other bait to Android, BlackBerry, and iOS devices belonging to targeted individuals. Blue Coat believes the group has infiltrated the networks of at least 60 providers of mobile services around the world.

“Unusual for many exploit campaigns, the names of the dropped files vary and have been clearly randomized in order to avoid detection by name,” Blue Coat said in its report.

Once on a system, the malware gathers information such as the operating system version, computer name, user name, and local IDs, as well as system drive and volume information. All the data that is collected is encrypted and sent to a cloud account via the Web Distributed Authoring and Versioning (WebDAV) protocol in an apparent attempt to avoid detection by anti-malware tools, the report noted.

“The framework is designed in such a way that all communication after malware infection (i.e. target surveying, configuration updates, malware updates, and data exfiltration) can be performed via the cloud service,” Blue Coat said in its report. Interestingly, each infected machine communicates with its own command-and-control account on the hosted cloud service.
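The one-account-per-infected-machine trait described above is something a defender can look for in proxy logs. The following is a detection sketch added here (it is not code from the Blue Coat or Kaspersky reports): it flags internal clients whose WebDAV account on a cloud-storage host is touched by no other client, while leaving shared team folders alone. The host name cloudme.example, the /webdav/<account>/ path layout and the log line format are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (timestamp, client IP, HTTP method, URL); not real traffic.
SAMPLE_LOGS = """\
2014-12-10T08:05:11 10.0.0.21 GET https://www.example.com/index.html
2014-12-10T08:06:02 10.0.0.21 PROPFIND https://cloudme.example/webdav/acct-a1f3/
2014-12-10T08:06:04 10.0.0.21 PUT https://cloudme.example/webdav/acct-a1f3/sys.bin
2014-12-10T08:07:40 10.0.0.22 PROPFIND https://cloudme.example/webdav/acct-9c0e/
2014-12-10T08:07:42 10.0.0.22 PUT https://cloudme.example/webdav/acct-9c0e/sys.bin
2014-12-10T08:09:13 10.0.0.30 PROPFIND https://cloudme.example/webdav/shared-docs/
2014-12-10T08:10:00 10.0.0.31 PROPFIND https://cloudme.example/webdav/shared-docs/
"""

# HTTP methods that only WebDAV clients use (plus PUT, which uploads the collected data).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "PUT", "MOVE", "COPY", "LOCK", "UNLOCK"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/]+)(/\S*)")


def webdav_accounts(log_text, cloud_host):
    """Map each internal client to the set of WebDAV account paths it touched on cloud_host.
    The account is taken as the first path component after /webdav/ (assumed layout)."""
    accounts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        _ts, client, method, host, path = m.groups()
        if host != cloud_host or method not in WEBDAV_METHODS:
            continue
        parts = path.strip("/").split("/")
        if len(parts) >= 2 and parts[0] == "webdav":
            accounts[client].add(parts[1])
    return accounts


def suspicious_clients(log_text, cloud_host):
    """Return clients whose every WebDAV account on the cloud host is used by no other
    client: the per-machine command-and-control account pattern. Accounts shared by
    several clients (legitimate team storage) are not flagged."""
    accounts = webdav_accounts(log_text, cloud_host)
    users_per_account = defaultdict(set)
    for client, accts in accounts.items():
        for acct in accts:
            users_per_account[acct].add(client)
    return sorted(client for client, accts in accounts.items()
                  if all(len(users_per_account[acct]) == 1 for acct in accts))
```

Run over real proxy logs, the same grouping would also surface the randomized account names the report mentions, since they never recur across clients.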

What makes the campaign remarkable is the extent to which the attackers have gone to hide their tracks, Grange says.

The malware, for example, appears designed to know when it is running in a sandboxed environment or has been detected by a security tool. In such instances, it drops a decoy payload, like a previously known advanced persistent threat used by a Chinese group, to try to throw investigators off track, he says. Most of the malicious code executes in memory, and very little is actually written to disk, making the code very hard to detect.

Masking their true identity
The malicious files and code used in the Operation Inception campaign have names and other hints that appear deliberately designed to confuse people about the group and its affiliations.

For instance, some of the comments used in the Android malware are in Hindi, suggesting ties to India; some documents are titled in Spanish, hinting at a Spanish connection; while some strings used in the BlackBerry malware used by the group are in Arabic, pointing to a Middle Eastern link.

Many of the files and data stolen from compromised systems have been stored on CloudMe, a Swedish hosting service that the group has been using as its primary command-and-control infrastructure. The attackers appear to be most active from 8:00 a.m. to 5:00 p.m. in the Eastern Europe time zone, suggesting they are based in that region, though that could be a deliberate ploy to confound investigators as well, Grange says. “They have intentionally put a lot of red herrings in their code and their procedures,” he says, which makes it difficult to say where the group is from or what they are after.

The manner in which the attackers actually communicate with compromised systems belonging to their targets also makes them very hard to track down. The group appears to have taken control of numerous poorly configured home routers in South Korea, which they use to communicate with accounts hosted on CloudMe, which in turn are used to communicate with and task the compromised systems.

Blue Coat has observed the attackers using at least 100 compromised home routers to communicate with their command-and-control infrastructure on CloudMe, Grange says. The system appears set up in such a manner that the routers used to talk to the cloud services change every hour.

“We have seen malware use the cloud before. But never before have we seen anyone go to this much trouble” to hide tracks, he says.

Since July when Blue Coat first started tracking Operation Inception, the group has sent at least 9,000 "tasking" requests to systems that it has managed to break into. The attackers have used the requests to pull information from the compromised systems. While at least some of the information is device-related, it is hard to say what other data the attackers have extracted from their victims, according to Grange.

The Word documents used in the malware campaign resemble those used in the "Rocra" or Red October campaign, Grange notes. First uncovered by Kaspersky Lab in October 2012, the Red October campaign targeted companies in critical sectors in various countries in Eastern Europe and Asia. The group is believed to have extracted terabytes worth of data from computers, mobile phones, and other devices. It was shut down after Kaspersky went live with the details of the operation in January 2013.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments

Stratustician, User Rank: Moderator, 12/10/2014 | 2:57:00 PM
Another wave of threats, what else is new...
It's increasingly worrisome to see how advanced some of these attacks get, whereby they can even drop payloads if it thinks they have been found by internal security systems. On top of this, with not enough enterprises properly protecting smartphone devices aside from loss protection and remote wipe, these attacks can definitely be assumed to cause significant potential damage to internal systems. Great news to see that these threats are getting better detection and insight to help provide tools to protect users and businesses from these risks.