Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Phishing

8/3/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Kaspersky: Spear-Phishing Attacks Target 400 Industrial Companies

The emails in the spear-phishing campaign, which has been going on for months, are disguised as legitimate finance documents that include profiles of the organizations being attacked, according to Kaspersky Labs.

A massive spear-phishing campaign is targeting hundreds of industrial companies primarily in Russia by disguising the emails as legitimate procurement and accounting letters, according to researchers with Kaspersky Lab.

The attacks, which started in October 2017 and are still underway, are aimed at stealing money and data from more than 400 companies in such industries as oil and gas, energy, construction, logistics and metallurgy, the researchers wrote in a post on the company blog.

The cybercriminals behind the attacks, which have been launched at about 800 employee PCs at these companies, took time and effort in targeting the victims, sending out emails that contained content that reflected the activities and profiles of the organizations they were attacking and that took into account the identity of the employee they were sending the email to, including addressing the victims by name.

Example of a bank transfer receipt that is part of the phishing scheme\r\n(Source: Kaspersky)\r\n
Example of a bank transfer receipt that is part of the phishing scheme
\r\n(Source: Kaspersky)\r\n

"Most spear-phishing (crimeware) campaigns are less personalized, as such levels of personalization often used in APT attacks are," Kirill Kruglov, senior research developer for critical infrastructure threat analysis at Kasperky, told Security Now in an email. "It feels like it takes more time/money for threat actors to prepare such an attack … but all the information required for personalization could be collected from public sources such as corporate website(s), social networks, etc., or it could be found on hackers' forums or the dark net. This means it is not much work; a few months is more than enough for threat actors to prepare such attack."

Most of the phishing emails included content that was finance-related and the names of the attachments also were connected to finance, according to the Kaspersky researchers. Many of the emails had attachments; in others, the messages in the emails were meant to entice victims to follow links to external sites and then downloading malicious code from those sites.

Once users clicked on the attachments, modified legitimate software -- such as Seldon 7.1, data analysis software that uses machine-learning techniques -- is discreetly installed on the computer, along with malware components and a legitimate remote administration software, such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS). Through this, the attackers can gain control of the infected systems.

The malware components can come from several malware families, including AZORult, Hallaj PRO Rat and Babylon RAT, and can be used to collect and steal information. The malware includes such capabilities as logging keystrokes, making screenshots, downloading other malicious files, stealing passwords, cryptocurrency wallets and Skype correspondence, conducting distributed denial-of-service (DDoS) attacks and sending users files to a control-and-command server. (See AZORult Downloader Adds Cryptomining, Ransomware Capabilities.)

The attackers also use a number of techniques to mask the infection and the malware's activities, the researchers said.

The goal of the campaign is stealing money from the accounts of the victims' organizations, researchers find. Through the malware, the cybercriminals can do such jobs as examine documents and software related to procurement, financial and accounting operations, analyze the financial and accounting software being used and find banking clients. The attackers also are looking for other ways to commit financial fraud, such as spoofing the bank details that are used to make payments and changing requisites in payment bills to withdraw money.

In addition, if they needed more data or capabilities -- such as obtaining local administrator rights or stealing Microsoft Windows accounts to spread throughout the corporate network -- the bad actors upload other malware, including spyware, more remote administration technologies and tools to exploit operating system vulnerabilities, that is prepared individually for an attack on each victim. They also can download the Mimikatz tool to get data from Windows accounts.

"Apparently, among other methods, the attackers obtain the information they need to perpetrate their criminal activity by analyzing the correspondence of employees at the enterprises attacked," the analysts wrote in the blog. "They may also use the information found in these emails to prepare new attacks -- against companies that partner with the current victim."

They said the attackers are most likely to be a group whose members have a good command of the Russian language, given the text in the phishing emails and the way the bad actors can make changes to organizations' financial data in Russian. In addition, the researchers said the group like targeting industrial companies because the threat awareness and cybersecurity culture in these organizations are not as strong to firms in other sectors, such as financial services and IT.

"Usually employees of industrial companies are less aware of such personalized spear-phishing and other techniques used by criminals," Kruglov said. "The security measures and procedures are also often less mature in industrial companies. But at the same time, threat actors are moving towards the use of legitimate (or semi-legitimate) tools to bypass security measures that makes it much harder to identify the intrusion in a timely manner."

The Kaspersky analyst also said that while it's highly unlikely this particular campaign will spill over to other countries -- it requires attackers to have knowledge of accounting software and procedures, which can differ between countries -- "we could see another campaign (launched by another threat actor) with similar techniques and toolset. The probability of such an event is considerable."

The Kaspersky researchers note that companies need to use security solutions with particular capabilities to detect and blocking phishing attempts and to use security awareness initiatives to educate employees about cybersecurity.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-0652
PUBLISHED: 2021-10-22
In VectorDrawable::VectorDrawable of VectorDrawable.java, there is a possible way to introduce a memory corruption due to sharing of not thread-safe objects. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitati...
CVE-2021-0702
PUBLISHED: 2021-10-22
In RevertActiveSessions of apexd.cpp, there is a possible way to share the wrong file due to an unintentional MediaStore downgrade. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: An...
CVE-2021-0703
PUBLISHED: 2021-10-22
In SecondStageMain of init.cpp, there is a possible use after free due to incorrect shared_ptr usage. This could lead to local escalation of privilege if the attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation.Pr...
CVE-2021-0705
PUBLISHED: 2021-10-22
In sanitizeSbn of NotificationManagerService.java, there is a possible way to keep service running in foreground and keep granted permissions due to Bypass of Background Service Restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User intera...
CVE-2021-0706
PUBLISHED: 2021-10-22
In startListening of PluginManagerImpl.java, there is a possible way to disable arbitrary app components due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersi...