
Phishing

8/3/2018 08:05 AM
Jeffrey Burt

Kaspersky: Spear-Phishing Attacks Target 400 Industrial Companies

The emails in the spear-phishing campaign, which has been going on for months, are disguised as legitimate finance documents and reflect the profiles of the organizations being attacked, according to Kaspersky Lab.

A massive spear-phishing campaign is targeting hundreds of industrial companies primarily in Russia by disguising the emails as legitimate procurement and accounting letters, according to researchers with Kaspersky Lab.

The attacks, which started in October 2017 and are still underway, are aimed at stealing money and data from more than 400 companies in such industries as oil and gas, energy, construction, logistics and metallurgy, the researchers wrote in a post on the company blog.

The cybercriminals behind the attacks, which have hit about 800 employee PCs at these companies, took time and effort in targeting the victims: the emails contained content that reflected the activities and profiles of the organizations being attacked and took into account the identity of the recipient, including addressing the victims by name.

"Most spear-phishing (crimeware) campaigns are less personalized, as such levels of personalization often used in APT attacks are," Kirill Kruglov, senior research developer for critical infrastructure threat analysis at Kaspersky, told Security Now in an email. "It feels like it takes more time/money for threat actors to prepare such an attack … but all the information required for personalization could be collected from public sources such as corporate website(s), social networks, etc., or it could be found on hackers' forums or the dark net. This means it is not much work; a few months is more than enough for threat actors to prepare such an attack."

Most of the phishing emails included finance-related content, and the names of the attachments also were connected to finance, according to the Kaspersky researchers. Many of the emails carried attachments; in others, the message was meant to entice victims to follow links to external sites and then download malicious code from those sites.

Once a user opens the attachment, modified legitimate software -- such as Seldon 7.1, data analysis software that uses machine-learning techniques -- is discreetly installed on the computer, along with malware components and legitimate remote administration software, such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS). Through these tools, the attackers gain control of the infected systems.

The malware components can come from several malware families, including AZORult, Hallaj PRO Rat and Babylon RAT, and can be used to collect and steal information. The malware includes such capabilities as logging keystrokes, taking screenshots, downloading other malicious files, stealing passwords, cryptocurrency wallets and Skype correspondence, conducting distributed denial-of-service (DDoS) attacks and sending users' files to a command-and-control server. (See AZORult Downloader Adds Cryptomining, Ransomware Capabilities.)

The attackers also use a number of techniques to mask the infection and the malware's activities, the researchers said.

The goal of the campaign is stealing money from the accounts of the victims' organizations, the researchers found. Through the malware, the cybercriminals can examine documents and software related to procurement, financial and accounting operations, analyze the financial and accounting software in use and identify the banking clients. The attackers also look for other ways to commit financial fraud, such as spoofing the bank details used to make payments and altering the bank details in payment invoices to withdraw money.

In addition, if they need more data or capabilities -- such as obtaining local administrator rights or stealing Microsoft Windows accounts to spread throughout the corporate network -- the attackers upload other malware, including spyware, more remote administration technologies and tools to exploit operating system vulnerabilities, prepared individually for the attack on each victim. They also can download the Mimikatz tool to get data from Windows accounts.
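As an added illustration, not code from the article or from Kaspersky's report, the hunt below looks over constructed endpoint process-creation events for the pattern described above: an unsanctioned remote administration tool (TeamViewer, Remote Utilities/RMS) appearing on a host, and Mimikatz-style credential dumping on the same host. The log format, the executable names, the approved-host inventory and the command-line tokens are assumptions made for the example.

```python
"""Hunt for 'legitimate remote admin tool + credential dumping' on one host
over constructed process-creation events (example only)."""
import re
from collections import defaultdict

# Remote administration tools named in the report. The image names are
# assumptions for this example, not indicators from the report.
REMOTE_ADMIN_TOOLS = {
    "teamviewer.exe": "TeamViewer",
    "rutserv.exe": "Remote Utilities (RMS)",
    "rfusclient.exe": "Remote Utilities (RMS)",
}
# Hypothetical inventory: (host, tool) pairs where the tool is sanctioned.
APPROVED = {("helpdesk-01", "TeamViewer")}
# Command-line tokens associated with Mimikatz usage (constructed).
CRED_DUMP_PATTERN = re.compile(r"mimikatz|sekurlsa::logonpasswords", re.IGNORECASE)
# Constructed log line format: key=value pairs, cmdline quoted.
EVENT_RE = re.compile(r'host=(\S+) user=(\S+) parent=(\S+) image=(.+?) cmdline="([^"]*)"')

SAMPLE_LOG = [  # constructed events, not real telemetry
    'host=acct-pc-17 user=ivanova parent=excel.exe image=C:\\Users\\ivanova\\AppData\\Local\\Temp\\rutserv.exe cmdline="rutserv.exe /silentinstall"',
    'host=acct-pc-17 user=ivanova parent=cmd.exe image=C:\\Users\\ivanova\\AppData\\Local\\Temp\\m.exe cmdline="m.exe privilege::debug sekurlsa::logonpasswords"',
    'host=helpdesk-01 user=admin parent=explorer.exe image=C:\\Program Files\\TeamViewer\\TeamViewer.exe cmdline="TeamViewer.exe"',
    'host=eng-pc-03 user=petrov parent=explorer.exe image=C:\\Program Files\\TeamViewer\\TeamViewer.exe cmdline="TeamViewer.exe"',
]

def parse_event(line):
    """Return a dict with host, user, parent, image basename and cmdline, or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    host, user, parent, image, cmdline = m.groups()
    return {"host": host, "user": user, "parent": parent.lower(),
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}

def hunt(lines):
    """Return (host, category, detail) findings; 'combined_pattern' marks a host
    showing both an unsanctioned remote admin tool and credential dumping."""
    findings, per_host = [], defaultdict(set)
    for ev in filter(None, map(parse_event, lines)):
        tool = REMOTE_ADMIN_TOOLS.get(ev["image"])
        if tool and (ev["host"], tool) not in APPROVED:
            findings.append((ev["host"], "unsanctioned_remote_admin", tool))
            per_host[ev["host"]].add("remote_admin")
        if CRED_DUMP_PATTERN.search(ev["cmdline"]) or CRED_DUMP_PATTERN.search(ev["image"]):
            findings.append((ev["host"], "credential_dumping", ev["image"]))
            per_host[ev["host"]].add("cred_dump")
    for host, tags in per_host.items():
        if {"remote_admin", "cred_dump"} <= tags:
            findings.append((host, "combined_pattern", "remote admin tool plus credential dumping"))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```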

"Apparently, among other methods, the attackers obtain the information they need to perpetrate their criminal activity by analyzing the correspondence of employees at the enterprises attacked," the analysts wrote in the blog. "They may also use the information found in these emails to prepare new attacks -- against companies that partner with the current victim."

They said the attackers are most likely a group whose members have a good command of the Russian language, given the text of the phishing emails and the way the attackers can alter organizations' financial data in Russian. In addition, the researchers said the group likes targeting industrial companies because threat awareness and cybersecurity culture in these organizations are not as strong as in firms in other sectors, such as financial services and IT.

"Usually employees of industrial companies are less aware of such personalized spear-phishing and other techniques used by criminals," Kruglov said. "The security measures and procedures are also often less mature in industrial companies. But at the same time, threat actors are moving towards the use of legitimate (or semi-legitimate) tools to bypass security measures, which makes it much harder to identify the intrusion in a timely manner."

The Kaspersky analyst also said that while it's highly unlikely this particular campaign will spill over to other countries -- it requires attackers to have knowledge of accounting software and procedures, which can differ between countries -- "we could see another campaign (launched by another threat actor) with similar techniques and toolset. The probability of such an event is considerable."

The Kaspersky researchers note that companies need to use security solutions with the specific capabilities to detect and block phishing attempts, and to run security awareness initiatives that educate employees about cybersecurity.

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
