Digital Bond specializes in assessing the security of industrial-control systems. Last week, it revealed that an employee had received an email from an account meant to impersonate CEO Dale Peterson. The message linked to a .zip file based on an old research paper the company had published.
When the .zip file was analyzed by the Shadowserver Foundation, researchers concluded the attack patterns were very similar to the actors behind the Shady Rat campaign revealed by McAfee in 2011. McAfee researchers traced the Shady Rat attack back to 2006 and said that it affected scores of organizations, ranging from defense contractors to the United Nations.
According to Shadowserver's Ned Moran, the similarities between Shady RAT and the attack on Digital Bond include the use of encoded commands hidden in otherwise normal-looking Web pages, as well as an overlap between the command-and-control (C&C) infrastructure used in this attack and that of previous Shady RAT attacks.
The malware at the center of the attack was hosted on research.digitalvortex.com. Once on a system, it was designed to create a backdoor and connect to a C&C server at hint.happyforever.com.
"It's a bit concerning that a company whose sole focus is securing industrial control systems should be spear phished," blogged Digital Bond's Reid Wightman. "The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server ... Thankfully the attack was unsuccessful -- paranoia pays off. It is definitely a lesson in 'be careful what you open' ... even if it looks to be coming from Digital Bond (or your boss, as in this case), don't open a file if you aren't expecting it."
Further analysis by researchers at AlienVault and IOActive revealed more details.
"Using the information extracted from the binaries and the servers involved in the attack, we were able to identify more files and campaigns launched by this group during the last months," explained Jaime Biasco, labs manager at AlienVault, in a blog post.
Among the targets in those attacks were the Japan Network Information Center and the Hong Kong University of Science and Technology.
"We have identified that the group behind these attacks is using hacked web servers to host the malicious configuration files," Biasco added. "Based on the networks hosting the C&C IPs (mainly universities), it is very likely that these servers are also hacked and some kind of proxy is installed on them to redirect the traffic to the real C&C server. This can be easily achieved using HTran or other similar software commonly used by Chinese hacker groups in this kind of campaign."
Spear phishing is becoming a favorite vector for launching targeted attacks, which means users need to get trained faster, said Rohyt Belani, CEO of PhishMe, a service that enables companies to train and test employees' phishing knowledge using simulated attacks.
"We have found that immersing people in the [education] experience through mock phishing exercises, and presenting immediate, bite-sized education to those who are susceptible has had the desired effect of reducing human vulnerability to these attacks." The PhishMe service can emulate zip-wrapped PDF files that are similar to those used in the attacks on defense contractors, he said.