Phishing

8/3/2018 08:05 AM
Jeffrey Burt

Kaspersky: Spear-Phishing Attacks Target 400 Industrial Companies

The emails in the spear-phishing campaign, which has been going on for months, are disguised as legitimate finance documents and are tailored to the profiles of the organizations being attacked, according to Kaspersky Lab.

A massive spear-phishing campaign is targeting hundreds of industrial companies primarily in Russia by disguising the emails as legitimate procurement and accounting letters, according to researchers with Kaspersky Lab.

The attacks, which started in October 2017 and are still underway, are aimed at stealing money and data from more than 400 companies in such industries as oil and gas, energy, construction, logistics and metallurgy, the researchers wrote in a post on the company blog.

The cybercriminals behind the attacks, which have been launched at about 800 employee PCs at these companies, took time and effort in targeting the victims, sending out emails that contained content that reflected the activities and profiles of the organizations they were attacking and that took into account the identity of the employee they were sending the email to, including addressing the victims by name.

"Most spear-phishing (crimeware) campaigns are less personalized, as such levels of personalization often used in APT attacks are," Kirill Kruglov, senior research developer for critical infrastructure threat analysis at Kaspersky, told Security Now in an email. "It feels like it takes more time/money for threat actors to prepare such an attack … but all the information required for personalization could be collected from public sources such as corporate website(s), social networks, etc., or it could be found on hackers' forums or the dark net. This means it is not much work; a few months is more than enough for threat actors to prepare such an attack."

Most of the phishing emails carried finance-related content, and the names of the attachments were also connected to finance, according to the Kaspersky researchers. Many of the emails had attachments; in others, the message body was meant to entice victims to follow links to external sites and download malicious code from there.

Once users opened the attachments, modified legitimate software -- such as Seldon 7.1, data analysis software that uses machine-learning techniques -- was discreetly installed on the computer, along with malware components and legitimate remote administration software such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS). Through these, the attackers can gain control of the infected systems.

The malware components can come from several malware families, including AZORult, Hallaj PRO Rat and Babylon RAT, and can be used to collect and steal information. The malware includes such capabilities as logging keystrokes, taking screenshots, downloading other malicious files, stealing passwords, cryptocurrency wallets and Skype correspondence, conducting distributed denial-of-service (DDoS) attacks and sending users' files to a command-and-control server. (See AZORult Downloader Adds Cryptomining, Ransomware Capabilities.)

The attackers also use a number of techniques to mask the infection and the malware's activities, the researchers said.

The goal of the campaign is to steal money from the accounts of the victims' organizations, the researchers found. Through the malware, the cybercriminals can examine documents and software related to procurement, financial and accounting operations, analyze the financial and accounting software in use, and identify the banking clients being used. The attackers also look for other ways to commit financial fraud, such as spoofing the bank details used to make payments and changing the payment details in invoices to divert money.

In addition, if they need more data or capabilities -- such as obtaining local administrator rights or stealing Microsoft Windows account credentials to spread throughout the corporate network -- the attackers upload additional malware prepared individually for each victim, including spyware, more remote administration tools and tools to exploit operating system vulnerabilities. They also can download the Mimikatz tool to extract data from Windows accounts.

"Apparently, among other methods, the attackers obtain the information they need to perpetrate their criminal activity by analyzing the correspondence of employees at the enterprises attacked," the analysts wrote in the blog. "They may also use the information found in these emails to prepare new attacks -- against companies that partner with the current victim."

They said the attackers are most likely a group whose members have a good command of the Russian language, given the text of the phishing emails and the way the attackers make changes to organizations' financial data in Russian. In addition, the researchers said the group likes targeting industrial companies because threat awareness and cybersecurity culture in these organizations are not as strong as in firms in other sectors, such as financial services and IT.

"Usually employees of industrial companies are less aware of such personalized spear-phishing and other techniques used by criminals," Kruglov said. "The security measures and procedures are also often less mature in industrial companies. But at the same time, threat actors are moving towards the use of legitimate (or semi-legitimate) tools to bypass security measures that makes it much harder to identify the intrusion in a timely manner."

The Kaspersky analyst also said that while it's highly unlikely this particular campaign will spill over to other countries -- it requires attackers to have knowledge of accounting software and procedures, which can differ between countries -- "we could see another campaign (launched by another threat actor) with similar techniques and toolset. The probability of such an event is considerable."

The Kaspersky researchers note that companies need to use security solutions with capabilities to detect and block phishing attempts, and to run security awareness initiatives that educate employees about cybersecurity.
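As an added illustration (not code from the article or from Kaspersky Lab) of what detecting the legitimate-tool stage of this campaign can look like on the endpoint side: the Python below runs over constructed process-creation records and flags TeamViewer or RMS/Remote Utilities starting on a host where the tool is not approved, noting when the start follows a child process of Word, Outlook or an archive tool and whether the binary sits in a user-writable directory. The executable names for RMS, the document-handler list, the approved-host table and every event are assumptions made for the example.

```python
"""
Added example, not code from the article or from Kaspersky Lab: flag legitimate
remote-administration tools (TeamViewer, RMS/Remote Utilities, both named in the
campaign write-up) starting on hosts where they are not approved, and tie the
start back to a document or archive opened from email shortly before.

All events below are constructed. The executable names for RMS/Remote Utilities,
the document-handler list and the approved-host table are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Executable name -> tool. Names are assumptions for this example.
REMOTE_ADMIN_BINARIES = {
    "teamviewer.exe": "TeamViewer",
    "rutserv.exe": "Remote Utilities (RMS)",
    "rfusclient.exe": "Remote Utilities (RMS)",
}

# Parents whose children usually mean "a user opened something that came by email".
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "winrar.exe", "7zfm.exe"}

# Directories an ordinary user can write to; a remote-admin tool living there
# was not rolled out by IT through a managed install.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Hypothetical asset inventory: hosts on which a tool is sanctioned.
APPROVED_HOSTS: Dict[str, Set[str]] = {"TeamViewer": {"helpdesk-01"}}


@dataclass
class ProcessEvent:
    """Subset of a process-creation record (e.g. Sysmon event ID 1)."""
    time: datetime
    host: str
    user: str
    image: str
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcessEvent], window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Return one alert per unapproved remote-admin tool start, with the reasons."""
    last_doc_child: Dict[str, ProcessEvent] = {}  # host -> latest child of a document handler
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.time):
        img, parent = basename(ev.image), basename(ev.parent_image)
        tool = REMOTE_ADMIN_BINARIES.get(img)
        if tool is None:
            if parent in DOCUMENT_HANDLERS and img not in DOCUMENT_HANDLERS:
                last_doc_child[ev.host] = ev  # e.g. WINWORD.EXE launching a dropped setup.exe
            continue
        if ev.host in APPROVED_HOSTS.get(tool, set()):
            continue
        reasons = [f"{tool} started on host not approved for it"]
        if parent in DOCUMENT_HANDLERS:
            reasons.append(f"launched directly by {parent}")
        else:
            prior = last_doc_child.get(ev.host)
            if prior is not None and ev.time - prior.time <= window:
                minutes = int((ev.time - prior.time).total_seconds() // 60)
                reasons.append(
                    f"{basename(prior.image)} was spawned from "
                    f"{basename(prior.parent_image)} {minutes} min earlier"
                )
        if any(m in ev.image.lower().replace("/", "\\") for m in USER_WRITABLE_MARKERS):
            reasons.append("tool binary lives in a user-writable directory")
        alerts.append({"time": ev.time, "host": ev.host, "user": ev.user, "tool": tool, "reasons": reasons})
    return alerts


# Constructed sample: one attachment-driven install, one sanctioned helpdesk
# start, one unexplained RMS host start.
T0 = datetime(2018, 3, 12, 9, 0)
SAMPLE_EVENTS = [
    ProcessEvent(T0, "acct-12", "ivanova",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"),
    ProcessEvent(T0 + timedelta(minutes=1), "acct-12", "ivanova",
                 r"C:\Users\ivanova\AppData\Local\Temp\setup.exe",
                 r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ProcessEvent(T0 + timedelta(minutes=4), "acct-12", "ivanova",
                 r"C:\Users\ivanova\AppData\Local\Temp\TeamViewer\TeamViewer.exe",
                 r"C:\Users\ivanova\AppData\Local\Temp\setup.exe"),
    ProcessEvent(T0 + timedelta(minutes=10), "helpdesk-01", "svc_it",
                 r"C:\Program Files\TeamViewer\TeamViewer.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(T0 + timedelta(hours=1), "eng-07", "petrov",
                 r"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe",
                 r"C:\Windows\explorer.exe"),
]


def run_sample() -> List[dict]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['time']:%H:%M} {a['host']} {a['user']} {a['tool']}: " + "; ".join(a["reasons"]))
```

The approved-host check is what keeps the rule usable: the campaign relies on the tools being legitimate, so a blanket "TeamViewer started" rule would drown the helpdesk's own sessions in noise. Pairing the start with the preceding document-handler child and with the binary's location gives the analyst the two facts that separate an attachment-driven install from an IT rollout.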

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
