Kaspersky researchers have discovered a new spear phishing campaign targeting organizations in the industrial sector.
The attackers distribute malicious software through emails disguised as legitimate commercial offers, with the aim of stealing money from the victim organizations' accounts.
“The phishing emails are disguised as legitimate commercial offers and are sent mainly to industrial companies located in Russia. The content of each email reflects the activity of the organization under attack and the type of work performed by the employee to whom the email is sent.”
The series of attacks started in November 2017, and the campaign is still ongoing.
The malware used in these attacks installs legitimate remote administration applications such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS) to gain remote control of the infected system.
After gaining access to the victim’s system, the attackers search for purchase documents, as well as the financial and accounting software used. Then the attackers look for various ways to steal money such as replacing the banking details used to make payments.
If the attackers need higher-level permissions or additional data, an additional pack of malware is downloaded onto the system. That malware is capable of logging keystrokes, taking screenshots, stealing system information and information on the programs installed in the system, etc.
In most cases the phishing emails have finance-related content, and the attachment names are finance-related as well.
The attackers send two types of email: one with malicious attachments, the other with a link to an external resource from which the malicious code is downloaded.
“It is worth noting that the attackers addressed an employee of the company under attack by his or her full name (this part of the email was masked in the screenshot above for confidentiality reasons). This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim”.
The malware can be installed in the system either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.
“For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.”
To gain access to the system with legitimate software such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS), the attackers use a DLL hijacking technique: they place a malicious library file in place of a system DLL, and that malicious library completes the malware installation.
The malicious dynamic library takes the place of the system file winspool.drv, which is located in the system folder and is used to send documents to the printer.
The malicious winspool.drv decrypts configuration files prepared by the attackers, which contain the software settings, the password for remotely controlling the machine, and the settings for sending a notification that the system has been infected successfully.
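One way a defender can look for the DLL hijack described above is to check where winspool.drv is being loaded from: the legitimate copy lives in the Windows system directories, so a load of a file with that name from an application or temp folder is the signal. The following is an added detection example, not code from Kaspersky or from this article; the Sysmon-style event fields, the system directory paths and the sample events are constructed assumptions for the example.

```python
"""Detection example (added here, not from the Kaspersky research or this article).

Flags DLL load events where winspool.drv is loaded from anywhere other than the
Windows system directories, the pattern a DLL hijack of a remote administration
tool (TeamViewer, RMS) in the campaign above would produce. Input records are
constructed samples in a Sysmon Event ID 7 (Image loaded) style; field names,
paths and tool folder names are assumptions for this example.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Legitimate directories for winspool.drv on a default Windows install
# (assumption: %SystemRoot% is C:\Windows; adjust to the host's real value).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL names that should only ever be loaded from the system directories.
HIJACK_TARGETS = ("winspool.drv",)


@dataclass
class DllLoadEvent:
    process_image: str   # full path of the process that loaded the DLL
    image_loaded: str    # full path of the loaded DLL
    signed: bool         # whether the loaded DLL carried a valid signature


def is_system_path(path: str) -> bool:
    """True if the DLL sits directly in one of the Windows system directories."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def classify(event: DllLoadEvent) -> Optional[str]:
    """Return a finding for a hijack-style load, or None if the event is benign."""
    name = ntpath.basename(event.image_loaded).lower()
    if name not in HIJACK_TARGETS:
        return None
    if is_system_path(event.image_loaded):
        return None
    reason = "loaded from non-system directory"
    if not event.signed:
        reason += ", unsigned"
    return f"{name} {reason}: {event.image_loaded} (process {event.process_image})"


def scan(events: List[DllLoadEvent]) -> List[str]:
    """Run classify() over a batch of load events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample events: a benign load from System32, a hijack-style load of
# an unsigned winspool.drv from the remote-admin tool's own folder, and an
# unrelated DLL that the rule must ignore.
SAMPLE_EVENTS = [
    DllLoadEvent(r"C:\Program Files\TeamViewer\TeamViewer.exe",
                 r"C:\Windows\System32\winspool.drv", True),
    DllLoadEvent(r"C:\Users\user\AppData\Local\Temp\RMS\rms_host.exe",
                 r"C:\Users\user\AppData\Local\Temp\RMS\winspool.drv", False),
    DllLoadEvent(r"C:\Program Files\TeamViewer\TeamViewer.exe",
                 r"C:\Windows\System32\kernel32.dll", True),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the directory, not the file name alone, because the legitimate winspool.drv is loaded by every process that prints; the signature flag is kept as supporting evidence rather than the sole criterion, since a hijacked copy could also be signed with some other certificate.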
The RMS configuration file contains an email address to which the information retrieved from the infected system (computer name, username, the RMS machine's Internet ID, etc.) is sent.
In the case of TeamViewer, the retrieved information is sent to the attackers' command and control server instead of an email address; TeamViewer also has a built-in VPN, which lets the attackers remotely control a computer located behind NAT.
According to the available data, more than 800 computers belonging to 400 organizations have already been infected.
“This research demonstrates once again that even when they use simple techniques and known malware, threat actors can successfully attack many industrial companies by expertly using social engineering and masking malicious code in target systems. Criminals actively use social engineering to keep users from suspecting that their computers are infected. They also use legitimate remote administration software to evade detection by antivirus solutions,” Kaspersky said in the published research.