Research by Cisco’s Talos team revealed that an Eastern European hacking group compromised U.S. state government servers and used them to deliver malware via phishing emails, one of the most common infection routes cybercriminals use today.
The phishing emails were crafted to appear to originate from the Securities and Exchange Commission (SEC). Several other cybersecurity experts have also analyzed the campaign.
The case drew the attention of industry experts because the attackers used one of the more sophisticated techniques seen in a campaign that analysts believe is non-governmental and focused on cybercrime.
“This threat is important because it has been designed to be extremely evasive and hard to research,” said Craig Williams, a senior researcher with Talos. “More and more actors are moving towards nontraditional persistence mechanisms, which make the malware even more effective.”
FireEye, a leading U.S. cybersecurity firm, published technical findings that link the campaign to a known advanced persistent threat (APT) group, codenamed FIN7.
The phishing emails carried malware-laden Microsoft Word documents containing financial disclosure information from the SEC’s EDGAR system. FIN7 operates internationally and is believed to represent an Eastern European criminal entity of Russian origin.
This phishing email campaign is narrowly focused and targets specific victims. The emails were sent to small-scale U.S. businesses in industry sectors such as finance and insurance.
According to Craig Williams, the emails tied to this campaign were highly targeted and were sent only to a selected group of U.S. businesses in several different industry sectors, including finance, insurance, and information technology.
Why is this attack believed to be complicated?
The hackers were highly successful in obscuring their attack and intrusion by using a multi-stage infection chain that exploited the Dynamic Data Exchange (DDE) feature in Microsoft Word to achieve remote code execution.
Moreover, the criminals used Domain Name System (DNS) queries to maintain a covert command-and-control connection to a compromised state government server. That server had been configured to automatically deliver the DNSMessenger malware to breached systems.
“The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace,” a blog post by Talos notes.
“This attack shows the extent of sophistication that is associated with threats facing organizations today. It is also vital for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and obtain persistence on systems once they are infected,” the blog post added.
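As an added example (not from the original article, Talos or FireEye), the following Python detector shows one defender-side check for the DNS-based command-and-control channel described above: it scans DNS query log lines for hosts that repeatedly issue TXT queries whose leftmost label looks random. The log line format, the thresholds and the domain names are constructed assumptions, not values from the reporting.

```python
import math
from collections import defaultdict

# Constructed sample log lines (hypothetical format: "<epoch> <client> <qtype> <qname>").
SAMPLE_LOG = """\
1507000001 10.1.2.3 A www.example.com
1507000002 10.1.2.3 TXT x8k2q9vm3a1p.cmd-ch.example-c2.test
1507000003 10.1.2.3 TXT 7hq1zp0kd4t3.cmd-ch.example-c2.test
1507000004 10.1.2.3 TXT p2mz8cqv5a0k.cmd-ch.example-c2.test
1507000005 10.1.2.3 TXT j9d3xw1nq7rb.cmd-ch.example-c2.test
1507000006 10.1.2.9 TXT mail.example.com
1507000007 10.1.2.9 A cdn.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude registered-domain extraction (last two labels).
    A production check should use a public-suffix list instead."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_txt_beacons(log_text: str, min_queries: int = 3,
                     min_label_len: int = 10, min_label_entropy: float = 3.0) -> dict:
    """Return {(client, domain): count} for clients that sent at least
    min_queries TXT queries whose leftmost label is long and high-entropy,
    the shape that data- or command-carrying DNS queries tend to have."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "TXT":
            continue
        client, qname = parts[1], parts[3]
        first_label = qname.split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_label_entropy:
            hits[(client, registered_domain(qname))] += 1
    return {key: count for key, count in hits.items() if count >= min_queries}
```

Ordinary TXT lookups such as the one for mail.example.com fall below the label-length threshold and are not reported; tune the thresholds against your own baseline traffic before alerting on them.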
According to Kevin Beaumont, an independent cybersecurity researcher who has been tracking FIN7 activity, the affected server was recently taken offline.
“The malware documents called for a file from a server in Louisiana, which is currently offline after they were notified,” Beaumont told CyberScoop. “The server was hosting source code used to deliver further elements of the attack chain.”
The discovery is important because this style of cyberattack would be highly effective even against companies or government agencies with significant cybersecurity protections already in place. That is because Microsoft is aware of the issues within the DDE protocol, which is typically used for one-time data transfers or for continuous exchanges of updates, but has so far declined to offer a fix, Beaumont explained.
He added: “It is an interesting case as the method used in Word documents works in higher security environments — for example, those which have taken steps to lock down macros. Another element is that Microsoft knows about the issue and has chosen not to issue a security patch — which leaves companies with a security issue they cannot patch around. All it takes is for an employee to press ‘Yes’ to two prompts, and you have a big issue.”
Why is the DNSMessenger malware considered special?
Because it is preprogrammed to identify the administrator of a breached network, which helps the attackers work out whom to target next.
At present, the case is under FBI investigation; further information about the attackers will hopefully be released soon.