Industrial Sector targeted in surgical spear-phishing attacks
3.8.18 securityaffairs Phishing
Industrial sector hit by a surgical spear-phishing campaign aimed at installing legitimate remote administration software on victims’ machines.
Attackers carried out a spear-phishing campaign against entities in the industrial sector, the messages disguised as commercial offers where used by attackers to deliver a legitimate remote administration software on victims’ systems (TeamViewer or Remote Manipulator System/Remote Utilities (RMS)).
Attackers personalized the content of each phishing email reflecting the activity of the target organization and the type of work performed by the employee to whom the email is sent.
The campaign was discovered by experts from Kaspersky Lab who speculate the attackers are financially motivated.
“Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.” reads the blog post published by Kaspersky.
“According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts,”
Once the attackers have gained access to the victim’s system they will search for any purchase documents, as well as the financial and accounting software. Then the crooks look for various ways in which they can monetize their effort, for example, by spoofing the bank details used to make payments.
According to Kaspersky, there was a spike in the number of spear phishing messages in November 2017 that targeted up to 400 industrial companies located in Russia.
The spear-phishing campaign is still ongoing, the messages purported to be invitations to tender from large industrial companies.
The quality of the phishing messages suggests the attackers have spent a significant effort in the reconnaissance phase.
“It is worth noting that the attackers addressed an employee of the company under attack by his or her full name,” state the researchers. “This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.”
The attackers used both malicious attachments and links to external resources that are used to download the malicious code.
“Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.” states the researchers.
“For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.”
Regarding the legitimate software used by the attackers, TeamViewer or Remote Manipulator System/Remote Utilities (RMS), for both, the attackers performed a DLL injection attack by injecting the malicious code directly into the process by substituting a malicious library for system DLL.
The malicious library includes the system file winspool.drv that is located in the system folder and is used to send documents to the printer.
The winspool.drv decrypts the attackers’ configuration files, including software settings and the password for remotely controlling the target machine.
In the case of RMS, one of the configuration files includes the email address used by the attacker to receive the information (i.e. computer name, username and the RMS machine’s internet ID) about the infected system.
When the attackers use TeamViewer software to exfiltrate system information, a file in a malicious library contains various parameters, including the password used for remotely controlling the system and a URL of the attackers’ command-and-control server.
Unlike RMS, Team Viewer also uses a built-in VPN to remotely control a computer located behind NAT.
“After launching, the malicious library checks whether an internet connection is available by executing the command “ping 220.127.116.11” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.” continues the analysis.
“Unlike RMS, Team Viewer uses a built-in VPN to remotely control a computer located behind NAT.”
Kaspersky highlighted that the industrial sector is becoming a privileged target for crooks, they are able to make profits even using simple techniques and known malware.
The use of legitimate Remote administration software allows crooks to gain full control of compromised systems avoiding detection.
“This choice on the part of the cybercriminals could be explained by the fact that the threat-awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies),” Kaspersky concludes.