A Russian-speaking threat actor has been attacking hundreds of industrial companies for more than two years, according to Kaspersky security researchers.

The current attacks, which target companies in Russia, are highly targeted and use phishing emails to deliver malware. In some cases, legitimate documents stolen in previous attacks are used for social engineering.

Another characteristic of these attacks is the use of remote administration utilities, including Remote Manipulator System (RMS, also known as Remote Utilities) and TeamViewer. A malicious program is used to hide the user interface of these tools so that the victim does not notice them.

The campaign was first detailed in 2018, when Kaspersky reported that more than 400 organisations had been targeted. Now, the security researchers have found that the attackers have updated their methods and that the number of victim organisations has grown.

In particular, the adversary switched to using the web interface of the RMS cloud infrastructure as the notification channel for receiving the TeamViewer ID of the infected machine, instead of relying on malware command-and-control servers. In the current attacks, spyware and Mimikatz are used to steal credentials.

Posing as business partners of the target organization, the attackers ask their intended victims to review the attached documents. The emails are crafted individually for each victim, and the attachments are password-protected to prevent antivirus products from scanning them.

The attachment contains obfuscated JavaScript and legitimate PDF files. In recent attacks, the hackers have started using genuine documents related to the organization's activities, including scanned copies of purchase receipts, letters and forms, which appear to have been stolen in previous attacks.

The JavaScript launches a malware loader that installs a version of TeamViewer and, when more information needs to be collected from the target computer, additional malware. In previous attacks, the hackers used malicious DLLs to hide TeamViewer's user interface so that the intrusion went unnoticed.

According to Kaspersky, the payloads fetched by the malicious scripts are hosted on resources that mimic the websites of Russian-speaking companies.

The victims of these attacks were Russian companies in the manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining and logistics sectors. The attackers appear to have a particular interest in the energy sector.

The campaign aims to steal money from the target organizations, and Kaspersky believes a Russian-speaking group is behind it. The adversary takes full control of the target systems and then searches for financial and accounting software and related documents, which are used to commit financial fraud.

"It is clear that remote access by cybercriminals to infected systems also poses other threats, such as leaks of confidential organizational data, system failures, etc., which can lead to a significant increase in the number of cybercriminals accessing infected systems. As recent events have shown, attackers use documents probably stolen from organizations to carry out subsequent attacks, including against the partners of the victim companies," Kaspersky concluded.



Ionut Arghire is an international correspondent for SecurityWeek.
