A massive spear-phishing campaign is targeting hundreds of industrial companies primarily in Russia by disguising the emails as legitimate procurement and accounting letters, according to researchers with Kaspersky Lab.
The attacks, which started in October 2017 and are still underway, are aimed at stealing money and data from more than 400 companies in such industries as oil and gas, energy, construction, logistics and metallurgy, the researchers wrote in a post on the company blog.
The cybercriminals behind the attacks, which have been launched against about 800 employee PCs at these companies, invested time and effort in targeting their victims: the emails contained content that reflected the activities and profiles of the organizations under attack, took into account the identity of the recipient and addressed the victims by name.
Example of a bank transfer receipt that is part of the phishing scheme
"Most spear-phishing (crimeware) campaigns are less personalized, as such levels of personalization often used in APT attacks are," Kirill Kruglov, senior research developer for critical infrastructure threat analysis at Kaspersky, told Security Now in an email. "It feels like it takes more time/money for threat actors to prepare such an attack … but all the information required for personalization could be collected from public sources such as corporate website(s), social networks, etc., or it could be found on hackers' forums or the dark net. This means it is not much work; a few months is more than enough for threat actors to prepare such an attack."
Most of the phishing emails had finance-related content, and the names of the attachments were also connected to finance, according to the Kaspersky researchers. Many of the emails carried attachments; in others, the message was meant to entice victims to follow links to external sites and download malicious code from them.
Once users open the attachments, modified legitimate software -- such as Seldon 7.1, data analysis software that uses machine-learning techniques -- is discreetly installed on the computer, along with malware components and legitimate remote administration software such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS). Through this, the attackers gain control of the infected systems.
The malware components can come from several malware families, including AZORult, Hallaj PRO Rat and Babylon RAT, and are used to collect and steal information. Their capabilities include logging keystrokes, taking screenshots, downloading other malicious files, stealing passwords, cryptocurrency wallets and Skype correspondence, conducting distributed denial-of-service (DDoS) attacks and sending user files to a command-and-control server. (See AZORult Downloader Adds Cryptomining, Ransomware Capabilities.)
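The infection chain just described ends with a legitimate remote administration tool (TeamViewer or RMS/Remote Utilities) running on an accounting workstation, which is exactly the kind of event a defender can hunt for. The following script is an added example, not code from Kaspersky or from the article: it reads constructed process-creation records (timestamp, host, image path, parent image) and flags remote administration binaries that were spawned by a mail or Office application, or that run from a user-writable directory such as AppData or Temp, both of which are far more consistent with an opened attachment than with an IT-approved install. The binary names, parent-process list and log format are assumptions made for this illustration.

```python
"""Hunt for remote administration tools launched in an attachment-like context.

Added example (not from the Kaspersky report or the article). The campaign
drops legitimate remote-admin software after a user opens a phishing
attachment; legitimate IT deployments are normally installed from Program
Files by an installer or explorer, not spawned by Outlook or Word out of Temp.
"""
import re
from dataclasses import dataclass

# Assumed binary names for the tools named in the article (TeamViewer, RMS /
# Remote Utilities). Adjust to the tools approved in your own environment.
REMOTE_ADMIN_TOOLS = {"teamviewer.exe", "rutserv.exe", "rms.exe"}

# Parents that should never spawn a remote-admin tool directly (assumed list).
ATTACHMENT_PARENTS = {"outlook.exe", "winword.exe", "excel.exe",
                      "thunderbird.exe", "acrord32.exe"}

# Directories a malicious attachment typically drops into.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    image: str         # full path of the new process
    parent_image: str  # full path of the parent process


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed, pipe-delimited process-creation record."""
    ts, host, image, parent = (field.strip() for field in line.split("|"))
    return ProcessEvent(ts, host, image, parent)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if basename(ev.image) not in REMOTE_ADMIN_TOOLS:
        return reasons
    if basename(ev.parent_image) in ATTACHMENT_PARENTS:
        reasons.append(f"remote admin tool spawned by {basename(ev.parent_image)}")
    if USER_WRITABLE.search(ev.image):
        reasons.append("remote admin tool running from user-writable path")
    return reasons


# Constructed sample log: one benign TeamViewer start from Program Files, then
# a TeamViewer copy and an RMS host launched out of AppData after a Word
# document was opened, then an unrelated process.
SAMPLE_LOG = [
    r"2017-11-02T09:14:05Z | ACCT-PC01 | C:\Program Files\TeamViewer\TeamViewer.exe | C:\Windows\explorer.exe",
    r"2017-11-02T09:21:47Z | ACCT-PC01 | C:\Users\ivanov\AppData\Local\Temp\TeamViewer.exe | C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
    r"2017-11-02T09:22:10Z | ACCT-PC01 | C:\Users\ivanov\AppData\Roaming\RMS\rutserv.exe | C:\Users\ivanov\AppData\Local\Temp\TeamViewer.exe",
    r"2017-11-02T10:02:33Z | LOG-PC07 | C:\Windows\System32\notepad.exe | C:\Windows\explorer.exe",
]


def hunt(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (host, binary, reasons) for every suspicious event in the log."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            findings.append((ev.host, basename(ev.image), reasons))
    return findings


if __name__ == "__main__":
    for host, binary, reasons in hunt(SAMPLE_LOG):
        print(f"{host}: {binary} -> {'; '.join(reasons)}")
```

Run against the sample log, the first TeamViewer start is left alone (Program Files, parent explorer.exe), while the Temp copy spawned by WINWORD.EXE is flagged on both rules and the RMS host in AppData on the path rule only. In practice the input would come from Sysmon event ID 1 or an EDR process table rather than the constructed lines above, and the path and parent allow-lists would be tuned to the remote-admin tools the organization has actually sanctioned.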
The attackers also use a number of techniques to mask the infection and the malware's activities, the researchers said.
The goal of the campaign is to steal money from the accounts of the victims' organizations, the researchers found. Through the malware, the cybercriminals can examine documents and software related to procurement, financial and accounting operations, analyze the financial and accounting software in use and find the banking clients being used. The attackers also look for other ways to commit financial fraud, such as spoofing the bank details used to make payments and changing the requisites in payment bills to withdraw money.
In addition, if they need more data or capabilities -- such as obtaining local administrator rights or stealing Microsoft Windows accounts to spread through the corporate network -- the bad actors upload additional malware prepared individually for the attack on each victim, including spyware, more remote administration tools and tools to exploit operating system vulnerabilities. They can also download the Mimikatz tool to obtain data from Windows accounts.
"Apparently, among other methods, the attackers obtain the information they need to perpetrate their criminal activity by analyzing the correspondence of employees at the enterprises attacked," the analysts wrote in the blog. "They may also use the information found in these emails to prepare new attacks -- against companies that partner with the current victim."
They said the attackers are most likely a group whose members have a good command of the Russian language, given the text of the phishing emails and the way the bad actors are able to modify organizations' financial data in Russian. In addition, the researchers said the group likes targeting industrial companies because threat awareness and the cybersecurity culture in these organizations are not as strong as in firms in other sectors, such as financial services and IT.
"Usually employees of industrial companies are less aware of such personalized spear-phishing and other techniques used by criminals," Kruglov said. "The security measures and procedures are also often less mature in industrial companies. But at the same time, threat actors are moving towards the use of legitimate (or semi-legitimate) tools to bypass security measures that makes it much harder to identify the intrusion in a timely manner."
The Kaspersky analyst also said that while it's highly unlikely this particular campaign will spill over to other countries -- it requires attackers to have knowledge of accounting software and procedures, which can differ between countries -- "we could see another campaign (launched by another threat actor) with similar techniques and toolset. The probability of such an event is considerable."
The Kaspersky researchers note that companies need to use security solutions with specific capabilities to detect and block phishing attempts, and to run security awareness initiatives that educate employees about cybersecurity.