Researchers at Kaspersky have identified numerous variants of spyware being deployed on systems within industrial enterprises to steal credentials. The threat actors use off-the-shelf spyware tools and keep each one in place for only a short time: the average deployment per variant is 25 days. Rotating variants this quickly helps the threat actors remain undetected by defensive tooling and services. Examples of the commodity malware used in these attacks include AgentTesla/Origin Logger, HawkEye, Noon/Formbook, Masslogger, Snake Keylogger, Azorult, and Lokibot. The threat actors also use SMTP to exfiltrate stolen data to the command-and-control (C2) server they operate. This is unique because, unlike HTTPS, the most common channel for spyware C2 communication, SMTP is a one-way channel well suited to data theft: it is simple, and outbound mail traffic blends in with regular network activity.
Spyware attacks usually stay in place for months, but in this case the threat actors have decided that switching the spyware every 25 days or so limits their chance of being detected. After a successful attack in which credentials are stolen, they typically sell the credentials on Darknet marketplaces at prices that vary with the type of access and the company that was infected. Services such as Binary Defense’s Managed Detection and Response can help monitor endpoints and look for any unusual activity that could lead to the deployment of malware. At this time these attacks have focused on industrial enterprises, but it is possible that the threat actors will target other industries with the same approach.
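As an added illustration of the detection point above (this is example code written for this summary, not tooling from Kaspersky's report or from Binary Defense): a small Python check over constructed firewall-style log lines that flags internal hosts other than the approved mail relay making SMTP connections to external addresses, which is exactly the traffic the SMTP exfiltration channel relies on to pass as ordinary mail. The relay address, internal network ranges and log line format are assumptions; the addresses come from the documentation ranges.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed environment: only this host is sanctioned to send mail to the Internet.
APPROVED_RELAYS = {"10.0.0.25"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SMTP_PORTS = {25, 465, 587}  # SMTP, SMTPS, message submission

# Constructed firewall-style log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
2024-03-04T10:01:02Z src=10.0.0.25 dst=203.0.113.10 dport=25 action=allow
2024-03-04T10:01:05Z src=10.20.30.44 dst=198.51.100.7 dport=587 action=allow
2024-03-04T10:01:09Z src=10.20.30.44 dst=192.0.2.8 dport=443 action=allow
2024-03-04T10:02:00Z src=10.20.30.44 dst=198.51.100.7 dport=587 action=allow
2024-03-04T10:03:00Z src=10.20.30.51 dst=10.0.0.25 dport=25 action=allow
2024-03-04T10:04:00Z src=10.20.30.51 dst=198.51.100.9 dport=465 action=deny
"""
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return the fields of one log line, or None if the line does not match the assumed format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def find_smtp_egress(lines):
    """Map each internal non-relay host that spoke SMTP to an external address to its distinct
    destinations and connection count. Denied attempts are kept: a blocked try still marks a host."""
    hits = defaultdict(lambda: {"dsts": set(), "count": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SMTP_PORTS:
            continue
        if rec["src"] in APPROVED_RELAYS or not is_internal(rec["src"]):
            continue
        if is_internal(rec["dst"]):
            continue  # mail handed to the internal relay is the sanctioned path
        hits[rec["src"]]["dsts"].add(rec["dst"])
        hits[rec["src"]]["count"] += 1
    return {src: {"dsts": sorted(v["dsts"]), "count": v["count"]} for src, v in hits.items()}
```

Run against the sample, the relay's own traffic and the workstation's HTTPS and relay-bound mail are ignored, while the two workstations talking SMTP directly to external addresses are reported with their destination sets and counts.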