Steganography in targeted attacks on industrial enterprises in Japan and Europe

Threat actors targeted industrial suppliers in Japan and several European countries in sophisticated attacks, Kaspersky reported.

Researchers from Kaspersky’s ICS CERT unit reported that threat actors targeted industrial suppliers in Japan and several European countries in sophisticated attacks.

The experts first observed the attacks in early 2020, while in early May, threat actors targeted organizations in Japan, Italy, Germany and the UK.

Hackers targeted suppliers of equipment and software for industrial enterprises with spear-phishing messages using malicious Microsoft Office documents. Attackers used PowerShell scripts, as well as various techniques to evade the detection and avoid the analysis of the malware.

“Phishing emails, used as the initial attack vector, were tailored and customized under the specific language for each specific victim. The malware used in this attack performed destructive activity only if the operating system had a localization that matched the language used in the phishing email.” reads the report published by Kaspersky. “For example, in the case of an attack on a company from Japan, the text of a phishing email and a Microsoft Office document containing a malicious macro were written in Japanese. “

The phishing messages are crafted to trick victims into opening the attached document and enable the macros. The emails are written in the target’s language, and the malware only starts if the operating system language on the machine matches the language in the phishing email.

Hackers used the Mimikatz tool to steal the authentication data of Windows accounts stored on a compromised system. At the time, the final goal of the threat actors is still unknown.

Kaspersky experts only observed malicious activity on IT systems, OT networks were not impacted in the attacks.

Upon executing the macro script contained in the bait document, a PowerShell script is decrypted and executed. This script downloads an image from image hosting services such as Imgur or imgbox, experts noticed that the URL of the image is randomly selected from a list.

The image contains data that is extracted by the malware to create another PowerShell script, which in turn creates another PowerShell script that is an obfuscated version of Mimikatz post-exploitation tool.

“The data is hidden in the image using steganographic techniques and is extracted by the malware from pixels defined by the algorithm. Using steganography enables the attackers to evade some security tools, including network traffic scanners.” continues the analysis.

“The data extracted from the image is consecutively encoded using the Base64 algorithm, encrypted with the RSA algorithm and encoded using Base64 again. Curiously, the script has an error in its code, included on purpose, with the exception message used as the decryption key.”

Attackers also used an exception message as the decryption key for a malicious payload, also in this case the technique aims at evade the detection.

Kaspersky confirmed that its solutions have blocked all the attacks it has detected.

“This attack has caught the attention of researchers because the attackers use several unconventional technical solutions.” concludes Kaspersky.

“The use of the above techniques, combined with the pinpoint nature of the infections, indicates that these were targeted attacks. It is a matter of concern that attack victims include contractors of industrial enterprises. If the attackers are able to harvest the credentials of a contractor organization’s employees, this can lead to a range of negative consequences, from the theft of sensitive data to attacks on industrial enterprises via remote administration tools used by the contractor.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – industrial supplier attack, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]