Experts warn of anomalous spyware campaigns targeting industrial firms

Pierluigi Paganini January 21, 2022

Researchers spotted several spyware campaigns targeting industrial enterprises to steal credentials and conduct financial fraud.

Researchers from Kaspersky Lab have uncovered multiple spyware campaigns that target industrial firms to steal email account credentials and carry out fraudulent activities.

Threat actors sent spear-phishing messages from compromised corporate accounts to their contacts, the email carry malicious attachments. The attackers use off-the-shelf spyware, but in order to avoid detection they limited the scope and lifetime of each sample to the bare minimum

These attacks were aimed at a very limited number of targets, they employed several spyware families, such as AgentTesla/Origin Logger, HawkEye, Noon/Formbook, Masslogger, Snake Keylogger, Azorult, Lokibot.

Kaspersky labeled these campaigns as ‘anomalous’ due to their very short-lived nature, roughly 25 days.

“The lifespan of the “anomalous” attacks is limited to about 25 days. And at the same time, the number of attacked computers is less than 100, of which 40-45% are ICS machines, while the rest are part of the same organizations’ IT infrastructure.” reads the analysis published by Kaspersky. “This has become a trend: around 21.2% of all spyware samples blocked on ICS computers worldwide in H1 2021 were part of this new limited-scope short-lifetime attack series and, depending on the region, up to one-sixth of all computers attacked with spyware were hit using this tactic.”

Attackers used to target less than one hundred systems for each campaign, more than half are ICS (integrated computer systems) systems deployed in industrial environments.

Unlike common spyware attacks, most of the samples employed in these campaigns were configured to use SMTP-based (rather than FTP or HTTP(s)) C2s as a one-way communication channel, a circumstance that suggests it was used only to exfiltrate data from infected systems.

Kaspersky researchers speculate the stolen data is used by threat actors to go deeper in the compromise network and to target other organizations in order to collect more credentials.

The attackers use corporate mailboxes compromised in previous attacks as the C2 servers for further attacks.

“Amongst attacks of this kind, we’ve noticed a large set of campaigns that spread from one industrial enterprise to another via hard-to-detect phishing emails disguised as the victim organizations’ correspondence and abusing their corporate email systems to attack through the contact lists of compromised mailboxes.” continues the report.

“Curiously, corporate antispam technologies help the attackers stay unnoticed while exfiltrating stolen credentials from infected machines by making them ‘invisible’ among all the garbage emails in spam folders.”

spyware campaigns 2

The experts have identified over 2,000 corporate email accounts belonging to industrial companies that were used as C2 servers for successive spyware campaigns. The number of stolen and sold corporate email accounts that were abused has been estimated to be greater than 7000.

Many of the email RDP, SMTP, SSH, cPanel, and VPN account credentials siphoned by the attackers were made available on dark web marketplaces and sold to other threat actors.

“In this research, we identified over 25 different marketplaces where data stolen in the credential gathering campaigns targeting industrial companies that we investigated was being sold. At these markets, various sellers offer thousands of RDP, SMTP, SSH, cPanel, and email accounts, as well as malware, fraud schemes, and samples of emails and webpages for social engineering.” concludes the report. “A statistical analysis of metadata for over 50,000 compromised RDP accounts sold in marketplaces shows that 1,954 accounts (3.9%) belong to industrial companies.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, spyware campaigns)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment