Cisco warns on combined spear phishing and exploit attacks

Cisco’s Threat Research Analysis and Communications (TRAC) uncovered an extremely targeted spear phish attack on high-profit companies in Europe.

A new APT has been discovered by CISCO targeting high-profit companies in Europe, including businesses working in banking, oil and entertainment industries. The attackers adopted as attack vector the email in a spear phishing campaign. According to the alert provided by Cisco, phishing emails were crafted for specific targeted companies, the attackers used a malicious Microsoft Word attachment to drop the malicious payload. When victims will open the file the malware is downloaded and executed on the machine. The attackers lure victims with malicious emails crafted to look like business invoices.

The particularity of this attack is that the malware contacts several domains during this infection process, including Dropbox folders where attackers host malware samples.The attackers also used many other domains to host backdoor’s, such as londonpaerl.co.uk, used to for typosquatting on the legitimate site londonpearl.co.uk. Cisco blocked the malware from its clients, the security experts at the company believe that the attacks from the bad actor started in May with a surge observed last month.

We have already seen attacks in which bad actors use the popular cloud storage, a few days ago Trend Micro analyzed a targeted attack against a Taiwanese government entity which used a variant of the PlugX RAT that abuses the Dropbox service too.

“The threat actor used the cloud-based file-sharing service offered by Dropbox to host four separate pieces of the payload for the exploit. We reported these links to the Dropbox security team who confirmed that they disabled the file share links. We believe the londonpaerl.co.uk and selombiznet.in domains act as command and control servers.” reported Cisco in a blog post.

Hackers have leveraged a consolidated technique using Visual Basic for Applications, to conduct the attack.

“In this specific example the attackers targeted a feature within Microsoft Word — Visual Basic Scripting for Applications. While basic, the Office Macro attack vector is obviously still working quite effectively. When the victim opens the Word document, an On-Open macro fires, which results in downloading an executable and launching it on the victim’s machine. This threat actor has particularly lavish tastes. This threat actor seem to target high-profile, money-rich industries such as banking, oil, television, and jewelry.” states the post.

Cisco announced that next week it will provide more information on the group responsible for the attacks, on the exploits used in the offensive, including data on the malware used by attackers and obfuscation techniques implemented.

Pierluigi Paganini

(Security Affairs – Cisco, cybercrime)0