Threat Intelligence, Malware

“Siesta” espionage campaign uncovered by researchers

Yet another espionage campaign targeting a number of organizations in different industries has been unearthed by researchers.

Dubbed “Siesta,” the operation attempts to infiltrate the entities via spear phishing emails sent to executives, according to a blog post by Maharlito Aquino, senior research engineer of APT operations at Trend Micro.

Organizations in the energy, finance, telecommunications, defense, and transportation industries have been targeted by attackers using “multi-component malware.”

“These emails were sent from spoofed email addresses of personnel within the organization,” Aquino wrote. “Instead of using attachments and document exploits, this specific campaign served their malware through a legitimate-looking file download link.”

In order to entice the recipient to download the file, the URL includes the organization's name, thus seeming legitimate. An executable titled (TROJ_SLOTH) is contained in the archive, disguised as a PDF document.

Although the recipient can access the legitimate PDF, which was most likely taken from the organization's website, a backdoor is simultaneously being executed.

Once launched, the malware, named BKDR_SLOTH.A, waits for two primary instructions from its command-and-control servers, according to the post.

One instructs the malware to “sleep,” making it dormant for a period of time and cutting off connection to the C&C servers, a command that earned the campaign its “Siesta” name – which means “short nap” in Spanish. The other command enables the malware to “download and execute a file from a specified URL.”

The purpose of the campaign may be to glean valuable data from these organizations, Jon Clay, senior manager for global threat communications at Trend Micro, told SCMagazine.com in Friday interview. In the initial investigation, he said it's clear the attacker did their homework on the organization in order to infiltrate it.

“When you look at the spear phishing email that they sent out it was addressed to an executive,” he said. “So they knew the executive, their name, and it came from a spoofed internal employee's email.”

The sleep command is one of the unique characteristics of the malware, Clay said. While many times malware continuously communicates with C&C servers, making it easier to be identified by security controls in place, BKDR_SLOTH.A waits to be activated at any time by the attacker.

“They could just be setting up for later,” Clay said, alluding to attackers possibly wanting to see what valuable data the organizations have in the future. “It could be months before it's activated.”

Since the attacker has so many domains and IP addresses registered at their disposal – close to 17,000 according to the blog post – the Siesta campaign utilizes a short-lived C&C infrastructure, which makes it more difficult to attribute and locate where the attack is hailing from, Clay said.

Although researchers stumbled upon the campaign through an investigation into one organization, like many others, they found it blossomed into other industry types and organizations. They soon discovered a variant of the malware with similar capabilities, BKDR_SLOTH.B.

Due to the ongoing investigation, the region impacted by the campaign or number of affected organizations cannot be shared.

In addition to having a layered security approach to thwart these types of attacks, which should include a sandbox where email attachments are scanned for malicious behavior, Clay believes education is key.

“An education piece is definitely required to have people thinking in the back of their minds about these kinds of emails,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.