Shadowy figures stalking US NGOs
Shadowy figures stalking US NGOs

Barely hours after Donald Trump became president-elect of the US, an advanced persistent threat (APT) group launched a series of coordinated and well-planned spear-phishing campaigns.

According to a blog post by Steven Adair, a security researcher at Volexity, around five different attacks on US-based think tanks and non-governmental organizations (NGOs) were observed.

He said that email came from a mix of attacker created Google Gmail accounts and what appears to be compromised e-mail accounts at Harvard's Faculty of Arts and Sciences (FAS). 

The emails were sent 8-9 November and in large quantities to different individuals across many organisations and individuals focusing in national security, defence, international affairs, public policy and European and Asian studies. 

“Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving insight and perhaps a post-mortem analysis into the elections. Two of the other attacks purported to be eFax links or documents pertaining to the election's outcome being revised or rigged,” said Adair.

A final attack claimed to be a link to a PDF download on “Why American Elections Are Flawed.” Volexity pinpointed the actions to a group it has referred to as The Dukes (also known as APT 29 or Cozy Bear) as being responsible for post-election attack activity. The group is thought to be closely linked with the Russian government.

The Dukes have been responsible for other attacks in the past, including attacks on the Democratic National Committee and US government organisations.

The attacks all use malware Volexity dubbed PowerDuke. Infected attachments look like legitimate documents but contain macros designed to install a downloader on the system.

Successful exploitation would result in the download of a PNG image file from a compromised webserver. These attack campaigns leveraged steganography in the PNG files by hiding components of a backdoor that would exist only in memory after being loaded into rundll32.exe. 

The latest attacks used either malicious links to .ZIP files or fake Windows shortcut files linked to a ‘clean' Rich Text Format document and a PowerShell script that installed malware. Three emails appeared to come from a senior research fellow at Harvard's Center for International Development, with two of these spoofed to look like they were forwarded on from Clinton Foundation using the same Harvard account.

The malware used advanced anti-malware detection and virtual machine detection scripts to evade analysis.

"The group's anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure," said Adair.

"This combined with their use of stenography to hide their backdoor within PNG files that are downloaded remotely and loaded in memory only or via alternate data streams (ADS) is quite novel in its approach. Volexity believes that the Dukes are likely working to gain long-term access into think tanks and NGOs and will continue to launch new attacks for the foreseeable future."

Fraser Kyne, EMEA CTO at Bromium, told SCMagazineUK.com that rather than expecting end-users to behave like machines, “we should be adapting technology to account for the fact that people will always be people – ie, let the people click!”

“Isolating workloads using micro-virtualisation is the only way we can solve this problem. In effect, every document or webpage should run in a totally isolated environment, so even if users download an infected document, it's totally harmless; it just bangs around in a little contained environment and then disappears the moment the user closes down their session. There is no way for it to infect the wider IT ecosystem,” he said.

Richard Meeus, VP technology EMEA at NSFOCUS, told SC that attackers have always used major news events as a cover for click bait.

“A false story recently about the death of Brad Pitt after his divorce caused a flurry of malware propagation as people all rushed to find out more. The bigger the story, the less care and attention people will pay to the source of the email, or the Facebook link, and this is what the attackers are relying upon. Leveraging the biggest election news in years would be an ideal opportunity,” he said.