International equipment and software suppliers for the industrial sector last May suffered targeted malware attacks that employed numerous unconventional techniques to evade detection, report Kaspersky ICS CERT experts in a recent blog post.
Utilizing steganography to conceal malicious data within another file, while abusing legitimate web resources to host the malware, the attackers made it highly difficult to detect infection attempts — although Kaspersky said that in all cases that were identifiable, the malware was blocked by its solutions, preventing additional attacks.
The targeted suppliers, who, if compromised, could have been abused as a stepping stone to later attack their industrial enterprise clients, are based in Japan, Italy, Germany and the U.K. The contractors were sent phishing emails that were customized to their local languages and contained Microsoft Office documents with malicious, obfuscated macros. If the localization of the intended victim’s operating system didn’t match the language used in the phishing email, the malware would not fully execute.
The macros decrypt and execute a PowerShell script, which in turn selects a URL that resolves to the legitimate public image hosting services imgur.com or imgbox.com and then downloads an image that secretly hides encrypted data via the technique of steganography.
“This makes it virtually impossible to detect such malware using network traffic monitoring and control tools while it is being downloaded,” writes Vyacheslav Kopeytsev, Kaspersky senior security researcher.
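Because the download itself looks like an ordinary request to a public image host, the practical place to catch this chain is on the endpoint: an Office application spawning PowerShell, and that same PowerShell process then reaching an image-hosting domain. The following Python script is an added example for this article, not code from Kaspersky or the blog post. It correlates constructed Sysmon-style process-creation and network-connection records (the field names and sample values are assumptions made for the example) and, as a second check, flags an image file that carries bytes after its format's end marker, which is one simple way an appended payload shows up; it does not detect pixel-level (LSB) embedding, and the article does not state which steganographic method the attackers used.

```python
"""Defender-side checks for the Office -> PowerShell -> image-host chain.

Added example; not Kaspersky's code. Event layout, domain list and the
sample records below are constructed assumptions, not real telemetry.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Image hosts named in the article; subdomains such as i.imgur.com match too.
IMAGE_HOSTS = re.compile(r"(^|\.)(imgur\.com|imgbox\.com)$", re.IGNORECASE)

# Constructed events modelled on Sysmon EventID 1 (ProcessCreate)
# and EventID 3 (NetworkConnect).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 5312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 3, "pid": 5312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_hostname": "i.imgur.com", "dest_port": 443},
    # A browser fetching the same host is normal and must not be flagged.
    {"id": 3, "pid": 7001,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_hostname": "i.imgur.com", "dest_port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_to_imagehost(events):
    """Return (pid, hostname) for PowerShell processes that were spawned by an
    Office application and later connected to an image-hosting domain."""
    suspicious_pids = set()
    for ev in events:
        if (ev["id"] == 1 and basename(ev["image"]) in SCRIPT_HOSTS
                and basename(ev["parent_image"]) in OFFICE_PARENTS):
            suspicious_pids.add(ev["pid"])
    hits = []
    for ev in events:
        if (ev["id"] == 3 and ev["pid"] in suspicious_pids
                and IMAGE_HOSTS.search(ev.get("dest_hostname", ""))):
            hits.append((ev["pid"], ev["dest_hostname"]))
    return hits


def trailing_bytes_after_image(data):
    """Number of bytes following the image's end marker (PNG IEND chunk or
    JPEG EOI marker); 0 when there are none or the format is unrecognised.
    Heuristic only: it catches appended payloads, not data hidden in pixels."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        idx = data.find(b"IEND")
        if idx == -1:
            return 0
        end = idx + 4 + 4            # chunk type field + 4-byte CRC
        return max(0, len(data) - end)
    if data.startswith(b"\xff\xd8"):
        idx = data.rfind(b"\xff\xd9")  # last EOI; appended bytes rarely contain one
        if idx == -1:
            return 0
        return max(0, len(data) - (idx + 2))
    return 0


# Constructed minimal image bodies (not valid pictures, just enough structure
# for the check): PNG signature + IEND chunk, and JPEG SOI + EOI.
MINIMAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
MINIMAL_JPEG = b"\xff\xd8\xff\xd9"


if __name__ == "__main__":
    print("suspicious PowerShell connections:", find_office_to_imagehost(SAMPLE_EVENTS))
    print("clean PNG trailing bytes:", trailing_bytes_after_image(MINIMAL_PNG))
    print("PNG with appended payload:", trailing_bytes_after_image(MINIMAL_PNG + b"\x00" * 24))
```

Both checks are deliberately narrow so they can run on a collector without the image itself being readable: the process correlation needs only parent/child lineage and destination hostnames, and the trailing-bytes check needs only the raw file. A hit on either is a trigger for pulling the full PowerShell script block logs for that process, not a verdict on its own.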
The decryption key for said data is cleverly hidden in an exception message that’s associated with an error that was intentionally entered into the script itself — a technique the attackers apparently used for both anti-detection and anti-analysis.
The extracted data comprises yet another PowerShell script, which in turn yields a third PowerShell script in the form of an obfuscated sample of Trojan-PSW.PowerShell.Mimikatz malware. “Closer analysis has shown that attackers used the Mimikatz utility to steal the authentication data of Windows accounts stored on a compromised system,” the Kaspersky blog post states.
The ultimate objective of the attackers in this case remains unknown, Kaspersky reports.
Despite the differences in the various targets’ languages, Kaspersky analysts found a similarity in the campaigns, which typically began with an urgent phishing email that recipients were asked to open. Individuals who opened the email then received a message asking them to enable the attached document’s active content. If the recipient took the bait, the malicious macro would execute and the infection chain would commence.