
Clandestine Fox attack op uses social engineering to woo new victims

An advanced persistent threat (APT) group, which previously spread malware by exploiting an Internet Explorer zero-day, has now changed its attack method.

Back in late April, security firm FireEye revealed details on the group's ongoing campaign dubbed “Operation Clandestine Fox.” Since the IE zero-day bug was patched by Microsoft in May, however, attackers have moved on to an alternative method for installing backdoors on victims' systems: luring them via social networking.

On Tuesday, Mike Scott, a senior threat analyst at FireEye, blogged about the threat actors' new schemes – using phishing emails to target employees at an energy company and another unnamed firm.

In the instance targeting the energy company, the attacker posed as a job applicant seeking employment at the firm. The targeted employee was first contacted on a popular social networking site, and weeks later the attacker eventually emailed a “resume” to the employee's personal email account.

“[The attacker] had asked a variety of probing questions, including inquiring who the IT Manager was and what versions of software [the company] ran – all information that would be very useful for an attacker looking to craft an attack,” Scott explained.

The attacker emailed a RAR archive attachment containing three compressed files: one was malicious, while the other two were “benign,” or decoy, files. The weaponized file was ultimately designed to drop a backdoor called “Cookie Cutter” on the target's system, FireEye found.

In addition, a separate RAR archive attachment sent to the second firm was used to deliver a backdoor called “Kaba,” FireEye said.

FireEye warned users to be particularly on guard when using social networking sites or personal email, as APT groups “take advantage of every possible vector to try to gain a foothold in the organizations they target,” Scott said.

“Social networks are increasingly used for both personal and business reasons, and are one more potential threat vector that both end-users and network defenders need to think about,” he added.

Last month, researchers at iSight Partners uncovered a three-year espionage campaign targeting U.S. military and other high-level officials via an intricate social engineering scheme.

In the operation, dubbed “Newscaster,” attackers took on fake social media personas, and even erected a phony news site to gain the trust of their targets. Hackers, believed to be based in Iran, used numerous networking sites, including Facebook, LinkedIn, Twitter and Google+, to connect with victims, iSight Partners found.
