Nothing about the newly discovered 'Inception' attack framework is clear. The malware arrives via a spear phishing email, but the senders remain masked, clouded by intentionally planted clues meant to throw off anyone who becomes aware of their existence.
They could be in India, as evidenced by the use of Hindi in some of their Android malware. They could be in the Middle East, as evidenced by Arabic text strings in their BlackBerry malware. They could even be in the U.K., because the string "God_Save_The_Queen" was found in their BlackBerry malware.
Wherever they are, one thing is certain: this framework and its perpetrators are taking extreme measures to stay hidden. Their targets aren't exactly low-key, either. Most of the group's endeavors have been aimed at the finance sector in Russia; the oil and energy industry in Romania, Venezuela and Mozambique; and embassies and diplomats from various countries. Blue Coat researchers have detailed their findings on Inception in a recent white paper, and have made clear that this attack has left plenty to investigate.
“They've (the attackers) thrown things in there to throw off anyone that might be onto them,” said Waylon Grange, senior malware researcher, Blue Coat Systems, Inc. in a Tuesday interview with SCMagazine.com. “They have a different malware component attributed to China because they want researchers to believe this is China. Sometimes they have Hindi code or words, but we think it's meant to throw us off. Because they keep putting these red herrings in, it's hard for me to trust any of the hints they've left behind.”
The perpetrators behind 'Inception' capitalize on two vulnerabilities in Rich Text Format (RTF): CVE-2014-1761 and CVE-2012-0158. Primarily through phishing emails carrying a malicious payload disguised as, for instance, a legitimate news story, the attackers infect their targets; the compromised machines then unknowingly send the victim's files back to the command-and-control (C&C) servers, which in this instance are multiple cloud accounts at CloudMe.com. Once the malware has established its connection with a cloud account, it also checks configured subfolders for updates; if any exist, they are downloaded, decrypted and used, according to the white paper.
This methodology adds to the mystery surrounding the perpetrators.
“(Using the cloud) requires deeper inspection,” said Grange. “It doesn't point directly at them. It points to Google Drive (for instance), and there's no way of saying who's at the other end of that. It's another way to protect their identity as well.”
Each night, Grange said, the attackers communicate with the infected devices and task them to do something new. Encrypted data goes back and forth, but what is being said remains unclear.
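A defender-side check suggested by the C&C pattern described above (cloud storage accounts at CloudMe.com, contacted each night), as an added example that is not part of the article or of Blue Coat's research: it scans proxy log lines for clients that reach the cloud host during off-hours on several distinct nights. The log format, the off-hours window and the client IP addresses are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines: timestamp, client IP, destination host, method, bytes.
# This column layout is an assumption; adapt parse_line() to your proxy's schema.
SAMPLE_LOG = """\
2014-12-09T02:14:07 10.1.4.22 cloudme.com GET 512
2014-12-09T02:14:09 10.1.4.22 cloudme.com POST 40960
2014-12-09T14:03:11 10.1.7.5 www.example.org GET 2048
2014-12-10T02:15:03 10.1.4.22 cloudme.com POST 73216
2014-12-11T02:13:58 10.1.4.22 cloudme.com GET 1024
2014-12-10T11:20:44 10.1.9.8 cloudme.com GET 3072
"""

CLOUD_C2_HOSTS = {"cloudme.com"}   # cloud host named in the Inception write-up; extend as needed
OFF_HOURS = range(0, 6)            # 00:00-05:59, an assumed quiet period for this network


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, client, host, method, size = line.split()
    return datetime.fromisoformat(ts), client, host.lower(), method, int(size)


def find_suspicious_clients(log_text, min_nights=2):
    """Return {client: [dates]} for clients that contact a known cloud-C2 host
    during off-hours on at least `min_nights` distinct nights, which matches the
    nightly tasking pattern described by the researchers. Daytime use of the
    same service (a legitimate user) is not flagged on its own."""
    nights = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, host, _method, _size = parse_line(raw)
        if host in CLOUD_C2_HOSTS and ts.hour in OFF_HOURS:
            nights[client].add(ts.date().isoformat())
    return {c: sorted(d) for c, d in nights.items() if len(d) >= min_nights}


if __name__ == "__main__":
    for client, dates in find_suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: off-hours contact with cloud C2 host on {len(dates)} nights: {dates}")
```

Blocking or alerting on the cloud service outright is rarely practical; correlating off-hours repetition with the endpoint's process telemetry is the more useful follow-up.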