As frequently targeted, high-value companies continue fortifying their defenses, FireEye researchers claim that attackers are increasingly setting their sights on the affiliated but not-as-well-protected third-party organizations that do business with them.
By aiming phishing email campaigns at softer targets, attackers believe they can compromise the networks of more relevant organizations in a roundabout way without having to defeat their sophisticated security systems.
The FireEye Malware and Intelligence Lab illustrated this assertion in their analysis of an attack targeting a Taiwanese tech firm that frequently works with the government and financial services industry in that country. The attackers reportedly wanted to compromise both the Taiwanese Government and financial services organizations. Rather than launch a direct attack, they crafted an email purportedly coming from the Taiwanese Ministry of Finance in an attempt to phish employees of the unnamed tech firm and compromise it.
Once an attacker infiltrates the tech firm, he can leverage access given to the tech firm by the higher value targets in order to piggyback his way onto the more valuable Taiwanese Government and financial service networks.
The attack itself evades pattern-based malware detection methods by hiding its payload in an encrypted, password-protected Word document. In this way, attackers don’t need to develop their own zero-day exploit, but can rely on their victims to execute the malware themselves.
It may seem ineffective for an attacker to password protect his malware payload, but as Ronghwa Chong, senior malware and forensic engineer at FireEye, explained to Threatpost via email, a password-protected, encrypted Word document promises to be interesting, and the password in this case was easily guessable, so a number of users made the mistake of opening the malicious document.
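The defensive corollary of the evasion described above is that a content scanner cannot pattern-match what it cannot open, so a mail gateway should at least recognise encrypted Office attachments and hold them rather than deliver them unscanned. The following is an added example, not code from FireEye or from the Threatpost article. It assumes three format facts: an unencrypted .docx is a ZIP archive containing [Content_Types].xml; Office stores a password-protected .docx as an OLE compound file (magic D0 CF 11 E0 A1 B1 1A E1) whose directory contains an EncryptionInfo stream, with directory names stored as UTF-16LE; and a legacy .doc is also an OLE file whose encryption flag sits inside the WordDocument stream, which this heuristic does not parse. The sample attachments are constructed stubs, not real documents or malware.

```python
"""Triage of Word attachments that a pattern-based scanner cannot look inside.

Added example, not from the FireEye write-up or the Threatpost article.
Assumed format facts (see lead-in): plain .docx = ZIP with [Content_Types].xml;
encrypted .docx = OLE container with an "EncryptionInfo" stream (UTF-16LE name);
legacy .doc = OLE container whose encryption flag this code does not parse.
"""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENCRYPTION_INFO_UTF16 = "EncryptionInfo".encode("utf-16-le")


def classify_word_attachment(data: bytes) -> str:
    """Return one of: ooxml_plain, ooxml_encrypted, ole_opaque, not_word.

    ole_opaque means an OLE container without the EncryptionInfo marker
    (typically a legacy .doc); whether it is encrypted is not decided here,
    so the policy below treats it as unscannable as well.
    """
    if data.startswith(OLE_MAGIC):
        # Raw scan for the UTF-16LE directory entry name, YARA-style; no OLE parsing.
        return "ooxml_encrypted" if ENCRYPTION_INFO_UTF16 in data else "ole_opaque"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "not_word"
    if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
        return "ooxml_plain"
    return "not_word"


def gateway_verdict(data: bytes) -> str:
    """Policy: pass scannable documents to the AV engine; hold anything the
    engine cannot open so it is never delivered unscanned."""
    kind = classify_word_attachment(data)
    if kind in ("ooxml_encrypted", "ole_opaque"):
        return "hold_for_review"
    return "scan"  # plain OOXML and non-Word data take the normal scanner path


def build_samples() -> dict:
    """Constructed sample inputs (not real documents or malware): a minimal
    plain .docx built in memory, a stub shaped like an encrypted .docx, and a
    stub shaped like a legacy .doc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    plain = buf.getvalue()
    # OLE header magic, padded to a 512-byte header, then a directory-style
    # UTF-16LE entry name as the real container would carry it.
    encrypted = OLE_MAGIC + b"\x00" * 504 + ENCRYPTION_INFO_UTF16.ljust(64, b"\x00")
    legacy = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le").ljust(64, b"\x00")
    return {"report.docx": plain, "invoice.docx": encrypted, "memo.doc": legacy}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:14} {classify_word_attachment(blob):16} -> {gateway_verdict(blob)}")
```

The string scan deliberately avoids a full OLE parser: it errs toward holding files, which is the right failure mode for a gateway, since a held attachment can be released after review while an unscanned one cannot be recalled. A fuller implementation would walk the OLE directory and, for legacy .doc files, read the fEncrypted bit from the WordDocument stream's FIB.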
In his analysis, Chong claims a number of tell-tale signs indicate that this particular attack is emanating from China. You can read more about the technical aspects of the attack in Chong’s write-up on the FireEye Malware and Intelligence Lab blog.