Hold off on the notion that watering hole attacks are about to supplant phishing as the initial means of compromise in advanced attacks. A number of recent targeted campaigns have used the disappearance of Malaysia Airlines Flight 370 as a lure to infect government officials in the U.S. and Asia-Pacific.
FireEye today published research on a number of spear phishing attacks that carried either malicious attachments or links to malicious websites. One Chinese group, admin@338, has previously targeted international financial firms with expertise in analyzing global economic policy. Two days after Flight 370 was reported missing, a spear phishing email with an attachment referring to the missing airliner was sent to government officials in Asia-Pacific, FireEye said.
Users who opened the attachment saw a blank document, while in the background a variant of the Poison Ivy Trojan was installed and eventually connected back to a command and control server at www[.]verizon[.]proxydns[.]com. This group has used both Poison Ivy and this domain in previous attacks, FireEye said.
Poison Ivy has some miles on it, but security researchers say hacker groups, in particular some with ties to China, continue to make use of it. The malware is a remote access Trojan that lets attackers not only set up backdoor communication with infected machines, but also push additional malicious code, steal documents and system information, and pivot internally.
FireEye said it monitored a second attack from the admin@338 group, which targeted a "U.S.-based think tank" on March 14. The malicious attachment was an executable posing as a Flash video related to the missing plane, with a Flash icon attached to the executable to complete the disguise, researchers said.
This version of Poison Ivy connected to its command and control at dpmc[.]dynssl[.]com:443 and www[.]dpmc[.]dynssl[.]com:80, FireEye said, adding that the phony Verizon domain used in the first attack also resolved to an IP address used in this attack.
Admin@338 is not the only hacker group using the Malaysia tragedy to its advantage. On March 9, a malicious executable disguised as a PDF connected to a command and control server at net[.]googlereader[.]pw:443. The victim was shown a decoy PDF purporting to be a CNN story about the disappearance of the flight.
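The command and control hosts quoted above are the kind of indicator a defender can sweep proxy or DNS logs for straight away. The script below is an added example, not code from FireEye or from the original article: it refangs the indicators exactly as they appear in the text, then matches them against constructed proxy log lines (the `timestamp client-ip host[:port]` format and the sample entries are assumptions made for this example). An indicator that names a port only fires on that port; an indicator without a port fires on any port, and subdomains of an indicator are treated as hits while the parent domain is not.

```python
"""Sweep proxy log lines for the Poison Ivy C2 indicators quoted in the article."""
import re
from typing import Iterable, List, Optional, Tuple

# C2 indicators as quoted in the text, kept defanged so the list is safe to copy around.
DEFANGED_IOCS = [
    "www[.]verizon[.]proxydns[.]com",
    "dpmc[.]dynssl[.]com:443",
    "www[.]dpmc[.]dynssl[.]com:80",
    "net[.]googlereader[.]pw:443",
]

# Constructed sample proxy log (timestamp, client IP, destination host[:port]).
# These lines are made up for this example and are not from FireEye's report.
SAMPLE_LOG = """\
2014-03-12T10:15:02Z 10.0.0.5 www.verizon.proxydns.com:443
2014-03-14T08:01:44Z 10.0.0.9 dpmc.dynssl.com:443
2014-03-14T08:02:10Z 10.0.0.9 dpmc.dynssl.com:8080
2014-03-14T08:03:00Z 10.0.0.9 www.verizon.com:443
2014-03-09T12:00:00Z 10.0.0.2 net.googlereader.pw:443
2014-03-09T12:00:05Z 10.0.0.2 cdn.net.googlereader.pw:443
2014-03-09T12:00:07Z 10.0.0.2 googlereader.pw:443
"""

# Assumed log layout: "<timestamp> <client-ip> <host>[:<port>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d+))?\s*$"
)


def refang(ioc: str) -> str:
    """Turn 'a[.]b[.]c:443' back into 'a.b.c:443' (lowercased) for comparison."""
    return ioc.replace("[.]", ".").strip().lower()


def parse_ioc(ioc: str) -> Tuple[str, Optional[int]]:
    """Split a defanged or plain indicator into (hostname, port-or-None)."""
    host, _, port = refang(ioc).partition(":")
    return host.rstrip("."), (int(port) if port else None)


def host_matches(seen_host: str, ioc_host: str) -> bool:
    """Exact match or a subdomain of the indicator; the parent domain never matches."""
    seen = seen_host.lower().rstrip(".")
    return seen == ioc_host or seen.endswith("." + ioc_host)


def match_line(line: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the first indicator the log line hits, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip it rather than guess
    seen_host = m.group("host")
    seen_port = int(m.group("port")) if m.group("port") else None
    for ioc in iocs:
        ioc_host, ioc_port = parse_ioc(ioc)
        if not host_matches(seen_host, ioc_host):
            continue
        # A port in the indicator only fires on that port; a log line that
        # recorded no port is still flagged on the hostname alone.
        if ioc_port is not None and seen_port is not None and seen_port != ioc_port:
            continue
        return ioc
    return None


def scan(log_text: str, iocs: Iterable[str] = DEFANGED_IOCS) -> List[Tuple[str, str]]:
    """Return (log line, indicator) pairs for every hit in the log text."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ioc = match_line(line, iocs)
        if ioc is not None:
            hits.append((line, ioc))
    return hits


if __name__ == "__main__":
    for line, ioc in scan(SAMPLE_LOG):
        print(f"HIT {ioc:<32} {line}")
```

Run against the sample log this flags four lines: the Verizon look-alike, dpmc.dynssl.com on 443, and both the exact and a subdomain hit on net.googlereader.pw. The same host on port 8080 and the bare parent domain googlereader.pw are left alone; whether to loosen either of those rules is a tuning decision, since FireEye noted the first campaign's domain resolved to an IP shared with the second, so pairing these hostname checks with IP-based indicators from the original report is the natural next step.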
Three more samples were detected that used either a Word document or an executable disguised with a .DOC extension to drop an exploit for CVE-2012-0158, a Microsoft Office vulnerability patched in 2012 that was also used in the IceFog, NetTraveler and Red October APT campaigns reported by Kaspersky Lab. All of these samples behaved similarly, targeting high-value victims and establishing backdoor connections.