Industrial production companies are the targets in a large-scale spear-phishing email campaign aimed at installing legitimate remote administration software on victims’ systems.
Researchers with Kaspersky Lab said that emails purporting to be commercial offers were the conduit to enabling attackers to gain remote control of the systems for financial gain.
“According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts,” the researchers said in a post on Wednesday. “When attackers connect to a victim’s computer, they search for and analyze purchase documents, as well as the financial and accounting software used. After that, the attackers look for various ways in which they can commit financial fraud, such as spoofing the bank details used to make payments.”
Researchers observed a spate of these types of emails starting in November 2017 — and the campaign is ongoing, having targeted up to 400 industrial companies located in Russia. The phishing emails are well-designed, with some purporting to be invitations to tender from large industrial companies, researchers said.
Attackers have paid careful attention to detail in the content of each email, accurately reflecting the activity of the targeted organization and the type of work performed by the employee to whom the email is sent. This suggests a high level of reconnaissance work.
“It is worth noting that the attackers addressed an employee of the company under attack by his or her full name,” researchers said. “This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.”
Some of these emails carry malicious attachments packed into archives; others have no attachment at all and instead use message text to lure users into following links to external resources, from which the malicious objects are then downloaded.
“There are several known ways in which the malware can be installed in a system,” researchers said. “Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.”
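The two delivery methods described above, an executable or a Windows command-interpreter script that may arrive packed in an archive, are what a mail-gateway triage rule has to look for. The following is an added example, not code from Kaspersky or from the report: it builds a constructed "commercial offer" message in memory with a zipped .cmd script, then walks the attachments and flags risky file types directly attached or inside a zip. The extension list and the sample names are assumptions chosen for illustration.

```python
"""Triage e-mail attachments for executables and command-interpreter scripts,
including ones packed inside a zip archive. Added example; the message is
constructed in memory so the script runs offline."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: a starting list of extensions that run as code on Windows,
# covering the article's two delivery methods (executables and cmd scripts).
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cmd", ".bat", ".js", ".vbs"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    """Lower-cased final extension of a file name ('' if there is none)."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def risky_names_in_zip(data):
    """Names inside a zip archive that carry a risky extension.

    An unreadable archive is reported rather than silently ignored, because a
    corrupted or deliberately odd archive still deserves an analyst's eye.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _ext(n) in RISKY_EXTENSIONS]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def triage(raw_message):
    """Return a list of findings for one RFC 822 message given as bytes."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = _ext(name)
        if ext in RISKY_EXTENSIONS:
            findings.append(f"direct attachment {name!r} has risky extension {ext}")
        elif ext in ARCHIVE_EXTENSIONS:
            for inner in risky_names_in_zip(payload):
                findings.append(f"archive {name!r} contains {inner!r}")
    return findings


def build_sample_message():
    """Constructed lure: an 'invitation to tender' with a zipped .cmd script
    whose name imitates a PDF. Addresses and names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Commercial_offer_2018.pdf.cmd", "@echo constructed sample\r\n")
        zf.writestr("price_list.xlsx", "not a real workbook")
    msg = EmailMessage()
    msg["From"] = "tenders@example.invalid"
    msg["To"] = "i.petrov@example.invalid"
    msg["Subject"] = "Invitation to tender"
    msg.set_content("Please see the attached commercial offer.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="offer.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print(finding)
```

The double extension in the sample (`.pdf.cmd`) is why the check keys on the final extension only; a rule that matched `.pdf` anywhere in the name would wave the script through.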
RMS vs TeamViewer
Regardless of the installation method, all emails kicked off malicious processes that install one of two types of legitimate remote administration software – either TeamViewer or Remote Manipulator System/Remote Utilities (RMS).
For both, malicious code is injected into the process by substituting a malicious library for a system DLL.
The malicious library includes the system file winspool.drv, which is located in the system folder and is used to send documents to the printer. Once loaded, winspool.drv decrypts configuration files prepared by the attackers, including software settings and the password for remotely controlling the machine.
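The substitution described above leaves a telemetry footprint a defender can key on: a library named winspool.drv being loaded from somewhere other than the Windows system directory, without a Microsoft signature, by a remote-administration binary. The following is an added detection example, not Kaspersky's code and not derived from the report's indicators: it parses constructed records in the "Key: value" layout of a Sysmon "Image loaded" (Event ID 7) message and scores each winspool.drv load. The system-directory paths and the list of remote-administration process names (teamviewer.exe is TeamViewer's real binary name; rutserv.exe and rfusclient.exe are assumed here as RMS/Remote Utilities names) are assumptions for the example.

```python
"""Flag winspool.drv loads that look like DLL substitution in Sysmon-style
"Image loaded" records. Added example; all records below are constructed."""
import ntpath

# Assumption: default Windows install paths where the genuine winspool.drv lives.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Process names treated as remote-administration tools for this example.
# teamviewer.exe is TeamViewer's binary; the RMS names are assumptions.
REMOTE_ADMIN_TOOLS = {"teamviewer.exe", "rutserv.exe", "rfusclient.exe"}

# Constructed records, one per load, in the Sysmon event-message line format.
SAMPLE_EVENTS = [
    r"""Image: C:\Windows\explorer.exe
ImageLoaded: C:\Windows\System32\winspool.drv
Signed: true
Signature: Microsoft Windows""",
    r"""Image: C:\Users\ivan\AppData\Local\Temp\offer\TeamViewer.exe
ImageLoaded: C:\Users\ivan\AppData\Local\Temp\offer\winspool.drv
Signed: false
Signature: -""",
    r"""Image: C:\Program Files\TeamViewer\TeamViewer.exe
ImageLoaded: C:\Windows\System32\winspool.drv
Signed: true
Signature: Microsoft Windows""",
    r"""Image: C:\ProgramData\Remote Utilities\rutserv.exe
ImageLoaded: C:\ProgramData\Remote Utilities\winspool.drv
Signed: true
Signature: Some Vendor Ltd""",
]


def parse_event(text):
    """Turn a 'Key: value' block into a dict; values may themselves contain ':'."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(event):
    """Reasons a winspool.drv load looks like substitution (empty list = benign).

    Loads of any other module return [] so the rule stays narrow; a genuine
    System32, Microsoft-signed winspool.drv is benign even when TeamViewer
    loads it, which keeps legitimate installs from firing the alert.
    """
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "winspool.drv":
        return []
    reasons = []
    if ntpath.dirname(loaded).lower() not in SYSTEM_DIRS:
        reasons.append(f"loaded from non-system path: {loaded}")
    signed = event.get("Signed", "").lower() == "true"
    by_microsoft = "microsoft" in event.get("Signature", "").lower()
    if not (signed and by_microsoft):
        reasons.append("library is not Microsoft-signed")
    loader = ntpath.basename(event.get("Image", "")).lower()
    if reasons and loader in REMOTE_ADMIN_TOOLS:
        reasons.append(f"loaded by remote-administration tool {loader}")
    return reasons


def scan(raw_events):
    """Map each flagged loader image path to its reasons; benign loads are omitted."""
    flagged = {}
    for raw in raw_events:
        event = parse_event(raw)
        reasons = assess(event)
        if reasons:
            flagged[event.get("Image", "")] = reasons
    return flagged


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The third sample record matters as much as the second: a properly installed TeamViewer loading the real winspool.drv must not alert, otherwise the rule is unusable in any environment where the tool is sanctioned.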
In the case of RMS, one of the configuration files contains an email address to which information about the infected system is sent (including computer name, user name and the RMS machine’s internet ID).
TeamViewer software is different in that information from infected systems is sent to malware command-and-control servers rather than via email. Its malicious library contains a file with various parameters, such as the password used for remotely controlling the system and a URL of the attackers’ command-and-control server. Unlike RMS, TeamViewer also uses a built-in VPN to remotely control a computer located behind NAT.
After infecting victims’ computers, attackers use either tool to take control and search for purchase documents, or financial and accounting software. After that, there are various ways they can commit financial fraud, including spoofing the bank details used to make payments.
Researchers said that industrial companies are more enticing as a target for cybercriminals due to widespread security weaknesses in their operational technology systems.
“This choice on the part of the cybercriminals could be explained by the fact that the threat-awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies),” they said.
Also concerning is the use of legitimate remote administration software to evade detection by antivirus solutions, a trend that researchers said will continue: “Remote administration capabilities give criminals full control of compromised systems, so possible attack scenarios are not limited to the theft of money. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious video surveillance of the victim companies’ employees, and record audio and video using devices connected to infected machines.”