Attackers, purportedly hailing from Korea, have been targeting individuals in Russia’s aerospace, IT, education and telecommunication industries with hopes of extracting their passwords and credentials.
According to a post on FireEye’s Malware Intelligence Lab by researchers Alex Lanstein and Ali Islam, the attacks are coming in the form of a rigged Cyrillic Word file. That malicious file, nicknamed “Sanny” by the researchers, looks clean but actually drops another executable, along with a pair of .DLL files when the exploit is launched.
The attack goes on to leverage a Korean message board, nboard.net, as its command and control (C+C) channel, or if unavailable, checks mail connectivity via a Korean Yahoo mail server and the emails “mailboote AT yahoo.co.kr” and “jbaksanny AT yahoo.com.” This, along with the fact the SMTP mail server and CnC are in Korea, leads FireEye to believe the attacks are emanating from that country. The blog goes on to note two fonts used in the Word document, Batang and KP CheongPong, are Korean too.
Once finally in, it’s clear to see what information the malware has harvested from the infected computer. Lists of Microsoft Outlook accounts along with data from Firefox, including usernames and passwords for sites like Hotmail and Facebook are collected. FireEye posted the following image of the malware collecting information (including the victim’s location) before shipping it off to the C+C server:
While all of the attack’s victims are visible in plain-text, the stolen data is encoded and sent to the C+C server via HTTP POST where it’s monitored and deleted what appears to be every two days.
“It looks like the attacker has a two-day cycle, i.e., after every two days, he/she collects the stolen data and deletes it from the CnC server. In the last five days, the attacker collected and deleted the data three times approximately after every two days,” according to FireEye.
After scouring IP addresses from victim logs, FireEye deduced that individuals in the Russian space research industry, information industry, education industry and the telecommunication industry are all being implicated by the attacks, which as of yesterday at least, continue to persist.