Kaspersky ICS CERT experts have discovered a series of targeted attacks on organizations in several countries. As of early May 2020, attacks on systems in Japan, Italy, Germany and the UK were known. The victims include, among others, suppliers of equipment and software for industrial enterprises.
The initial attack vector is phishing emails whose text is written in the language of each specific target. Moreover, the malware used in this attack carries out its malicious activity only if the operating system's localization matches the language of the phishing email. For example, in an attack on a company from Japan, both the phishing message and the Microsoft Office document containing the malicious macro are written in Japanese, and the malware module can only be successfully decrypted if the OS has Japanese localization.
The researchers report that the attackers use the Mimikatz utility to steal credentials from the infected system and move laterally within the enterprise network, but the criminals' ultimate goal remains unknown and the investigation is ongoing.
Notably, the macros in the malicious documents decode and run a PowerShell script (detected as HEUR:Trojan.PowerShell.Generic) that randomly selects one of several URLs embedded in it, all of which point to public image hosting services (imgur.com and imgbox.com). The image at the chosen URL is downloaded and the data extraction procedure begins.
The data is hidden in the image using steganography and is extracted by the malware from pixels whose indices are determined by an algorithm. Steganography lets the attackers bypass some security controls, in particular network traffic scanners, since what crosses the network boundary is an ordinary image downloaded from a legitimate, widely used hosting service.
The data extracted from the image is Base64-encoded, then encrypted with the RSA algorithm, then Base64-encoded again. The analysts note that the text of an exception is used as the decryption key, and for this purpose the script code deliberately contains an error. The exception text depends on the localization of the operating system, so the malicious script in each specific attack is most likely prepared by the attackers for victims in a particular country. A practical consequence for analysts is that a sandbox running with a different UI language produces a different exception message and the payload never decrypts, so the sample has to be detonated under the target localization, or the expected message has to be obtained from a system with that localization.
The decrypted and decoded data is another PowerShell script, which is then executed. It in turn Base64-decodes part of its own contents and decompresses the resulting buffer with the Deflate algorithm. The result is yet another PowerShell script: an obfuscated instance of Trojan-PSW.PowerShell.Mimikatz.
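The following Python script is added here to illustrate the locale-dependent key trick from the victim's and the analyst's points of view; it is not code from the sample or from Kaspersky's report. The page does not give the sample's cipher details, so the RSA step is swapped for a SHA-256 counter keystream (an assumed stand-in), the candidate exception texts in CANDIDATE_MESSAGES are constructed placeholders, and the function names build_blob, open_blob and recover_with_candidates are hypothetical. What the example preserves is the property that matters: no key is stored in the script, and the key only comes into existence on a system that raises the expected localized message.

```python
import base64
import hashlib

# Constructed candidate texts for one .NET exception under several Windows UI languages.
# These are illustrative placeholders, NOT strings taken from the sample; in a real
# investigation the exact message is collected from a VM set to each target localization.
CANDIDATE_MESSAGES = {
    "en-US": "Attempted to divide by zero.",
    "ja-JP": "0 で除算しようとしました。",
    "de-DE": "Es wurde versucht, durch 0 zu teilen.",
}


def keystream(key_text, length):
    """ASSUMED stand-in for the sample's RSA step: a SHA-256 counter-mode keystream keyed
    by the exception text.  Not the malware's cipher; it only makes the locale dependence
    runnable offline."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key_text.encode("utf-8") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_blob(stage_script, key_text):
    """Attacker side, mirroring the described layering: Base64 -> encrypt -> Base64."""
    inner = base64.b64encode(stage_script.encode("utf-8"))
    return base64.b64encode(xor_bytes(inner, keystream(key_text, len(inner))))


def open_blob(blob, key_text):
    """Victim side: Base64-decode, decrypt with the locally produced exception text,
    Base64-decode again.  Returns None when the plaintext is not valid Base64/UTF-8,
    which is what happens on a system with a different UI language."""
    enc = base64.b64decode(blob)
    inner = xor_bytes(enc, keystream(key_text, len(enc)))
    try:
        return base64.b64decode(inner, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def recover_with_candidates(blob, candidates=CANDIDATE_MESSAGES):
    """Analyst side: the sandbox's own locale will usually fail, so try every collected
    localized message and report which one opens the blob."""
    for locale, message in candidates.items():
        script = open_blob(blob, message)
        if script is not None:
            return locale, script
    return None, None


if __name__ == "__main__":
    blob = build_blob("Write-Output 'constructed second stage'", CANDIDATE_MESSAGES["ja-JP"])
    print(open_blob(blob, CANDIDATE_MESSAGES["en-US"]))  # None: wrong localization
    print(recover_with_candidates(blob))                  # the ja-JP entry opens it
```

In the real loader the key material is a PowerShell exception message read inside a catch block (for example `$_.Exception.Message`), which the .NET runtime renders in the installed UI language. The analyst-side helper shows why a static list of candidate strings from localized VMs is worth keeping: with only an English sandbox, open_blob returns None for every run and the second stage is never observed.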
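To make the extraction pipeline concrete, here is an added Python example (not code from the sample or from Kaspersky's analysis) that embeds a Deflate-compressed, Base64-encoded stage into the least significant bits of pixels chosen by an algorithm, then recovers it the way the pixel extraction and the final decode-and-inflate steps described above do. The carrier image (synthetic noise held as a list of RGB tuples, no image library needed), the pixel-selection rule (a start/step stride permutation) and every function name are assumptions standing in for details the page does not give; the RSA step keyed by the exception text is left out of this block.

```python
import base64
import zlib

# Constructed carrier: a 64x64 RGB "image" kept as a flat list of (r, g, b) tuples.
# It stands in for the PNG fetched from the image host; the pixel values are synthetic
# (an LCG noise pattern), not taken from any real sample.
WIDTH, HEIGHT = 64, 64


def make_carrier(width=WIDTH, height=HEIGHT):
    """Deterministic pseudo-noise pixels so the round trip is reproducible without files."""
    pixels = []
    x = 0x2545F491
    for _ in range(width * height):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        pixels.append(((x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF))
    return pixels


def pixel_order(total, start=17, step=1031):
    """Pixel numbers that carry payload bits, in read order.  A stride permutation is an
    ASSUMED stand-in for the loader's own selection algorithm; `step` must be coprime
    with `total` so that every pixel is visited exactly once."""
    return [(start + i * step) % total for i in range(total)]


def bytes_to_bits(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def embed(pixels, payload, start=17, step=1031):
    """Attacker side: write a 4-byte length header plus payload into the least significant
    bit of R, G and B of the selected pixels.  Returns a new pixel list."""
    bits = list(bytes_to_bits(len(payload).to_bytes(4, "big") + payload))
    if len(bits) > len(pixels) * 3:
        raise ValueError("payload does not fit in carrier")
    out = list(pixels)
    pos = 0
    for idx in pixel_order(len(pixels), start, step):
        if pos >= len(bits):
            break
        channels = list(out[idx])
        for c in range(3):
            if pos < len(bits):
                channels[c] = (channels[c] & 0xFE) | bits[pos]
                pos += 1
        out[idx] = tuple(channels)
    return out


def extract(pixels, start=17, step=1031):
    """Victim/analyst side: read LSBs in the same pixel order and strip the length header.
    With the wrong (start, step) the header is carrier noise and the result is garbage."""
    bits = []
    for idx in pixel_order(len(pixels), start, step):
        r, g, b = pixels[idx]
        bits.extend((r & 1, g & 1, b & 1))
    raw = bits_to_bytes(bits)
    length = int.from_bytes(raw[:4], "big")
    return raw[4:4 + length]


def pack_stage(script_text):
    """Layering described for the final stage: Deflate-compress, then Base64."""
    comp = zlib.compressobj(level=9, wbits=-15)  # wbits=-15 -> raw Deflate, no zlib header
    return base64.b64encode(comp.compress(script_text.encode("utf-8")) + comp.flush())


def unpack_stage(blob):
    """Reverse of pack_stage: Base64-decode, then raw-Deflate-decompress."""
    return zlib.decompress(base64.b64decode(blob), wbits=-15).decode("utf-8")


def demo(script="Write-Output 'constructed stage script'"):
    """Round trip; returns the recovered script and the number of pixels that were touched."""
    carrier = make_carrier()
    stego = embed(carrier, pack_stage(script))
    touched = sum(1 for a, b in zip(carrier, stego) if a != b)
    return unpack_stage(extract(stego)), touched


if __name__ == "__main__":
    print(demo())
```

Running the file prints the recovered script and the number of pixels that had to change, a few hundred out of 4096 for a short stage. That is the scale of modification a traffic scanner would have to notice in an otherwise valid image from a popular hosting site, which is why this kind of loader passes content inspection. Reading the LSBs with the wrong start and step yields only carrier noise, so an analyst needs the selection algorithm from the PowerShell stage (the constants or loop that computes pixel numbers) before the downloaded image is of any use.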
As mentioned above, Mimikatz and its analogues are used by cybercriminals to steal the Windows account credentials stored on a compromised system. These credentials can be used to gain access to other systems within the enterprise network and to extend the attack. The situation is particularly dangerous when credentials with domain administrator rights fall into the attackers' hands.
The experts conclude that the methods described, together with the small and selective set of infections, indicate a targeted attack. Also of concern is the presence of contractors of industrial enterprises among the victims. If the credentials of contractor employees fall into attackers' hands, the consequences can range from theft of confidential data to attacks on industrial enterprises through the remote administration tools used by the contractor.