Rostelecom-Solar specialists discovered the previously unknown hacker group TinyScouts. The company's report states that the group is using a sophisticated attack pattern and unique malware to attack banks and energy companies.
The researchers write that at the first stage of the attack, hackers send phishing emails to employees of targeted organizations, in which the recipient is warned about the beginning of the second wave of the coronavirus pandemic, and for more information they are offered to follow the link. There are also variants of phishing emails that have a clear targeting: the message is directly related to the activities of the target organization and looks quite convincing, but it also contains a malicious link.
By clicking on such a link, the victim starts downloading the main component of the malware, which takes place in several stages. The attackers act as slowly and carefully as possible, since no single step on its own attracts the attention of security teams or protection systems. The download takes place over Tor, which renders popular countermeasures such as blocking connections to the attackers' server IP addresses ineffective.
At the next stage of the attack, the malware collects information about the infected computer and transfers it to its operators. If a given infrastructure node is of no interest to the hackers, an additional module is loaded onto it: ransomware that encrypts all information on the device and demands a ransom for decrypting the data.
It is noted that legitimate software is also used during the attack, in particular tools from NirSoft. Before the data on the computer is encrypted, this software collects user passwords from browsers and email clients while leaving no noticeable traces of activity, since it does not require installation and creates no registry entries.
If the infected computer is of interest to cybercriminals and can serve their further purposes, additional malware is loaded onto the machine, protected by several layers of obfuscation and encryption. This malware provides attackers with remote access and full control over the infected system. It is noteworthy that the malware is written in PowerShell – this is one of the extremely rare cases when this language is not just used by cybercriminals during an attack, but is a tool for creating full-fledged malware of this class. This attack scenario provides criminals with a wide range of monetization options: withdrawal of funds, theft of confidential data, espionage, and so on.
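The chain described above (a multi-stage download from a non-installed binary over Tor, portable NirSoft password tools that leave no registry footprint, and a PowerShell implant) is hard to catch with IP blocklists, but the stages can be correlated from process-creation and network telemetry on the endpoint. The following detection sketch is an added example, not code from the Rostelecom-Solar report; the event lines are constructed, the NirSoft utility names are an assumed watch-list (the report names only the vendor), and the Tor default ports are a heuristic that a maintained relay list would improve.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified key=value form, loosely modelled on
# Sysmon process-creation and network events. Not telemetry from the TinyScouts incident.
SAMPLE_EVENTS = r'''
host=WS-017 type=network image=C:\Users\u\AppData\Local\Temp\upd.exe dst=203.0.113.10 port=9001
host=WS-017 type=process image=C:\Users\u\AppData\Local\Temp\WebBrowserPassView.exe parent=cmd.exe
host=WS-017 type=process image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -w hidden -enc SQBFAFgA"
host=WS-042 type=process image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell Get-Process"
host=WS-042 type=network image=C:\Program Files\Mozilla Firefox\firefox.exe dst=203.0.113.20 port=443
'''
# Assumed watch-list of NirSoft password-recovery utilities; extend it for your environment.
NIRSOFT_TOOLS = {"webbrowserpassview.exe", "mailpv.exe", "chromepass.exe"}
TOR_DEFAULT_PORTS = {9001, 9030}   # default Tor ORPort/DirPort; relays may also listen on 443
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def stages_for(ev):
    """Map one event to the attack stages it is consistent with."""
    image = ev.get("image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    found = set()
    if ev.get("type") == "network":
        # Stage 1: a never-installed loader in a user-writable directory talking to a Tor-looking
        # port. Blocking server IPs does not help; the originating process is the signal.
        if "\\appdata\\local\\temp\\" in image and int(ev.get("port", 0)) in TOR_DEFAULT_PORTS:
            found.add("tor_staged_download")
    elif ev.get("type") == "process":
        if name in NIRSOFT_TOOLS:
            found.add("nirsoft_credential_harvest")   # portable tool, no registry footprint
        cmd = ev.get("cmdline", "").lower()
        if name == "powershell.exe" and ("-enc" in cmd or "-w hidden" in cmd):
            found.add("powershell_implant")            # hidden-window or encoded PowerShell
    return found

def score_hosts(log_text):
    """Return {host: sorted list of observed stages} for every host in the log."""
    seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        seen[ev["host"]].update(stages_for(ev))
    return {h: sorted(s) for h, s in seen.items()}

def hosts_matching_chain(log_text, min_stages=2):
    """Hosts on which at least min_stages distinct stages were seen (chain correlation)."""
    return sorted(h for h, s in score_hosts(log_text).items() if len(s) >= min_stages)
```

Correlating stages per host rather than alerting on each one keeps the slow, low-noise delivery the report describes from slipping past as isolated benign-looking events.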
The final decision on the attack scenario is made by the attacker after obtaining information about which organization the infected machine belongs to. According to the researchers, this indirectly indicates the planned scale of TinyScouts' activity and technical readiness for a number of simultaneous attacks on large organizations.
“TinyScouts use such malware and such delivery methods that we found no mention of in open sources, which means that we can make the assumption that this is the work of a new group. This fact, coupled with the number of tricks designed to go unnoticed, and the individuality of the attack scenario for each individual victim, suggests that this is not just another team organizing non-targeted mass attacks. According to our estimates, the technical skills of TinyScouts are definitely not lower than those of the group behind the Silence attacks, and in the technical aspects of delivering software to the machine, TinyScouts' victims even surpass them, although they are inferior to APT groups and government cyber troops,” noted Igor Zalevsky, head of incident investigation, Solar JSOC.