Security Experts:

"Clandestine Fox" Attackers Target Energy Firms via Social Media: FireEye

An advanced persistent threat (APT) group whose activities have been monitored by FireEye has started using social networks to trick the employees of targeted organizations into installing malware, the company said Tuesday.

The activities of the actors involved in what FireEye calls “Operation Clandestine Fox” were first brought to light by the security firm back in April when the group leveraged an Internet Explorer zero-day exploit in targeted attacks. In May, researchers spotted a new version of the attack specifically targeting Windows XP machines running Internet Explorer 8.

FireEye has continued to monitor the APT actors and has identified targeted attacks leveraging a popular social media platform. According to FireEye, the attackers created a fake profile for a person named “Emily”, which they used to contact the employees of various energy companies pretending to be interested in a job.

After three weeks of exchanging messages with the employee of an unnamed energy company, “Emily” sent what appeared to be a resume to his personal email address. The email attachment, a RAR archive file, contained three files: resume.pdf, readme.txt and ttcalc.exe.

Interestingly, the resume.pdf file was a copy of an actual resume taken from the Internet and just like the readme.txt file, it wasn’t actually malicious. However, the executable file was a malicious version of the TTCalc open source math calculator. When executed, ttcalc.exe opened a legitimate version of TTCalc as a decoy, but it also dropped a couple of malicious files, including Backdoor.APT.CookieCutter, a backdoor from the Pirpi family.

After analyzing “Emily’s” profile, FireEye found a fake education history, and several contacts at the targeted energy company. FireEye also determined that the attackers had used the profile to contact other employees of the same company and people from other energy firms in an effort to get details about the software they had been using and their IT manager.

“It’s worth emphasizing that in the instances above, the attackers used a combination of direct contact via social networks as well as contact via email, to communicate with their intended targets and send malicious attachments. In addition, in almost all cases, the attackers used the target’s personal email address, rather than his or her work address,” FireEye’s Mike Scott noted in a blog post.

“This could be by design, with a view toward circumventing the more comprehensive email security technologies that most companies have deployed, or also due to many people having their social network accounts linked to their personal rather than work email addresses.”

In a different attack launched by the same group, researchers discovered an archive file containing a resume in PDF format and a password-protected self-extracting archive named SETUP.exe. This archive stored a malicious version of TTCalc designed to drop Backdoor.APT.Kaba (PlugX/Sogu).

“Although this backdoor is used by multiple threat groups and is quite commonly seen these days, this is the first time we’ve observed this particular threat group using this family of malware,” Scott noted.

FireEye has linked these attacks to the actors behind Operation Clandestine Fox based on the assumption that Backdoor.APT.CookieCutter has been used exclusively by this particular group. Furthermore, one of the command and control domains utilized in this operation had been seen before in Clandestine Fox.

Late last month, cyber intelligence firm iSIGHT Partners shared details of an operation that involved Iranian threat actors who used more than a dozen fake personas on popular social networking sites to conduct a wide-spanning cyber espionage operation that had been active since 2011.

“Using social media is both a way of establishing false bona fides while presenting a well accepted vector for reaching targets,” Anup Ghosh, founder and CEO of Invincea, told SecurityWeek recenty. “A simple LinkedIn or Twitter update with a link, or a timely email from a connection with embedded link or attachment is enough to compromise the intended target's machine, accounts, data, and enterprise network.”

This is not surprising as every major foreign adversary is leveraging social media as a cyber attack vector,” added James C. Foster, CEO  of ZeroFOX.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.