“Clandestine Fox” Attackers Target Energy Firms via Social Media: FireEye

An advanced persistent threat (APT) group whose activities have been monitored by FireEye has started using social networks to trick the employees of targeted organizations into installing malware, the company said Tuesday.

The activities of the actors involved in what FireEye calls “Operation Clandestine Fox” were first brought to light by the security firm back in April when the group leveraged an Internet Explorer zero-day exploit in targeted attacks. In May, researchers spotted a new version of the attack specifically targeting Windows XP machines running Internet Explorer 8.

FireEye has continued to monitor the APT actors and has identified targeted attacks leveraging a popular social media platform. According to FireEye, the attackers created a fake profile for a person named “Emily”, which they used to contact the employees of various energy companies pretending to be interested in a job.

After three weeks of exchanging messages with the employee of an unnamed energy company, “Emily” sent what appeared to be a resume to his personal email address. The email attachment, a RAR archive file, contained three files: resume.pdf, readme.txt and ttcalc.exe.

Interestingly, the resume.pdf file was a copy of an actual resume taken from the Internet and just like the readme.txt file, it wasn’t actually malicious. However, the executable file was a malicious version of the TTCalc open source math calculator. When executed, ttcalc.exe opened a legitimate version of TTCalc as a decoy, but it also dropped a couple of malicious files, including Backdoor.APT.CookieCutter, a backdoor from the Pirpi family.

After analyzing “Emily’s” profile, FireEye found a fake education history, and several contacts at the targeted energy company. FireEye also determined that the attackers had used the profile to contact other employees of the same company and people from other energy firms in an effort to get details about the software they had been using and their IT manager.

“It’s worth emphasizing that in the instances above, the attackers used a combination of direct contact via social networks as well as contact via email, to communicate with their intended targets and send malicious attachments. In addition, in almost all cases, the attackers used the target’s personal email address, rather than his or her work address,” FireEye’s Mike Scott noted in a blog post.

“This could be by design, with a view toward circumventing the more comprehensive email security technologies that most companies have deployed, or also due to many people having their social network accounts linked to their personal rather than work email addresses.”

In a different attack launched by the same group, researchers discovered an archive file containing a resume in PDF format and a password-protected self-extracting archive named SETUP.exe. This archive stored a malicious version of TTCalc designed to drop Backdoor.APT.Kaba (PlugX/Sogu).

“Although this backdoor is used by multiple threat groups and is quite commonly seen these days, this is the first time we’ve observed this particular threat group using this family of malware,” Scott noted.
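Both attachment layouts described above (a RAR archive packing decoy documents next to ttcalc.exe, and a password-protected self-extracting SETUP.exe) can be caught by a simple mail-gateway triage rule. The following is an added illustration written for this page, not FireEye's tooling; the extension lists and the sample file bytes are constructed for the example.

```python
import os
from typing import List, Optional

# Constructed policy lists for this example: what counts as executable
# content and what counts as a decoy/document in an attachment.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXT = {".pdf", ".txt", ".doc", ".docx", ".rtf"}

# Magic bytes of archive containers that a self-extracting stub carries.
ARCHIVE_SIGNATURES = {
    b"Rar!\x1a\x07": "RAR",
    b"PK\x03\x04": "ZIP",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def _ext(name: str) -> str:
    return os.path.splitext(name.lower())[1]


def triage_listing(members: List[str]) -> List[str]:
    """Flag an archive whose member list mixes decoy documents with an
    executable (the resume.pdf / readme.txt / ttcalc.exe pattern)."""
    exes = sorted(m for m in members if _ext(m) in EXECUTABLE_EXT)
    docs = sorted(m for m in members if _ext(m) in DOCUMENT_EXT)
    findings = []
    if exes and docs:
        findings.append(f"executable {exes} bundled with decoy document {docs}")
    elif exes:
        findings.append(f"executable in archive: {exes}")
    return findings


def embedded_archive_format(data: bytes) -> Optional[str]:
    """Detect a self-extracting archive: a PE file ('MZ' header) that carries
    an archive signature somewhere after the executable stub."""
    if not data.startswith(b"MZ"):
        return None
    for sig, fmt in ARCHIVE_SIGNATURES.items():
        if sig in data[2:]:
            return fmt
    return None


def triage_attachment(name: str, data: bytes, members: Optional[List[str]] = None) -> List[str]:
    """Run both checks on one attachment: its own bytes and, if it is an
    archive we could list, its member names."""
    findings = []
    if _ext(name) in EXECUTABLE_EXT:
        fmt = embedded_archive_format(data)
        if fmt:
            findings.append(f"{name} is a self-extracting {fmt} archive")
        else:
            findings.append(f"{name} is a bare executable attachment")
    findings.extend(triage_listing(members or []))
    return findings
```

A password-protected SFX cannot be listed without the password, which is exactly why the byte-level check on the outer .exe matters.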

FireEye has linked these attacks to the actors behind Operation Clandestine Fox based on the assumption that Backdoor.APT.CookieCutter has been used exclusively by this particular group. Furthermore, one of the command and control domains utilized in this operation had been seen before in Clandestine Fox.

Late last month, cyber intelligence firm iSIGHT Partners shared details of an operation that involved Iranian threat actors who used more than a dozen fake personas on popular social networking sites to conduct a wide-spanning cyber espionage operation that had been active since 2011.

“Using social media is both a way of establishing false bona fides while presenting a well accepted vector for reaching targets,” Anup Ghosh, founder and CEO of Invincea, told SecurityWeek recently. “A simple LinkedIn or Twitter update with a link, or a timely email from a connection with embedded link or attachment is enough to compromise the intended target’s machine, accounts, data, and enterprise network.”

“This is not surprising as every major foreign adversary is leveraging social media as a cyber attack vector,” added James C. Foster, CEO of ZeroFOX.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
