Cybercriminals Use Macro-based Attack to Target Money-Rich Industries

Researchers from Cisco Systems have been monitoring the activities of a threat actor whose operations are aimed at high profile, money-rich industries such as oil, jewelry, banking and television.

According to Cisco, the attacks launched by the group start with a spear phishing email that appears to be an invoice, a receipt or a purchase order. The malicious emails have a Microsoft Word document attached to them and look fairly standard, but the attachment is not currently blocked by most antivirus engines.

When the document is opened, an “On-Open” macro written in Visual Basic for Applications (VBA) is run, and a malicious file is downloaded and executed on the victim’s computer. In an attack aimed at a company that focuses on research and manufacturing, the executable contacted three domains: dl.dropboxusercontent.com,  londonpaerl.co.uk and selombiznet.in.

dl.dropboxusercontent.com is a legitimate Dropbox domain which the attackers have used to host four different components of the exploit payload, while londonpaerl.co.uk and selombiznet.in have been utilized as command and control (C&C) servers, Cisco said.

Researchers have determined that londonpaerl.co.uk is a typosquat of londonpearl.co.uk, the official website of pearls and pearl jewelry supplier London Pearl. An analysis of the fake website, which claims to belong to an employment agency, has shown that the threat group has been operational since at least 2007.

Based on domain “whois” information, Cisco has managed to identify several other domains used by the attackers for their malicious activities, including londonpearl-uk.co, france24.in, hussainscan.com and mylovekemy.in. The londonpearl-uk.co domain was used in May in attacks aimed at a single organization involved in industrial manufacturing. At the time, Cisco blocked five backdoor components used in the attacks which took place on the same day, within a 90-minute timeframe.

“During the investigation, we identified several different campaigns believed to be associated with this threat actor involving many other pieces of malware. Many of the domains appear to be suspended presumably due to past malicious activity,” Craig Williams, technical leader for Cisco threat research, wrote in a blog post.

“In fact, during the investigation the threat actor changed the information on some of the domains several times. Luckily, if you monitor whois history you can still view all of this information, including the evasion attempt.  While we were performing the investigation, items like addresses, email addresses, and such were changed, literally, in between browser refreshes.”

Cisco’s blog post doesn’t contain any information on the geographical distribution of victims, but the company’s representatives told SecurityWeek that they’re seeing a clear focus on Europe.