Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Cybercriminals Use Macro-based Attack to Target Money-Rich Industries

Researchers from Cisco Systems have been monitoring the activities of a threat actor whose operations are aimed at high profile, money-rich industries such as oil, jewelry, banking and television.

Researchers from Cisco Systems have been monitoring the activities of a threat actor whose operations are aimed at high profile, money-rich industries such as oil, jewelry, banking and television.

According to Cisco, the attacks launched by the group start with a spear phishing email that appears to be an invoice, a receipt or a purchase order. The malicious emails have a Microsoft Word document attached to them and look fairly standard, but the attachment is not currently blocked by most antivirus engines.

When the document is opened, an “On-Open” macro written in Visual Basic for Applications (VBA) is run, and a malicious file is downloaded and executed on the victim’s computer. In an attack aimed at a company that focuses on research and manufacturing, the executable contacted three domains: dl.dropboxusercontent.com,  londonpaerl.co.uk and selombiznet.in.

dl.dropboxusercontent.com is a legitimate Dropbox domain which the attackers have used to host four different components of the exploit payload, while londonpaerl.co.uk and selombiznet.in have been utilized as command and control (C&C) servers, Cisco said.

Researchers have determined that londonpaerl.co.uk is a typosquat of londonpearl.co.uk, the official website of pearls and pearl jewelry supplier London Pearl. An analysis of the fake website, which claims to belong to an employment agency, has shown that the threat group has been operational since at least 2007.

Based on domain “whois” information, Cisco has managed to identify several other domains used by the attackers for their malicious activities, including londonpearl-uk.co, france24.in, hussainscan.com and mylovekemy.in. The londonpearl-uk.co domain was used in May in attacks aimed at a single organization involved in industrial manufacturing. At the time, Cisco blocked five backdoor components used in the attacks which took place on the same day, within a 90-minute timeframe.

“During the investigation, we identified several different campaigns believed to be associated with this threat actor involving many other pieces of malware. Many of the domains appear to be suspended presumably due to past malicious activity,” Craig Williams, technical leader for Cisco threat research, wrote in a blog post.

“In fact, during the investigation the threat actor changed the information on some of the domains several times. Luckily, if you monitor whois history you can still view all of this information, including the evasion attempt.  While we were performing the investigation, items like addresses, email addresses, and such were changed, literally, in between browser refreshes.”

Advertisement. Scroll to continue reading.

Cisco’s blog post doesn’t contain any information on the geographical distribution of victims, but the company’s representatives told SecurityWeek that they’re seeing a clear focus on Europe.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.