Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

FireEye Details Malware Attack Targeting Russian Interests

Researchers from FireEye shared details on Monday of an attack that appears to be after targets in Russia, and seems to be originating from an attacker in Korea.

Researchers from FireEye shared details on Monday of an attack that appears to be after targets in Russia, and seems to be originating from an attacker in Korea.

According to FireEye, the attack is rather standard, and is delivered by a malicious Microsoft Word document attached to an email. The exploit drops an executable, which then drops another .EXE and two .DLLs. These files then “create multiple components that aggravate AV detection and cleanup,” FireEye said. A clean, legitimate document is embedded inside the malicious document, and launched after the exploit is successful, FireEye added.

Cyber Attacks Targeting RussiaFireEye named the malware “Sanny” for the simple reason that an email address used by the attacker was “[email protected]om”.

The document was targeting users whose language is in the Cyrillic character set which is used in Russia, but also by many millions of users in Europe and Asia. In 2011 approximately 252 million people in Europe and Asia used Cyrillic—about half of those being in Russia. 

From what FireEye researchers can see, compromised systems appear to be a mix of malware analysts and legitimate users, indicating that the malware has popped up on the radar screens of other security firms as well.

Security Resource: Download the Advanced Malware Survival Kit

During their analysis, FireEye researchers combed through the full list of IP addresses scraped from the victim logs. Some of them are AV companies or security researchers, they said, but the majority are believed to be real victims in Russia. Based on what was found, targets appear to include Russian Space Research, information, education and telecommunications industries.

The malware is stealing many different types of passwords/credentials from victims’ machines, including the extraction of MS Outlook accounts and accounts data, along with stealing username/passwords that Firefox remembers for different web services such as Hotmail, Facebook, etc.

The command and control channel is embedded on “nboard.net”, a legitimate Korean message board, FireEye said. The malware also contains a fallback mechanism so that if the message board is unavailable, it attempts to check mail connectivity through a Korean Yahoo! mail server.

“At another segment we observed malware stealing username/passwords that Firefox remembers Apart from stealing different types of credentials, it also profiles the victims, e.g., collecting the victim_locale, victim_region, and other relevant information,” FireEye researchers Alex Lanstein and Ali Islam noted in the blog post.

In any attack, attribution is always challenging, but FireEye has strong reasons to believe that this attack originated from Korea, or at least that the author of the malware is well versed in the Korean language. To start, the SMTP mail server and Command and Control server are in Korea. Additionally, Korean fonts “Batang” and “KP CheongPong” were used in the document. Furthermore, the attacker used a Korean message board as the C&C, indicating that it’s likely that either he or she is a native speaker or is at least comfortable with the Korean language, FireEye noted.

“The attacker is continuously monitoring the CnC to check new victims and their stolen data,” the researchers noted. “It looks like the attacker has a two-day cycle, i.e., after every two days, he/she collects the stolen data and deletes it from the CnC server. In the last five days, the attacker collected and deleted the data three times approximately after every two days.”

The command and control server was still operational and and receiving data from different victims as of Monday.

Related Resource: Download the Advanced Malware Survival Kit

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.