
Multi-Stage Attacks Target Service Centers in Russia

Fortinet security researchers recently observed a series of cyber-attacks targeting Russian service centers offering maintenance and support for various electronic goods.

The attacks stand out because of their multi-stage structure and are believed to have been launched by a non-Russian actor. The attackers used spear-phishing emails carrying malicious Office documents that exploit CVE-2017-11882, a 17-year-old vulnerability in Office’s Equation Editor that Microsoft manually patched in October last year.

The targeted attack started at the end of March with spear-phishing emails received at a service company that repairs Samsung’s electronic devices. Pretending to come from representatives of Samsung, the emails specifically targeted this organization, were written in Russian, and contained a file named Symptom_and_repair_code_list.xlsx, related to the targeted company’s profile.

The emails were likely produced by machine translation rather than written by a native Russian speaker, the security researchers reveal. Furthermore, the email headers showed that the sender’s IP address was unrelated to the domain in the “From” field.
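The header inconsistency the researchers noticed is something a mail gateway or analyst can check mechanically. The following is an added example, not code from the article or from Fortinet: it compares the domain of the host that handed the message to the receiving relay (recorded in the outermost `Received:` header) with the domain in `From:`. It assumes the receiving server writes `Received:` lines in the common `from <helo> (<rdns> [<ip>])` form; the sample messages, hostnames and addresses are constructed and use the reserved `.example` TLD.

```python
"""Added example (editor's own, not from the article or Fortinet): flag a
message whose first-hop sending host does not belong to the From: domain.
Assumes the receiving relay records 'from <helo> (<rdns> [<ip>])' lines."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed sample: a lure in the style described above, relayed from a host
# unrelated to the claimed sender domain (all names and addresses are made up).
SUSPICIOUS_MAIL = """Received: from mx7.bulk-sender.example (mx7.bulk-sender.example [203.0.113.7])
\tby mail.repair-shop.example with ESMTP id 4F2A1
\tfor <support@repair-shop.example>; Thu, 29 Mar 2018 10:12:01 +0300
From: "Samsung Service" <service@samsung-partner.example>
To: support@repair-shop.example
Subject: Symptom and repair code list

Please see the attached list.
"""

# Constructed control case: the same message relayed from the claimed domain.
CONSISTENT_MAIL = SUSPICIOUS_MAIL.replace(
    "mx7.bulk-sender.example", "mx1.samsung-partner.example"
)

# 'from <helo> (<reverse-dns> [<ip>])' as written by most MTAs.
RECEIVED_FROM = re.compile(r"^from\s+\S+\s*\(([^\s\[\)]+)\s*\[([^\]]+)\]", re.IGNORECASE)


def registrable(host: str) -> str:
    """Crude 'domain.tld' reduction; a real deployment would use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def from_domain(msg: Message) -> str:
    """Registrable domain of the address in the From: header."""
    _, addr = parseaddr(msg.get("From", ""))
    return registrable(addr.rpartition("@")[2])


def first_hop(msg: Message) -> Optional[Tuple[str, str]]:
    """Return (reverse-DNS name, IP) from the Received: line closest to the sender.

    Relays prepend Received: headers, so the last one in the list is the oldest."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_FROM.match(received[-1].strip())
    return (match.group(1), match.group(2)) if match else None


def sender_mismatch(raw: str) -> bool:
    """True when the first-hop host's domain differs from the From: domain."""
    msg = message_from_string(raw)
    hop = first_hop(msg)
    if hop is None:
        return False  # nothing to compare; leave the verdict to SPF/DMARC
    return registrable(hop[0]) != from_domain(msg)


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MAIL), ("consistent", CONSISTENT_MAIL)):
        print(f"{label}: hop={first_hop(message_from_string(raw))} mismatch={sender_mismatch(raw)}")
```

A mismatch here is a triage signal, not proof of spoofing: legitimate mail is often relayed through third-party providers. SPF, DKIM and DMARC results remain the authoritative check; this heuristic is useful precisely for senders, like the ones in this campaign, that publish none.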

The attackers used different attachments for each email, but all messages had seemingly legitimate .XLSX files attached. Furthermore, all of the documents contained an exploit for the CVE-2017-11882 vulnerability.

The shellcode used in the attacks first locates the LoadLibraryA and GetProcAddress functions, which it then uses to resolve the other imports it needs to run the final payload, including the function used to determine where the downloaded payload should be stored.

The payload is protected by several layers of different packers. The outer layer uses the well-known ConfuserEx packer to obfuscate the names of objects, methods, and resources. From these resources, it reads the next-stage payload, which is encrypted with DES, decrypts it, and executes the decrypted file.

The decrypted file, named BootstrapCS, is the second stage of the multi-layer protection. While not obfuscated, it contains multiple anti-analysis checks, with the structure “settings” in the resources section determining which checks should be performed.

This stage can check for various emulation, sandbox, and virtual machine tools, and also searches for and shuts down specified processes, in addition to disabling system utilities. It also writes the payload path to startup registry keys, hides the file with system and hidden attributes, and injects the payload in various processes.

A binary resource named mainfile holds the encrypted stage 3 of the payload. It is an executable protected by the third layer of packing: a simple XOR with KEY = 0x20. The decrypted payload is injected into a process chosen according to the value in the settings resource.
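Because stage 3 is only XOR-protected, an analyst can recover it without running the sample. The following is an added example, written for this page and not taken from Fortinet or from the malware: it unpacks a resource with the single-byte XOR described above (KEY = 0x20), confirms that the result has a valid PE header before it is handed to a sandbox, and, going one step beyond the text, brute-forces the key when it is not known. The encrypted resource it operates on is a constructed stand-in, not a real sample.

```python
"""Added example (editor's own, not Fortinet's or the malware author's code):
unpack a resource protected with a single-byte XOR (KEY = 0x20 as reported
for 'mainfile') and verify that the result is a PE file."""
import struct
from typing import Optional

XOR_KEY = 0x20  # key reported for the "mainfile" resource


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both packs and unpacks."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def guess_single_byte_key(data: bytes) -> Optional[int]:
    """Try all 256 keys and return the first that yields a valid PE header."""
    for key in range(256):
        if looks_like_pe(xor_decode(data, key)):
            return key
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a payload: DOS header, e_lfanew = 0x40, PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\x00" * 20


# Constructed stand-in for the encrypted "mainfile" resource (not a real sample).
ENCRYPTED_RESOURCE = xor_decode(build_sample_pe(), XOR_KEY)


if __name__ == "__main__":
    key = guess_single_byte_key(ENCRYPTED_RESOURCE)
    if key is None:
        print("no single-byte XOR key produces a PE header")
    else:
        decoded = xor_decode(ENCRYPTED_RESOURCE, key)
        print(f"recovered key {key:#04x}; PE header valid: {looks_like_pe(decoded)}")
```

The PE check is deliberately minimal: it validates the two signatures and nothing else, which is enough to tell a correct key from the 255 wrong ones but not to vouch for the file. Anything recovered this way should still go through a proper PE parser and a sandbox, since the stage described here is itself only a loader for the next layer.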

Stage 3 of the payload references a commercial Remote Administration Tool (RAT) called Imminent Monitor, which anyone can purchase directly from the developer (who apparently prohibits malicious use of the program). At stage 4, the security researchers once again encountered ConfuserEx.

The main payload of the attack, however, turned out to be the commercial version of the Imminent Monitor RAT, which includes five modules to record videos using the victim’s webcam, to spy on victims, and to control their machines.

The command and control (C&C) servers used in these attacks led the researchers to discover 50 domains registered on the same day, some of which were used to spread malware, while others for phishing attacks. The researchers also discovered older .XLSX samples that use the same C&C but attempt to exploit different vulnerabilities.

“We also noticed that the pattern of these attacks has become quite popular today. The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years. It is simply not that easy to trick a user into opening an executable file as it was before. Exploits are a different case,” Fortinet concludes.

Related: Zyklon Malware Delivered via Recent Office Flaws

Related: Macro-Based Multi-Stage Attack Delivers Password Stealer

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
