Researchers at FireEye have identified a new targeted attack, currently hitting organizations in Australia, in order to deliver payloads designed to open remote access and steal information.
The malware discovered by FireEye goes to several lengths to remain hidden, and uses a chained process to attack its victim. According to FireEye, the victims in this attack were hand picked, with the opening stage of the attack itself coming via email.
The companies being targeted were selected for unknown reasons, but the attackers are using malicious URLs embedded within the emails that link to a C&C (Command and Control) domain that uses the name of the victim or the name of a current project that is being worked on as an attempt at legitimacy.
Once the victim visits one of the C&C domains, the host revives instructions as “base64 encoded strings using a custom character set, which is further scrambled using a custom-scrambling algorithm,” FireEye reported.
After that, a base64-encoded executable embedded in an HTML page is downloaded and ran on the host.
“In our experiment, since the CnC was not responding, we supplied an encoded notepad.exe in the response. The malware successfully decoded notepad.exe and launched it as setup.exe on the compromised machine,” FireEye explained.
“We have observed many variants of this malware; some even try sending hostname and IP address information back to its CnC as part of its User-Agent string in the GET request. One of the variants we observed had “IPhone 8.5” in the UA string, which we found interesting.”
It’s worth mentioning that FireEye’s findings included a list of malware that was previously disclosed by Mandiant in their APT1 report. An indexed list of the APT1 malware can be seen here.