SecurityWeek

Cyberwarfare

Stealthy ‘Inception’ Attackers Hide Behind Layers of Obfuscation

Researchers at Blue Coat Systems have identified a stealthy cyber-espionage framework that has been used to target organizations around the world.

The framework, dubbed Inception, has been linked to attacks on individuals in industries ranging from oil to finance, as well as on government and military officials. When the attacks began, they focused on targets located in Russia or connected to Russian interests. Since then, however, the attacks have spread to other locations around the globe, according to Blue Coat's report (PDF).

The most notable aspect of Inception, however, may not be the targets but the way the attackers hid their infrastructure: command and control runs through a legitimate cloud service, reached via a proxy network of compromised home routers.

The attackers have been using CloudMe.com, a cloud service provider based in Sweden, as their main command-and-control infrastructure. CloudMe.com offers both free and paid WebDAV cloud storage, and the attackers use the WebDAV protocol to deliver instructions to compromised systems and to collect the data exfiltrated from them. Because the traffic goes to a legitimate storage provider rather than to attacker-owned servers, this hides the identity of the attacker and can bypass many current detection mechanisms, according to Blue Coat.

“WebDAV is a communication standard that allows file management over HTTP or HTTPS,” Blue Coat researchers noted in their report. “Windows allows WebDAV sessions to be mapped as network resources. The use of WebDAV as the communication channel is atypical for most malware samples we see. By using a network resource, the actual web traffic originates from the system itself, and not from the process in which the malware resides. Additionally, once the resource is established, the malware can transfer files to and from the command and control servers using standard file IO commands.”

To add another layer of obfuscation, the attackers used a proxy network of compromised home routers – most of which are based in South Korea – for their command and control communication. Many of the routers were Tera-EP wireless routers, but other products such as ASUS wireless routers were impacted as well. The attackers were likely able to compromise these devices due to poor configuration or default credentials, Waylon Grange, senior malware researcher at Blue Coat, told SecurityWeek.

“There clearly is a well-resourced and very professional organization behind Inception, with precise targets and intentions that could be widespread and harmful,” he said. “The complex attack framework shows signs of automation and seasoned programming, and the number of layers used to protect the payload of the attack and to obfuscate the identity of the attackers is extremely advanced, if not paranoid. Based on the multiple layers of obfuscation and indirection in the malware, along with the control mechanisms between attacker and target, it is clear the attackers behind Inception are intent on staying in the shadows.”

The attackers used spear phishing emails to hook their victims.

“Initial malware components have, in all cases that Blue Coat has observed, been embedded in Rich Text Format (RTF) files,” according to a blog post by Grange and fellow Blue Coat researcher Snorre Fagerland. “Exploitation of vulnerabilities in this file format is leveraged to gain remote access to victim’s computers. These files are delivered to the victim via phishing emails with exploited Word documents attached. When the user clicks on the attachment, a Word document is displayed to avoid arousing suspicion from the user while malicious content stored inside the document in encoded form writes to their disk. Unusual for many exploit campaigns, the names of the dropped files vary and have been clearly randomized in order to avoid detection by name.”

The malware gathers system information from the infected machine, including the OS version as well as system drive and volume information. All of this system information is encrypted and sent to cloud storage via WebDAV. The framework is designed in such a way that all communication after the malware infection can be performed via the cloud service, Blue Coat explained.

“The malware components of this framework follow a plug-in model, where new malware rely on already existing malware components to interact with the framework,” the researchers blogged. “Without the initial installer, none of the subsequent separate modules will work, and most of these will only exist in memory – vanishing at reboot.”

In addition to PCs, the attackers created malware designed to target Android, BlackBerry and iOS devices.

Attribution is always hard, and in this case it is exceedingly difficult, Grange told SecurityWeek.

“Based on the attributes of the attack and the targeting of individuals connected with national political, economic and military interests, the party behind Inception could be a medium-sized nation state, or possibly a resourceful and professional private entity,” he said.

Blue Coat recommends that organizations look for unauthorized WebDAV traffic and for regsvr32.exe running continuously in the process list.
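The two indicators Blue Coat recommends watching, and the WebDAV channel described earlier in the article, can be checked with a short script. The example below is added here and is not code from Blue Coat's report or from the article. It runs over constructed proxy log lines and a constructed process snapshot; the log format, the allowlisted SharePoint host, the stand-in hostname webdav.example.net and the ten-minute regsvr32.exe age threshold are all assumptions made for the example. The WebDAV-only method set is the one defined in RFC 4918.

```python
import re
from datetime import datetime, timedelta

# HTTP methods that exist only in WebDAV (RFC 4918). Ordinary browsing never
# emits them, so any of these toward an unexpected host is worth a look.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Hosts where WebDAV traffic is expected. Assumption for this example: one
# internal SharePoint host; a real allowlist comes from the asset inventory.
WEBDAV_ALLOWLIST = {"sharepoint.corp.example"}

# Constructed proxy log format (assumption):
#   "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log lines. webdav.example.net stands in for the attacker's
# cloud storage account (the report names CloudMe.com in the real campaign).
SAMPLE_PROXY_LOG = [
    "2014-12-10T09:14:02Z 10.0.0.12 GET http://www.example.com/index.html 200",
    "2014-12-10T09:14:05Z 10.0.0.12 PROPFIND https://sharepoint.corp.example/sites/finance/ 207",
    "2014-12-10T09:15:11Z 10.0.0.37 PROPFIND https://webdav.example.net/c2/ 207",
    "2014-12-10T09:15:12Z 10.0.0.37 PUT https://webdav.example.net/c2/a91f.bin 201",
    "2014-12-10T09:15:40Z 10.0.0.37 GET https://webdav.example.net/c2/task.dat 200",
    "this line is not in the expected format",
]


def host_of(url):
    """Return the lower-cased host part of an http(s) URL, without scheme, path or port."""
    stripped = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    return stripped.split("/", 1)[0].split(":")[0].lower()


def parse_proxy_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["host"] = host_of(rec["url"])
    return rec


def find_unauthorized_webdav(lines):
    """Group requests by (client, host) and report every pair that used a WebDAV-only
    method against a host outside the allowlist. All methods seen for the pair are
    returned, so the PUT/GET file transfers riding on the same mapped share show up
    next to the PROPFIND that gives the session away."""
    sessions = {}
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        sessions.setdefault((rec["client"], rec["host"]), set()).add(rec["method"])
    return {
        key: sorted(methods)
        for key, methods in sessions.items()
        if methods & WEBDAV_METHODS and key[1] not in WEBDAV_ALLOWLIST
    }


def find_persistent_regsvr32(processes, now, max_age=timedelta(minutes=10)):
    """regsvr32.exe normally registers or unregisters a COM DLL and exits within
    seconds. A copy still alive after max_age (threshold is an assumption) matches the
    'continuously running' indicator from the report. Returns the offending PIDs."""
    return [
        p["pid"]
        for p in processes
        if p["name"].lower() == "regsvr32.exe" and now - p["start"] > max_age
    ]


# Constructed process snapshot; a real one would come from a tasklist or Get-Process export.
NOW = datetime(2014, 12, 10, 9, 30, 0)
SAMPLE_PROCESSES = [
    {"pid": 620, "name": "svchost.exe", "start": NOW - timedelta(hours=6)},
    {"pid": 3988, "name": "regsvr32.exe", "start": NOW - timedelta(seconds=3)},
    {"pid": 4120, "name": "regsvr32.exe", "start": NOW - timedelta(hours=2)},
]

if __name__ == "__main__":
    for (client, host), methods in find_unauthorized_webdav(SAMPLE_PROXY_LOG).items():
        print(f"WebDAV to non-allowlisted host: {client} -> {host} methods={methods}")
    for pid in find_persistent_regsvr32(SAMPLE_PROCESSES, NOW):
        print(f"long-running regsvr32.exe: pid {pid}")
```

The detection is keyed on client IP and host rather than on process because of the property the Blue Coat quote describes: when a WebDAV share is mapped as a network resource on Windows, the HTTP requests are issued by the WebClient service (hosted in svchost.exe), not by the implant, so endpoint per-process network attribution points at a system process. A web proxy or egress gateway that logs the HTTP method is the vantage point from which the PROPFIND/PUT/GET pattern is visible. The regsvr32.exe check stands alone: a legitimate instance lives for seconds, so one with hours of uptime warrants inspecting what it loaded.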

Written By

Marketing professional with a background in journalism and a focus on IT security.
