
Stealthy ‘Inception’ Attackers Hide Behind Layers of Obfuscation

Researchers at Blue Coat Systems have identified a stealthy cyber-espionage framework that has been used to target organizations around the world.

The framework, dubbed Inception, has been linked to attacks on individuals in industries ranging from oil to finance, as well as on government and military officials. When the attacks began, they focused on targets located in Russia or related to Russian interests. Since then, however, the attacks have spread to other locations around the globe, according to Blue Coat (PDF).

But the most interesting aspect of Inception may not necessarily be the targets, but the sneaky way the attackers went about their business by leveraging home routers and a cloud service for obfuscation.

The attackers have been using a cloud service provider based in Sweden for their main command-and-control infrastructure. The provider offers both free and paid WebDAV cloud storage, and the attackers leverage the WebDAV protocol to send instructions to, and receive exfiltrated data from, compromised systems. This hides the identity of the attacker and can bypass many current detection mechanisms, according to Blue Coat.

“WebDAV is a communication standard that allows file management over HTTP or HTTPS,” Blue Coat researchers noted in their report. “Windows allows WebDAV sessions to be mapped as network resources. The use of WebDAV as the communication channel is atypical for most malware samples we see. By using a network resource, the actual web traffic originates from the system itself, and not from the process in which the malware resides. Additionally, once the resource is established, the malware can transfer files to and from the command and control servers using standard file IO commands.”

To add another layer of obfuscation, the attackers used a proxy network of compromised home routers – most of which are based in South Korea – for their command and control communication. Many of the routers were Tera-EP wireless routers, but other products such as ASUS wireless routers were impacted as well. The attackers were likely able to compromise these devices due to poor configuration or default credentials, Waylon Grange, senior malware researcher at Blue Coat, told SecurityWeek.

“There clearly is a well-resourced and very professional organization behind Inception, with precise targets and intentions that could be widespread and harmful,” he said. “The complex attack framework shows signs of automation and seasoned programming, and the number of layers used to protect the payload of the attack and to obfuscate the identity of the attackers is extremely advanced, if not paranoid. Based on the multiple layers of obfuscation and indirection in the malware, along with the control mechanisms between attacker and target, it is clear the attackers behind Inception are intent on staying in the shadows.”

The attackers used spear phishing emails to hook their victims.

“Initial malware components have, in all cases that Blue Coat has observed, been embedded in Rich Text Format (RTF) files,” according to a blog post by Grange and fellow Blue Coat researcher Snorre Fagerland. “Exploitation of vulnerabilities in this file format is leveraged to gain remote access to victim’s computers. These files are delivered to the victim via phishing emails with exploited Word documents attached. When the user clicks on the attachment, a Word document is displayed to avoid arousing suspicion from the user while malicious content stored inside the document in encoded form writes to their disk. Unusual for many exploit campaigns, the names of the dropped files vary and have been clearly randomized in order to avoid detection by name.”

The malware gathers system information from the infected machine, including the OS version as well as system drive and volume information. All of this system information is encrypted and sent to cloud storage via WebDAV. The framework is designed in such a way that all communication after the malware infection can be performed via the cloud service, Blue Coat explained.

“The malware components of this framework follow a plug-in model, where new malware rely on already existing malware components to interact with the framework,” the researchers blogged. “Without the initial installer, none of the subsequent separate modules will work, and most of these will only exist in memory – vanishing at reboot.”

In addition to PCs, the attackers also created malware designed to target Android, BlackBerry and iOS devices.

Attribution is always hard, and in this case it is exceedingly difficult, Grange told SecurityWeek.

“Based on the attributes of the attack and the targeting of individuals connected with national political, economic and military interests, the party behind Inception could be a medium-sized nation state, or possibly a resourceful and professional private entity,” he said.

Blue Coat recommends that organizations look for unauthorized WebDAV traffic and for regsvr32.exe running continuously in the process list.
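The two indicators Blue Coat recommends above, together with the WebDAV-as-network-resource behaviour the researchers describe earlier (the traffic originates from the Windows WebClient service, not from the malware's own process), can be turned into a small detection routine. The following is an added example, not code from the article or from Blue Coat: it scans constructed proxy log lines for WebDAV requests to hosts outside an allowlist, and scans a constructed process snapshot for regsvr32.exe instances that have stayed alive far longer than a normal DLL registration takes. The log and snapshot formats, the host names and the 10-minute threshold are assumptions; the WebDAV method names (RFC 4918) and the `Microsoft-WebDAV-MiniRedir` User-Agent prefix sent by the Windows WebDAV redirector are real.

```python
"""Added example (not from the Inception report): flag unauthorized WebDAV
traffic and long-lived regsvr32.exe processes from constructed sample data."""
import re
from datetime import datetime

# WebDAV extends HTTP with these methods (RFC 4918). PUT/GET are also used
# for file transfer once a share is mapped, so those are flagged only when
# the request carries the Windows WebDAV redirector's User-Agent.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Real User-Agent prefix of the Windows WebClient service, i.e. the "network
# resource" path described in the article (traffic comes from the OS service).
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir"

# Assumed proxy log format: timestamp client method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Assumed process snapshot format: host pid image-path start-time (ISO 8601)
PROCESS_RE = re.compile(r'^(?P<host>\S+) (?P<pid>\d+) (?P<image>\S+) (?P<started>\S+)$')

# Constructed sample data (not real telemetry).
SAMPLE_PROXY_LOG = [
    '2014-12-09T10:01:02 10.0.0.15 GET http://intranet.example.local/index.html 200 "Mozilla/5.0"',
    '2014-12-09T10:01:05 10.0.0.15 PROPFIND https://files.example.local/share/ 207 "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    '2014-12-09T10:02:10 10.0.0.22 PROPFIND https://storage.invalid/dav/ 207 "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    '2014-12-09T10:02:11 10.0.0.22 PUT https://storage.invalid/dav/sysinfo.bin 201 "Microsoft-WebDAV-MiniRedir/6.1.7601"',
    'garbage line that does not parse',
]
SAMPLE_PROCESS_SNAPSHOT = [
    'WS-022 412 C:\\Windows\\System32\\svchost.exe 2014-12-09T08:00:00',
    'WS-022 3120 C:\\Windows\\System32\\regsvr32.exe 2014-12-09T08:05:00',
    'WS-015 2208 C:\\Windows\\System32\\regsvr32.exe 2014-12-09T10:29:50',
]
SNAPSHOT_TAKEN = datetime(2014, 12, 9, 10, 30, 0)


def parse_proxy_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # Host part of the URL, lower-cased for allowlist comparison.
    entry["host"] = re.sub(r"^https?://", "", entry["url"]).split("/", 1)[0].lower()
    return entry


def is_webdav(entry):
    """A request is WebDAV if it uses a WebDAV method or comes from the redirector."""
    return entry["method"] in WEBDAV_METHODS or entry["ua"].startswith(MINIREDIR_UA)


def find_unauthorized_webdav(lines, allowed_hosts):
    """List (client, host, method) for WebDAV requests to hosts not on the allowlist."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for line in lines:
        entry = parse_proxy_line(line)
        if entry and is_webdav(entry) and entry["host"] not in allowed:
            hits.append((entry["client"], entry["host"], entry["method"]))
    return hits


def find_persistent_regsvr32(snapshot_lines, observed_at, min_age_seconds=600):
    """List (host, pid, age_seconds) for regsvr32.exe alive at least min_age_seconds.

    regsvr32.exe normally registers a DLL and exits within seconds; an instance
    still resident minutes or hours later matches the indicator Blue Coat cites.
    """
    hits = []
    for line in snapshot_lines:
        m = PROCESS_RE.match(line.strip())
        if not m:
            continue
        image_name = m["image"].lower().rsplit("\\", 1)[-1]
        if image_name != "regsvr32.exe":
            continue
        age = int((observed_at - datetime.fromisoformat(m["started"])).total_seconds())
        if age >= min_age_seconds:
            hits.append((m["host"], int(m["pid"]), age))
    return hits


if __name__ == "__main__":
    for client, host, method in find_unauthorized_webdav(SAMPLE_PROXY_LOG, ["files.example.local"]):
        print(f"unauthorized WebDAV: {client} -> {host} ({method})")
    for host, pid, age in find_persistent_regsvr32(SAMPLE_PROCESS_SNAPSHOT, SNAPSHOT_TAKEN):
        print(f"long-lived regsvr32.exe: {host} pid {pid}, alive {age}s")
```

Because the WebClient service issues the requests, matching on the redirector's User-Agent catches the traffic even when the implant itself never opens a socket; the allowlist is what separates sanctioned WebDAV shares from an unexpected cloud storage endpoint. The regsvr32.exe check deliberately keys on process age rather than on the image alone, since short-lived regsvr32.exe invocations are routine on Windows hosts.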
