A threat actor active since at least 2017 has been mainly targeting victims with information stealers and remote access Trojans (RATs), Cisco’s Talos security researchers explain.
Referred to as SWEED, the group has been observed using malware such as Formbook, Lokibot and Agent Tesla, consistently distributing those via spear-phishing emails with malicious attachments across its campaigns.
One of the earliest identified SWEED operations leveraged droppers inside ZIP archives to distribute a packed version of the Agent Tesla spyware. Steganography was used to decode a .NET executable that used the same technique to retrieve the final payload, Talos reveals.
In early 2018, the actor was using Java-based droppers to obtain information about the target system and facilitate the download of Agent Tesla.
In April last year, the actor started employing an exploit for the Office vulnerability tracked as CVE-2017-8759. A PowerPoint document (PPXS) containing code to trigger the remote code execution vulnerability in Microsoft .NET Framework was used.
In May 2018, SWEED switched to abusing another vulnerability in Office, namely CVE-2017-11882. The bug affects the Equation Editor, a decades-old tool present in the suite.
This year, the actor was observed leveraging malicious macros in Office documents to deliver malware. Spear-phishing emails and malicious attachments continue to be used as part of the infection process, with an obfuscated VBA macro used to execute a PowerShell script that performs some checks and then downloads an AutoIT-compiled script that performs more checks and delivers Agent Tesla.
Across several of its campaigns, SWEED also used various techniques to bypass User Account Control (UAC) on the infected systems. In a campaign launched this year, a registry key pointing to the malware is created at first, then a Windows process running as high integrity is executed to use the key and bypass UAC.
The threat actor appears to be using a limited command and control (C&C) infrastructure, with the same servers repurposed across many different attacks, over long periods of time. An RDP server believed to have been actively leveraged by SWEED is being used in a multi-user capacity, the researchers note.
DDNS domains leveraged to facilitate connectivity to the shared RDP server have been also identified, along with a domain used to exfiltrate sensitive information collected by Agent Tesla, all of which show similar patterns of operation.
Several other domains that appear associated with various malware families and distribution campaigns resolve to the same server, Talos reveals. SWEED has been also observed using typosquatting for the domains hosting Agent Tesla binaries.
The group does not appear to have a geographic focus when choosing targets, as it hits companies all over the world. However, the actor appears focused on manufacturing and logistics organizations.
The security researchers were also able to identify online accounts apparently associated with the SWEED actor and customers. Eventually, they found the Skype and LinkedIn accounts of a person in Nigeria who might be a key member of the group.
“Currently, SWEED is actively targeting small and medium-sized companies around the world. Based on the TTPs used by this group, SWEED should be considered a relatively amateur actor. They use well-known vulnerabilities, commodity stealers and RATs (Pony, Formbook, UnknownRAT, Agent Tesla, etc.) and appear to rely on kits readily available on hacking forums. We assess that SWEED also does not have effective operational security,” Talos concludes.
Related: LokiBot and NanoCore Malware Distributed in ISO Image Files
