Security Experts:

Websense Employees Targeted With Fake Raytheon Acquisition Emails

US defense contractor Raytheon announced earlier this month that it’s prepared to acquire network security firm Websense in a $1.9 billion deal. Malicious actors have leveraged this announcement in an attempt to trick Websense employees into installing a piece of malware on their computers.

According to Websense, malicious emails with the subject line “Welcome to join Raytheon” started landing in employees’ inboxes on April 23, just three days after the announcement was made. The body of the emails read, “Welcome to join Raytheon. The password is 123qwe.”

The fake messages, which appeared to come from a raytheon.com email address, carried an archive containing three files: a Kaspersky installer signed with a now invalid Kaspersky certificate (setup.exe), a dynamic-link library file (msi.dll), and a Windows installer (setup.msi).

The Kaspersky setup file is legitimate and it’s designed to load the legitimate msi.dll file from the system during the installation of the security product. However, by placing the malicious msi.dll file in the same directory as the setup.exe file, the attackers ensured that it would get executed. Once executed, the malicious msi.dll would launch the Windows installer.

This technique, known as DLL side-loading, is used by threat actors to avoid detection. The technique was previously used by the advanced persistent threat (APT) actor known as Deep Panda. The group, said to be linked to the Chinese government, is believed to have targeted defense contractors and the healthcare industry, including health insurance giant Anthem. However, the fact that this technique has been used doesn't necessarily mean that a Chinese group is behind the attack.

"While DLL side-loading has been used by groups linked to China such as Deep, there are no clear indicators that allow us to attribute this attack to a given group," Websense told SecurityWeek. "While the DLL Side-Loading technique has made headlines due to groups such as Deep Panda, the vulnerability has been available since 2008 and is not used exclusively by these malicious actors."

The malware used in the attack on Websense is designed to create a registry entry for persistence, send DNS queries to a domain controlled by the attackers, and communicate with a remote server on port 80 via a non-encrypted channel.

Websense says its employees are protected against such threats. Furthermore, the company has pointed out that the bogus emails raised red flags because their subject line was grammatically incorrect, they didn’t contain an introduction to the sender or any branding, the body only consisted of two short sentences, and they had a ZIP file attached to them.

Upon closer investigation, Websense determined that the sender’s address was spoofed -- the email didn’t actually come from a Raytheon domain, but from a Japanese domain.

“The recommendation is to always remain cautious of attachments and links in email and ensure a raised level of alertness during times of acquisition. The attackers will not pass up any opportunity, and it only takes one click to get infected,” Websense warned in a blog post.

While in this particular attack the malicious actors attempted to leverage social engineering and the DLL side-loading technique in an attempt to deliver malware, experts warn that there are other methods that could be used to target Websense and the company’s customers.

The Dutch security firm Securify has identified several vulnerabilities in Websense products. Earlier this month, the company published a video to demonstrate how a malicious actor could remotely exploit a combination of cross-site scripting (XSS) and command injection vulnerabilities in Websense data security products to execute a malicious payload.

Websense has addressed the vulnerabilities reported by Securify, but the Dutch company has pointed out that security bugs in such products can be dangerous.

“Day after day security researcher are finding low-hanging-fruit vulnerabilities in appliances of security vendors that are famous for publishing Cybercrime Trend Reports. The total number of critical findings is concerning especially given that these are security products or are used to enforce security policies. We would expect that these products are built with a big focus on security (SDLC); this is clearly not the case,” Securify co-founder Han Sahin told SecurityWeek.

*Updated with statement from Websense on attribution

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.