
Websense Employees Targeted With Fake Raytheon Acquisition Emails

US defense contractor Raytheon announced earlier this month that it’s prepared to acquire network security firm Websense in a $1.9 billion deal. Malicious actors have leveraged this announcement in an attempt to trick Websense employees into installing a piece of malware on their computers.

According to Websense, malicious emails with the subject line “Welcome to join Raytheon” started landing in employees’ inboxes on April 23, just three days after the announcement was made. The body of the emails read, “Welcome to join Raytheon. The password is 123qwe.”

The fake messages, which appeared to come from a Raytheon email address, carried an archive containing three files: a Kaspersky installer signed with a now invalid Kaspersky certificate (setup.exe), a dynamic-link library file (msi.dll), and a Windows installer (setup.msi).

The Kaspersky setup file is legitimate and it’s designed to load the legitimate msi.dll file from the system during the installation of the security product. However, by placing the malicious msi.dll file in the same directory as the setup.exe file, the attackers ensured that it would get executed. Once executed, the malicious msi.dll would launch the Windows installer.

This technique, known as DLL side-loading, abuses the fact that a trusted, signed executable looks in its own directory for a DLL before it looks in the system directory, so the malicious code runs under the legitimate program's name and is more likely to avoid detection. The technique was previously used by the advanced persistent threat (APT) actor known as Deep Panda. The group, said to be linked to the Chinese government, is believed to have targeted defense contractors and the healthcare industry, including health insurance giant Anthem. However, the fact that this technique has been used doesn’t necessarily mean that a Chinese group is behind the attack.

“While DLL side-loading has been used by groups linked to China such as Deep, there are no clear indicators that allow us to attribute this attack to a given group,” Websense told SecurityWeek. “While the DLL Side-Loading technique has made headlines due to groups such as Deep Panda, the vulnerability has been available since 2008 and is not used exclusively by these malicious actors.”

The malware used in the attack on Websense is designed to create a registry entry for persistence, send DNS queries to a domain controlled by the attackers, and communicate with a remote server on port 80 via a non-encrypted channel.
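The behaviours described above (a system DLL name loaded from the installer's own directory, a Run-key entry for persistence, a DNS query and a cleartext connection on port 80) can be turned into a simple host-based correlation. The script below is an added example for this article, not code from Websense, Raytheon or SecurityWeek; it runs over constructed Sysmon-style event records, and the field names, process GUIDs, paths, domain and IP address are assumptions made for the example.

```python
"""Correlate side-loading, persistence and outbound-traffic signals per process.
Added illustration: event schema and sample events are constructed, not real telemetry."""
import ntpath
from collections import defaultdict

# Constructed, non-exhaustive list of DLL names Windows normally loads from System32.
# A real deployment would derive this from a golden image of the OS build in use.
SYSTEM_DLLS = {"msi.dll", "version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
RUN_KEY_FRAGMENT = r"\microsoft\windows\currentversion\run"


def sideload_signal(ev):
    """Flag a system-DLL name loaded from the executable's own directory, not System32."""
    if ev["type"] != "image_load":
        return None
    dll = ev["image_loaded"].lower()
    name, dll_dir = ntpath.basename(dll), ntpath.dirname(dll)
    if name not in SYSTEM_DLLS or dll_dir.startswith(SYSTEM_DIRS):
        return None
    if dll_dir == ntpath.dirname(ev["image"].lower()):
        return f"side-load of {name} from {dll_dir}"
    return None


def persistence_signal(ev):
    """Flag a value written under a CurrentVersion\\Run key."""
    if ev["type"] == "registry_set" and RUN_KEY_FRAGMENT in ev["target"].lower():
        return f"Run-key persistence: {ev['target']}"
    return None


def network_signal(ev):
    """Flag DNS lookups and cleartext TCP/80 connections; benign alone, telling in context."""
    if ev["type"] == "dns_query":
        return f"DNS query for {ev['query']}"
    if ev["type"] == "network_connect" and ev["dst_port"] == 80:
        return f"cleartext TCP/80 connection to {ev['dst_ip']}"
    return None


def correlate(events):
    """Group signals by process GUID. Side-loading alone is 'medium'; side-loading
    followed by persistence or outbound traffic from the same process is 'high'.
    Processes that only make DNS queries or port-80 connections produce no finding."""
    signals = defaultdict(list)
    for ev in events:
        for fn in (sideload_signal, persistence_signal, network_signal):
            sig = fn(ev)
            if sig:
                signals[ev["process_guid"]].append(sig)
    findings = {}
    for guid, sigs in signals.items():
        sideloaded = any(s.startswith("side-load") for s in sigs)
        if sideloaded and len(sigs) > 1:
            findings[guid] = ("high", sigs)
        elif sideloaded:
            findings[guid] = ("medium", sigs)
    return findings


# Constructed sample: process A mirrors the chain in the article; B is a legitimate
# msiexec load of msi.dll from System32; C is an ordinary port-80 client.
SAMPLE_EVENTS = [
    {"type": "image_load", "process_guid": "A",
     "image": r"C:\Users\alice\Downloads\raytheon\setup.exe",
     "image_loaded": r"C:\Users\alice\Downloads\raytheon\msi.dll"},
    {"type": "image_load", "process_guid": "B",
     "image": r"C:\Windows\System32\msiexec.exe",
     "image_loaded": r"C:\Windows\System32\msi.dll"},
    {"type": "registry_set", "process_guid": "A",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "dns_query", "process_guid": "A", "query": "update.example.invalid"},
    {"type": "network_connect", "process_guid": "A", "dst_ip": "198.51.100.23", "dst_port": 80},
    {"type": "network_connect", "process_guid": "C", "dst_ip": "198.51.100.5", "dst_port": 80},
]

if __name__ == "__main__":
    for guid, (severity, sigs) in correlate(SAMPLE_EVENTS).items():
        print(guid, severity)
        for s in sigs:
            print("   ", s)
```

The directory comparison is what separates side-loading from normal operation: msiexec.exe loading msi.dll from System32 is expected, while an installer in a Downloads folder loading a DLL of the same name from its own folder is not. DLLs on the KnownDLLs list are always resolved from System32 and can be excluded from `SYSTEM_DLLS` to cut noise.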


Websense says its employees are protected against such threats. Furthermore, the company has pointed out that the bogus emails raised red flags because their subject line was grammatically incorrect, they didn’t contain an introduction to the sender or any branding, the body only consisted of two short sentences, and they had a ZIP file attached to them.

Upon closer investigation, Websense determined that the sender’s address was spoofed — the email didn’t actually come from a Raytheon domain, but from a Japanese domain.
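The red flags listed above, together with the spoofed sender domain, are the kind of checks a mail gateway or triage script can apply automatically. The script below is an added example for this article, not code from Websense or SecurityWeek; it parses a constructed message with Python's standard `email` package and reports each indicator it finds. The domains (`acquirer.example`, `unrelated.example.jp`, `target.example`), the attachment name and the Authentication-Results value are placeholders chosen for the example.

```python
"""Heuristic triage of an inbound message for the indicators described in the article.
Added illustration: the sample message and all domains are constructed placeholders."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

ARCHIVE_EXTS = (".zip", ".rar", ".7z")
GREETINGS = ("hi", "hello", "dear", "good morning", "good afternoon")


def sender_domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw_bytes):
    """Return a list of human-readable red flags for the message (empty means none found)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    flags = []

    # Header-from domain should match the envelope sender; a mismatch is how the
    # spoofed Raytheon address in the article would have been caught.
    from_dom = sender_domain(msg.get("From", ""))
    rp_dom = sender_domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        flags.append(f"From domain {from_dom} differs from envelope sender domain {rp_dom}")

    # Honour the receiving MTA's SPF/DMARC verdict when one is recorded.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        flags.append("sender authentication (SPF/DMARC) failed")

    # Archive attachments are the delivery vehicle described in the article.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(ARCHIVE_EXTS):
            flags.append(f"archive attachment: {filename}")

    # Body heuristics: very short, no greeting or introduction, password supplied inline.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body else ""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    if len(sentences) <= 2:
        flags.append(f"body is only {len(sentences)} sentence(s)")
    if not text.lower().startswith(GREETINGS):
        flags.append("no greeting or sender introduction")
    if re.search(r"\bpassword is\s+\S+", text, re.IGNORECASE):
        flags.append("attachment password supplied in the message body")
    return flags


def build_sample():
    """Constructed message modelled on the one described in the article."""
    m = EmailMessage()
    m["From"] = "HR <hr@acquirer.example>"
    m["To"] = "employee@target.example"
    m["Return-Path"] = "<bounce@unrelated.example.jp>"
    m["Authentication-Results"] = "mx.target.example; spf=fail smtp.mailfrom=unrelated.example.jp"
    m["Subject"] = "Welcome to join Acquirer"
    m.set_content("Welcome to join Acquirer. The password is 123qwe.")
    # Payload bytes are a constructed stub, not a real archive.
    m.add_attachment(b"PK\x03\x04 constructed stub", maintype="application",
                     subtype="zip", filename="welcome.zip")
    return m.as_bytes()


if __name__ == "__main__":
    for flag in triage(build_sample()):
        print("-", flag)
```

None of these indicators is conclusive on its own (plenty of legitimate mail carries a ZIP file or a short body), which is why the function returns the full list rather than a verdict: the combination of a failed sender check, an archive attachment and a password handed over in the body is what should route the message to quarantine or a human reviewer.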

“The recommendation is to always remain cautious of attachments and links in email and ensure a raised level of alertness during times of acquisition. The attackers will not pass up any opportunity, and it only takes one click to get infected,” Websense warned in a blog post.

While in this particular attack the malicious actors combined social engineering with the DLL side-loading technique to deliver malware, experts warn that there are other methods that could be used to target Websense and the company’s customers.

The Dutch security firm Securify has identified several vulnerabilities in Websense products. Earlier this month, the company published a video to demonstrate how a malicious actor could remotely exploit a combination of cross-site scripting (XSS) and command injection vulnerabilities in Websense data security products to execute a malicious payload.

Websense has addressed the vulnerabilities reported by Securify, but the Dutch company has pointed out that security bugs in such products can be dangerous.

“Day after day security researchers are finding low-hanging-fruit vulnerabilities in appliances of security vendors that are famous for publishing Cybercrime Trend Reports. The total number of critical findings is concerning especially given that these are security products or are used to enforce security policies. We would expect that these products are built with a big focus on security (SDLC); this is clearly not the case,” Securify co-founder Han Sahin told SecurityWeek.

*Updated with statement from Websense on attribution

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
