It is becoming more common for threat actors to shun sophisticated and expensive attack techniques like zero-day vulnerabilities, in favour of extremely targeted social engineering campaigns in combination with known effective malicious techniques.
As a result, they are able to run malicious campaigns that are extremely difficult to detect with regular corporate-grade security solutions, according to Kaspersky Lab researchers.
This shift in how threat actors operate demonstrates that, in general, modern organisations’ IT infrastructure contains enough weaknesses to potentially allow attackers with relatively inexpensive attack toolsets to achieve their criminal goals.
Microcin, a malicious campaign recently researched by Kaspersky Lab specialists, is an example of such an inexpensive but dangerous attack.
The study started when Kaspersky Anti Targeted Attack Platform (KATA) discovered a suspicious RTF file. The file included an exploit (malicious code that abuses a security weakness in widely used software to install additional malicious components) for a known and already patched vulnerability in Microsoft Office.
It is not uncommon for regular cybercriminals to use exploits for known vulnerabilities to infect victims with generic, mass-distributed malware. But, as deeper research showed, this particular RTF file did not belong to another large infection wave, but to a much more sophisticated and highly targeted campaign.
The suspicious spear-phishing document was distributed through sites for a very specific group of people: forums for discussing issues related to obtaining subsidised housing — an exemption available mostly for employees of government and military organisations in Russia and some neighbouring countries.
When the exploit is triggered, malware with a modular structure is installed on the target computer. The module is installed by injecting it into iexplorer.exe, and it is started automatically through DLL hijacking. Both are known and widely used malicious techniques.
Finally, when the main module is installed, some additional modules are downloaded from the command and control server. At least one of them uses steganography — the practice of concealing information within seemingly non-harmful files, like images — yet another known technique for stealthy data transfer.
Once the whole malicious platform has been deployed, the malware searches for files with extensions like .doc, .ppt, .xls, .docx, .pptx, .xlsx, .pdf, .txt and .rtf, which are then packed into a password-protected archive and transferred to the attack operators.
In addition to using known infection and lateral movement techniques, while conducting the operation the attackers actively use known backdoors seen in previous attacks, as well as legitimate tools created for penetration testing, which security solutions do not generally detect as malicious.
“If taken and analysed in parts, this attack is nothing serious,” says Alexey Shulmin, lead malware analyst at Kaspersky Lab. “Almost any component has been well documented by the security industry, and is relatively easy to spot. However, they are combined in a way that makes the attack tricky to detect.
“More importantly, this malicious campaign is not one of a kind. It seems that some cyberespionage threat actors shift their focus from developing hard-to-detect malicious tools, to planning and delivering sophisticated operations, which may not involve complex malware, but still be dangerous.”
To protect their IT infrastructure from attacks like Microcin, Kaspersky Lab experts advise organisations to use security tools that allow the detection of malicious operations, rather than malicious software.
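As an added illustration of detecting the operation rather than any single component (this is example code, not from Kaspersky Lab or the Microcin report), the script below correlates three stages described above on constructed endpoint telemetry: an Office application spawning a child process, the iexplorer.exe process (name taken from the text) loading a DLL from a non-system directory, and an archive being written. Event fields, paths and timestamps are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
HIJACK_HOST = "iexplorer.exe"  # process name as given in the article

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str     # "proc" (child started), "load" (DLL loaded) or "write"
    process: str  # process that generated the event
    target: str   # child process, loaded DLL or written file path

def stage_of(e):
    """Map one event to a stage of the described operation, or None."""
    p, t = e.process.lower(), e.target.lower()
    if e.kind == "proc" and p in OFFICE_APPS:
        return "office_spawn"       # exploited document launching something
    if e.kind == "load" and p == HIJACK_HOST and t.endswith(".dll") \
            and not t.startswith(SYSTEM_DIRS):
        return "dll_hijack"         # DLL loaded from a user-writable location
    if e.kind == "write" and t.endswith(ARCHIVE_EXTS):
        return "archive_staging"    # collected documents packed for transfer
    return None

def correlate(events, window=timedelta(hours=24), min_stages=2):
    """Flag hosts where >= min_stages distinct stages occur within `window`.
    Each stage on its own is noisy; the combination is the signal."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        s = stage_of(e)
        if s:
            by_host.setdefault(e.host, []).append((e.ts, s))
    alerts = {}
    for host, staged in by_host.items():
        for i, (t0, _) in enumerate(staged):
            seen = {s for t, s in staged[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample telemetry: ws-01 shows the full chain, ws-02 only benign noise.
T = datetime(2017, 9, 25, 9, 0)
SAMPLE = [
    Event(T, "ws-01", "proc", "winword.exe", "C:\\Users\\a\\AppData\\Local\\Temp\\upd.exe"),
    Event(T + timedelta(minutes=2), "ws-01", "load", "iexplorer.exe", "C:\\Users\\a\\AppData\\Roaming\\helper.dll"),
    Event(T + timedelta(hours=5), "ws-01", "write", "iexplorer.exe", "C:\\Users\\a\\AppData\\Local\\Temp\\out.rar"),
    Event(T, "ws-02", "load", "iexplorer.exe", "C:\\Windows\\System32\\ieframe.dll"),
    Event(T + timedelta(hours=1), "ws-02", "write", "explorer.exe", "C:\\Users\\b\\Documents\\photos.zip"),
]
```

Running `correlate(SAMPLE)` alerts only on ws-01, where all three stages fall inside the window; the single archive write on ws-02 stays below the threshold.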