Cybersecurity vendor Comodo has announced its tools have defeated an attack against five universities, 23 private companies and several government organisations.
The attack took place a few weeks ago and Comodo has now published details of what happened in a blog post on the Comodo website.
The attack targeted 30 mail servers in total and came from a single IP address in Brazil. It was carried out over a single day and is one of an increasing number of small, targeted attacks. Attacks on this scale may be attempts to stay below detection thresholds, or they may be a way of testing new approaches and techniques before a larger campaign.
What does the malware do?
The blog says that the attackers used a multilayered approach. It began with a phishing email pretending to come from FedEx. As with a number of similar FedEx phishing attacks, it alleged that a parcel couldn’t be delivered and that the user would have to visit the local FedEx store. The recipient was then asked to print out a label that was supposedly stored on Google Drive.
According to the blog, a user clicking on the link would see: “.…the attackers’ site opens in their browser, with malicious file “Lebal copy.exe” to download.” The key here is that the address bar shows “secure”, https and drive.google.com, because the file really is hosted on Google Drive. For most users, even those with some security awareness, this would not raise any alarm. The padlock only attests that the connection to drive.google.com is encrypted and that the domain is genuine; it says nothing about who uploaded the file or what it does.
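The practical consequence of the point above is that a mail-filtering rule cannot key on "is the link https" or "is the domain reputable"; it has to look at what the URL does. The following added example (not code from the Comodo post) extracts links from a constructed email body and flags ones that point at cloud-storage direct-download endpoints. The `drive.google.com/uc?export=download` form is Google Drive's real direct-download URL; the sample message text and file ID are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Rules for cloud-storage direct-download endpoints, keyed by hostname.
# Each rule receives the URL path and parsed query string.
# The Google Drive form is real; other hosts could be added the same way.
DIRECT_DOWNLOAD_RULES = {
    "drive.google.com": lambda path, q: path.startswith("/uc")
    and q.get("export") == ["download"],
    "docs.google.com": lambda path, q: path.startswith("/uc")
    and q.get("export") == ["download"],
}

# Rough URL matcher; trailing punctuation is stripped afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text: str) -> list[str]:
    """Return all http(s) URLs found in free text, without trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def classify_url(url: str) -> str:
    """Classify a URL by what it does, not by whether it uses TLS.

    'cloud-direct-download' means the link hands the browser a file to
    save, which is what the FedEx lure did from a genuine google.com host.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    query = parse_qs(parsed.query)
    rule = DIRECT_DOWNLOAD_RULES.get(host)
    if rule and rule(parsed.path, query):
        return "cloud-direct-download"
    if parsed.scheme == "https":
        return "https-other"
    return "plain-http"


def triage_email(body: str) -> list[tuple[str, str]]:
    """Pair every URL in an email body with its classification."""
    return [(url, classify_url(url)) for url in extract_urls(body)]


# Constructed sample lure in the style of the FedEx message described above.
SAMPLE_BODY = """\
Your parcel could not be delivered. Please print the attached label
and bring it to your local FedEx store:
https://drive.google.com/uc?export=download&id=1AbCdEfGhIjKlMnOp
Track your shipment at https://www.fedex.com/tracking.
"""

if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_BODY):
        print(f"{verdict:22} {url}")
```

Both links in the sample are https and both hostnames are genuine, which is exactly why the browser's padlock is useless as a signal here; only the first one is a direct download, and that is what a gateway rule should quarantine or strip.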
According to Fatih Orhan, the head of Comodo Threat Research Labs: “Phishing emails become more sophisticated and refined. Cybercriminals actively invent new methods to trick users into clicking on a bait link. As we can see from the example above, it is not so easy to distinguish a malicious file or link, even for a cybersecurity aware user.”
A suspicious user who opened the file’s properties would see something amiss. The file has the .exe extension, but the description in its properties claims it is an Adobe document. Windows displays that description, like the icon, from metadata the file’s author controls, so neither can be trusted; the extension and the actual file format can.
The file hides a trojan. Comodo has identified it as TrojWare.Win32.Pony.IENG and TrojWare.MSIL.Injector.~SHI. In addition to OS and application data, these malware variants steal user credentials for email, instant messengers, FTP and cryptocurrency wallets. The malware also attempts to disable security tools on the end-user machine, which leaves the way open for the attackers to install further malware later.
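The check that would have caught “Lebal copy.exe” is to classify a download by its magic bytes rather than by its extension, icon or properties. The following added example (not code from the Comodo post) does that for PE executables and PDFs, and flags double extensions and extension/format mismatches. The sample byte strings are constructed: a minimal MZ/PE header, not the real malware.

```python
import struct

# Constructed stand-in for a Windows executable: an MZ stub whose e_lfanew
# field (offset 0x3C) points at a "PE\0\0" signature at offset 0x80.
FAKE_PE = (
    b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x80)
    + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 16
)
FAKE_PDF = b"%PDF-1.4\n%constructed sample\n"

DOCUMENT_EXTS = {"pdf", "doc", "docx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif"}


def sniff_type(data: bytes) -> str:
    """Identify the real container type from magic bytes, ignoring the name."""
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe-executable"
        return "dos-executable"
    return "unknown"


def check_download(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are.

    Returns the findings and a verdict of 'block' or 'allow'. Anything the
    OS would run as code is blocked regardless of what its properties say.
    """
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = sniff_type(data)
    findings = []

    if actual.endswith("executable"):
        findings.append("file is a Windows executable")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        findings.append("double extension disguises an executable as a document")
    if ext in DOCUMENT_EXTS and actual.endswith("executable"):
        findings.append("extension claims a document but bytes are executable")

    verdict = "block" if actual.endswith("executable") else "allow"
    return {"filename": filename, "actual": actual, "ext": ext,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, data in [("Lebal copy.exe", FAKE_PE), ("label.pdf", FAKE_PDF),
                       ("label.pdf.exe", FAKE_PE), ("label.pdf", FAKE_PE)]:
        r = check_download(name, data)
        print(f"{r['verdict']:5} {name:16} actual={r['actual']} {r['findings']}")
```

The properties dialog the article mentions reads a version-info resource inside the executable; this check never looks at it, which is the point. A gateway or endpoint control that applies the same rule blocks the download whatever the description and icon say.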
What does this mean?
Credential theft is a core activity for a lot of cybercriminals. Users tend to reuse their user IDs and passwords across multiple sites, both business and personal, so a single set of stolen credentials can be used in multiple attacks.
What is interesting about this attack is the effort the attackers put into making it look real. Users who clicked on the link saw what they expected: a genuine Google Drive page over https. As a result, there was nothing obvious to stop them from downloading and then opening the file.
The solution for companies starts with better education of users, helping them understand the risks of opening this type of email and of trusting a padlock or a familiar domain. Because a well-crafted lure will still get past some users, that education needs to be backed by controls that do not depend on the user: blocking executable downloads at the gateway, unique passwords and multi-factor authentication so that harvested credentials are of limited use, and endpoint protection that cannot be disabled by the malware it is meant to stop.