Researchers from Blue Coat Systems said on Wednesday that they have identified an online attack framework that is being used in highly targeted attacks on executives in industries like oil, finance and engineering as well as military officers, diplomats and government officials.
The attacks are designed to steal sensitive information and Blue Coat, in a report, said that the attackers went to extreme lengths to cover their tracks: routing all communications between the hackers and the compromised systems they controlled through a “convoluted network of router proxies and rented hosts” in countries like South Korea.
The framework, dubbed “Inception,” is global in scope, but appears to have started out targeting individuals in Russia. Attacks spread via phishing e-mail messages that contained malicious attachments, including key logging tools and remote access Trojan horse programs, Blue Coat said. The company has released a full report on the incident, which can be found here (PDF).
The attacks date to late August and made use of exploits for two known vulnerabilities: a Rich Text Format (RTF) vulnerability (CVE-2014-1761) affecting Microsoft’s Word program, which was revealed in March 2014, and another vulnerability, CVE-2012-0158, that was commonly exploited in targeted attacks. On the back end, the attackers leveraged a cloud-based hosting service, CloudMe, to store configuration and other files related to the malware.
According to Blue Coat, the attack began by targeting executives in the finance sector in Russia as well as oil and energy industry executives in countries like Romania, Venezuela and Mozambique. Embassies and diplomats from a variety of countries were targeted, as well, Blue Coat reported.
Phishing e-mails sent to the targeted individuals included photos harvested from Russian language web sites and attachments with names like photo.doc. Opening the documents launched code exploiting the two vulnerabilities, CVE-2012-0158, an ActiveX buffer overflow, and CVE-2014-1761.
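The lure described above is an RTF exploit document delivered under a Word-looking name such as photo.doc. One defensive check a mail gateway or triage script can run is to compare an attachment's extension against its actual content and flag RTF files carrying embedded OLE objects. The following is an added example written for this article, not code from Blue Coat or its report; the sample attachments are constructed, and the two heuristics (extension/content mismatch and the presence of the RTF `\objdata` control word, which carries embedded OLE object data) are this example's own assumptions, not indicators taken from the report.

```python
import re

# Constructed sample attachments (not taken from the Blue Coat report):
# a genuine Word binary document (OLE compound file header), an honestly
# named RTF file, and an RTF file disguised as photo.doc that embeds an
# OLE object the way ActiveX-based exploit documents typically do.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLES = {
    "quarterly.doc": OLE_MAGIC + b"\x00" * 32,
    "notes.rtf": b"{\\rtf1\\ansi Hello}",
    "photo.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
}


def sniff_format(data: bytes) -> str:
    """Identify the container format from leading bytes, ignoring the file name."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"          # legacy .doc / .xls / .ppt compound file
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"        # .docx and friends are ZIP containers
    return "unknown"


def analyze_attachment(name: str, data: bytes) -> dict:
    """Return a triage record; 'suspicious' is True when any heuristic fires."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    fmt = sniff_format(data)
    reasons = []
    # Heuristic 1 (assumption): Word-style extension but RTF content.
    if ext in ("doc", "docx") and fmt == "rtf":
        reasons.append("rtf_disguised_as_word")
    # Heuristic 2 (assumption): RTF with an embedded OLE object payload.
    if fmt == "rtf" and re.search(rb"\\objdata", data):
        reasons.append("rtf_embedded_ole_object")
    return {
        "name": name,
        "ext": ext,
        "format": fmt,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def triage(samples=SAMPLES) -> list:
    """Names of attachments that should be quarantined for analyst review."""
    return [n for n, d in samples.items() if analyze_attachment(n, d)["suspicious"]]


if __name__ == "__main__":
    for n, d in SAMPLES.items():
        print(analyze_attachment(n, d))
    print("quarantine:", triage())
```

Running it quarantines only photo.doc; the genuine Word document and the honestly named RTF pass. Both heuristics are intentionally cheap so they can sit in front of a sandbox: the mismatch check catches the disguise regardless of which RTF parser bug is being exploited, and the `\objdata` check narrows attention to the documents worth detonating.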
While all that is common enough, Blue Coat says that the steps taken by the attackers to add indirection to their activities are exceptional and suggest the involvement of a sophisticated cyber criminal or state-sponsored group. Specifically, the group behind Inception relied on a proxy network of compromised routers, most in South Korea, to handle their command-and-control communication. Blue Coat believes the attackers were able to compromise these devices based on poor configurations or default credentials.
“Based on the multiple layers of obfuscation and indirection in the malware, along with the control mechanisms between attacker and target, it is clear the attackers behind Inception are intent on staying in the shadows,” the company wrote.