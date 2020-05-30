Attackers are putting considerable skill and effort into penetrating industrial companies in multiple countries, with hacks that use multiple evasion mechanisms, an unusual encryption scheme, and exploits customized for each target.

The attacks begin with emails personalized for each target, a researcher from security firm Kaspersky Lab reported this week. For the exploit to activate, the language of the email must match the language of the target's operating system. In the case of an attack on a Japanese company, for example, the text of the email and of the attached Microsoft Office document containing a malicious macro had to be written in Japanese. Also required: the encrypted malware module could be decrypted only when the operating system itself used the Japanese language pack.

Recipients who follow the document's prompt to urgently enable its active content will see no indication that something is wrong. Behind the scenes, however, the macro runs a PowerShell script. It stays hidden because of the parameters the macro passes to PowerShell on the command line:

-ExecutionPolicy Bypass, which overrides the organization's execution policy (Microsoft documents the execution policy as a safety feature rather than a security boundary, which is why a single switch is enough to override it)

-WindowStyle Hidden, which hides the PowerShell window

-NoProfile, which runs the script without loading the end user's profile configuration
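As an added example (not code from the article or from Kaspersky's report), the following detection rule checks process-creation records for the launch pattern just described: PowerShell started by an Office application with those switches. The records are constructed stand-ins for Sysmon Event ID 1 / Security 4688 fields, and the field and function names are this example's own.

```powershell
# Constructed sample records (not real telemetry). Fields mirror Sysmon Event ID 1 / 4688.
$records = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -ExecutionPolicy ByPass -WindowStyle Hidden -NoProfile -Command "..."' }
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -nop -w hidden -ep bypass -enc SQBFAFgA...' }   # abbreviated switches
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\backup.ps1' }   # routine admin use
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\svchost.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Tasks\inventory.ps1' }   # scheduled task
)

function Test-HiddenOfficePowerShell {
    # Hypothetical function name; returns one verdict object per record.
    param([Parameter(Mandatory)] $Record)
    $cmd = $Record.CommandLine
    # PowerShell accepts any unambiguous prefix of a switch name, so the patterns must
    # also catch -ep bypass, -w hidden and -nop. -match is case-insensitive by default.
    $flags = [ordered]@{
        ExecutionPolicyBypass = [bool]($cmd -match '-e[a-z]*\s+bypass')
        WindowStyleHidden     = [bool]($cmd -match '-w[a-z]*\s+hidden')
        NoProfile             = [bool]($cmd -match '-nop[a-z]*')
    }
    $hits = @($flags.Keys | Where-Object { $flags[$_] })
    $fromOffice   = $Record.ParentImage -match '\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$'
    $isPowerShell = $Record.Image -match '\\(powershell|pwsh)\.exe$'
    [pscustomobject]@{
        # The parent process is the discriminator: the same switches from a scheduled task
        # or an admin shell are routine; from an Office document they are not.
        Alert       = $isPowerShell -and $fromOffice -and ($hits.Count -ge 2)
        Flags       = $hits -join ','
        Parent      = Split-Path $Record.ParentImage -Leaf
        CommandLine = $cmd
    }
}

# The first two records alert (Office parent plus two or more of the switches);
# the explorer.exe and svchost.exe launches do not.
$records | ForEach-Object { Test-HiddenOfficePowerShell $_ } | Format-Table Alert, Parent, Flags -AutoSize
```

In production the same function would be fed from Get-WinEvent over the Sysmon operational log or Security log rather than from the constructed array; the parent-process condition is what keeps the rule from firing on every scheduled task that happens to use -WindowStyle Hidden.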

Triple encoded steganography, anyone?

The PowerShell script reaches out to imgur.com or imgbox.com and downloads an image that has malicious code hidden in its pixels through a technique called steganography. The data is encoded with Base64, encrypted with an RSA key, and then encoded again with Base64 (Base64 is an encoding, not encryption; it only disguises the content). In a smart move, the script contains an intentional error in its code. The resulting error message, which differs for each language pack installed on the operating system, is the decryption key.

The decrypted and decoded data is a second PowerShell script which, in turn, unpacks and decodes another Base64-encoded data blob. With that, a third obfuscated PowerShell script runs Mimikatz, a tool that extracts the credentials of the Windows accounts used to access various network resources. If the stolen credentials include those of privileged Windows Active Directory accounts, attackers have access to virtually every node on the network.
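The following is an added example, not code from the Kaspersky report or the article: a self-contained reconstruction of the decode chain described in the two paragraphs above, using a locale-dependent exception message as the key material. AES-256-CBC stands in for the report's RSA step because the page does not say how the RSA key and the error message are combined; a random byte buffer stands in for raw pixel data; and all function names are this example's own. It runs on Windows PowerShell 5.1 and PowerShell 7.

```powershell
function Get-ErrorMessageKey {
    # The deliberate error. The message text comes from the resource strings of the
    # installed language pack, so a Japanese host and an English-language sandbox derive
    # different keys from the same script. The text is read at runtime, never hardcoded.
    $zero = 0
    try { $null = 1 / $zero } catch { $message = $_.Exception.Message }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    return ,$sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($message))   # 32-byte AES key
}

function Protect-Stage {
    param([string]$Script, [byte[]]$Key)
    # Stage text -> Base64 -> AES (stand-in for the report's RSA step) -> Base64
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $inner  = [Text.Encoding]::ASCII.GetBytes([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Script)))
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($inner, 0, $inner.Length)
    return [Convert]::ToBase64String([byte[]]($aes.IV + $cipher))    # IV prepended to ciphertext
}

function Unprotect-Stage {
    param([string]$Blob, [byte[]]$Key)
    $bytes = [Convert]::FromBase64String($Blob)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]($bytes[0..15])
    $inner = $aes.CreateDecryptor().TransformFinalBlock($bytes, 16, $bytes.Length - 16)
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String([Text.Encoding]::ASCII.GetString($inner)))
}

function Hide-InLsb {
    param([byte[]]$Cover, [byte[]]$Data)
    # Classic LSB steganography: a 4-byte length prefix, then one payload bit in the
    # low bit of each cover byte. Changing the low bit leaves the "image" visually intact.
    $payload = [byte[]]([BitConverter]::GetBytes([int]$Data.Length) + $Data)
    if ($payload.Length * 8 -gt $Cover.Length) { throw 'cover too small for payload' }
    $out = [byte[]]($Cover.Clone())
    for ($i = 0; $i -lt $payload.Length * 8; $i++) {
        $bit = ($payload[$i -shr 3] -shr (7 - ($i % 8))) -band 1
        $out[$i] = ($out[$i] -band 0xFE) -bor $bit
    }
    return ,$out
}

function Read-LsbBytes {
    param([byte[]]$Stego, [int]$Start, [int]$Count)
    $buf = [byte[]]::new($Count)
    for ($i = 0; $i -lt $Count * 8; $i++) {
        $buf[$i -shr 3] = ($buf[$i -shr 3] -shl 1) -bor ($Stego[$Start + $i] -band 1)
    }
    return ,$buf
}

function Get-FromLsb {
    param([byte[]]$Stego)
    $len = [BitConverter]::ToInt32((Read-LsbBytes $Stego 0 4), 0)
    return ,(Read-LsbBytes $Stego 32 $len)
}

# Attacker side: prepared on a machine with the target's language pack installed.
$stage = 'Write-Output "second-stage script would run here"'
$blob  = Protect-Stage -Script $stage -Key (Get-ErrorMessageKey)
$cover = [byte[]](1..4096 | ForEach-Object { Get-Random -Maximum 256 })   # constructed "pixels"
$image = Hide-InLsb -Cover $cover -Data ([Text.Encoding]::ASCII.GetBytes($blob))

# Victim side: same language pack, so the same key, and the next stage decrypts.
$recovered = Unprotect-Stage -Blob ([Text.Encoding]::ASCII.GetString((Get-FromLsb $image))) -Key (Get-ErrorMessageKey)
"Round trip ok: $($recovered -eq $stage)"

# Sandbox side: a different language pack yields a different message, hence a different key.
$otherKey = [System.Security.Cryptography.SHA256]::Create().ComputeHash(
    [Text.Encoding]::UTF8.GetBytes('<message text from another language pack>'))
try   { Unprotect-Stage -Blob $blob -Key $otherKey }
catch { "Sandbox would fail here: $($_.Exception.GetType().Name)" }
```

Two things the example makes concrete: the network traffic is an ordinary HTTPS image download, so there is nothing for a proxy to match on, and an analyst who does not know the victim's language pack cannot reproduce the key offline. The practical countermeasure is to detonate samples with the target's locale and language pack, or to recover the message text from the PowerShell script block logs (Event ID 4104) of the affected host.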

The following diagram summarizes the flow of the attack:

The attacks, which Kaspersky Lab has seen in Japan, Italy, Germany, and the UK, are notable for their unconventional approach, as described in this week's Kaspersky Lab post. Company researcher Vyacheslav Kopeytsev wrote:

First, the malicious module is encoded into an image using steganographic techniques, and the image is hosted on legitimate web resources. This makes it virtually impossible to detect such malware using network traffic monitoring and control tools while it is downloading. From the point of view of technical solutions, this activity is indistinguishable from sending ordinary requests to legitimate image hosting services. A second curious feature of the malware is the use of the exception message as the decryption key for the malicious payload. This technique can help malware evade detection in sandbox-class automatic analysis systems and makes analysis of malware functionality much more difficult for investigators if they do not know which language pack was used on the victim's computer. The use of the above techniques, combined with the precise nature of the infections, indicates that these were targeted attacks. It is troubling that the victims of the attacks include contractors of industrial companies. If attackers can obtain the credentials of employees of a contracting organization, this can lead to a number of negative consequences, from theft of confidential data to attacks on industrial companies through remote administration tools used by the contractor.

Kaspersky Lab software blocked the attacks before they could progress. As a result, investigators still don't know what the attackers' ultimate goal was. In recent years, control systems for gas refineries, power plants, factories and other critical infrastructure have come under increasing attack from saboteurs and ransomware operators. It is possible that the ultimate targets of these attacks were the industrial companies that the contractors serve.