Security researchers have discovered a number of spear phishing campaigns using Pakistani-themed documents, most likely targeting that country.
According to a blog post by Jose Manuel Martin, a security researcher at AlienVault, the phishing emails use a mix of different openly available malware and document exploits for delivery.
Martin said that these emails are served from the compromised domains www.serrurier-secours[.]be and careers.fwo.com[.]pk (a part of the Pakistani army). He added that there were some clear trends in the themes of the decoy documents the attackers chose to include, with file names such as "China-Pakistan-Internet-Security-LAW_2017.doc", "Strategic Thinking on Ensuring Ideological.docx" and "Pakistan Air Force Jet Crashes During Routine Operation", to name a few.
One of the documents researchers analysed contained a list with names of officers who are being promoted in the Pakistan Atomic Energy Commission.
"This is probably a targeted attack, with a very few number of spam emails delivered to a selected bunch of people. Although the document is dated on December 2017, we’ve seen related malware dating back to June 2017. A number of these documents have been previously identified by users on Twitter," said Manuel.
He said it was a surprise that the documents drop a mix of low-quality RATs such as Pony and Netwire, which are normally associated with amateur attacks against banking credentials rather than with targeted operations.
When opened, the document drops several files, among them an encapsulated PostScript (EPS) file. This corrupted EPS tries to exploit CVE-2015-2545, a vulnerability that allows an attacker to execute arbitrary code placed inside an EPS header. The exploit then attempts to run a DLL file containing a malicious remote access tool. "Its capabilities include sandbox evasion, local privilege escalation and remote code execution in the infected machine," said Manuel.
The payload checks whether the target system is vulnerable to either remote code execution or local privilege escalation. The program calls cmd.exe /k whoami to verify whether the RCE has worked.
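The cmd.exe /k whoami check described above is a useful detection hook for defenders: a word processor normally has no reason to spawn a command shell, let alone one that runs whoami. The following is an added example, not code from the article or from AlienVault, of a small process-creation log scanner that flags this pattern. The JSON log lines are constructed for the example and loosely follow Sysmon-style field names (Image, ParentImage, CommandLine); the severity labels and the list of Office parent processes are assumptions chosen for illustration.

```python
import json

# Parent processes that should not normally spawn a command shell (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe"}

# Constructed sample log lines (not real telemetry from the campaign).
SAMPLE_LOG_LINES = [
    '{"ProcessId": 4120, "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", '
    '"ParentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\Office16\\\\WINWORD.EXE", '
    '"CommandLine": "cmd.exe /k whoami"}',
    '{"ProcessId": 4125, "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", '
    '"ParentImage": "C:\\\\Windows\\\\explorer.exe", '
    '"CommandLine": "cmd.exe /k whoami"}',
    '{"ProcessId": 4133, "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", '
    '"ParentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\Office16\\\\WINWORD.EXE", '
    '"CommandLine": "cmd.exe /c dir"}',
    '{"ProcessId": 4140, "Image": "C:\\\\Windows\\\\splwow64.exe", '
    '"ParentImage": "C:\\\\Program Files\\\\Microsoft Office\\\\Office16\\\\WINWORD.EXE", '
    '"CommandLine": "splwow64.exe 12288"}',
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a severity label for one process-creation event, or None.

    'high'   - an Office process spawned a shell that runs whoami
               (matches the RCE check described in the article).
    'medium' - an Office process spawned a shell for any other reason.
    """
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    if parent in OFFICE_PARENTS and image in SHELLS:
        return "high" if "whoami" in cmdline else "medium"
    return None


def detect(log_lines):
    """Scan JSON log lines and return (severity, ProcessId) for each hit."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        severity = classify(event)
        if severity is not None:
            alerts.append((severity, event["ProcessId"]))
    return alerts


if __name__ == "__main__":
    for severity, pid in detect(SAMPLE_LOG_LINES):
        print(f"{severity.upper()}: suspicious shell spawned by Office, pid={pid}")
```

The rule keys on the parent/child relationship rather than on the exploit itself, so it still fires if the attackers swap the EPS exploit for a macro or another document bug, which is why Office-spawns-shell is a common baseline detection. The explorer.exe line is deliberately included to show that whoami on its own is not enough to alert on: administrators run it all the time.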
"The final payload dropped is a sample containing the infamous Netwire RAT. We found similar purpose packages dropped by some of the other documents mentioned. The attack pattern and some other indicators, like domain names, look similar to the Revenge RAT campaign analysed by RSA Link security researchers," said Manuel.
Rob Shapland, principal cyber-security consultant at Falanx Group, told SC Media UK that these attacks use social engineering at their heart to get staff to open the attachment, and by far the best defence against this is staff training.
"A combination of face-to-face training that shows how easy it is for the hackers, e-learning and email phishing tests will educate staff on how to protect themselves and the business, and how to report suspicious emails. As long as the training is engaging then this is the number one defence against phishing attacks," he said.
"Technical defences can be implemented such as email protection software and sandboxing, but also these particular exploits that are used in this attack are quite old – any organisation that regularly patches its systems is not going to be affected. This highlights the importance of ensuring that the patching policy keeps all computers up to date. Disabling macros within Microsoft Word and Excel will also stop the attack from working as it requires these macros in order to run the malicious code."
Bill Conner, CEO of SonicWall, told SC Media UK that as the cyber-arms race continues to escalate, there is increasing pressure on the US and UK governments to truly understand the nature of malware cocktails - the process of mixing threats to concoct brand new, destructive attacks.
"The risks to businesses and even everyday citizens' data grow each day. Governments and businesses need to deploy a layered security approach utilising next generation firewalls, deep packet inspection for encrypted communication, cloud-based multi-engine cloud sandboxing, advanced real-time deep memory inspection, and next generation end-point security with rollback capability," he said.