Cisco researchers have finally uncovered a cyber criminal group that have been successfully hiding since at least 2007, distributing malware that was almost entirely undetectable by anti-virus systems.
The so-called ‘String of Paerls' attackers were exposed by Cisco's Jaeson Schultz, Joel Esler, Craig Williams and Richard Harman in a 30 June blog as targeting “high-profile, money-rich” industries such as banking, oil, television and jewellery.
They are so named because one of their domain names is ‘londonpaerl.co.uk', mimicking the name of a legitimate UK-based jewellery business, London Pearl Ltd, which supplies cultured pearls and cultured pearl jewellery.
Cisco says the criminals have been operating since at least 2007, and have run several different campaigns involving “many pieces of malware”. But they remained hidden because they preyed on small numbers of victims using “extremely targeted” spear phishing emails and adopted various other means to cover their tracks.
Cisco technical leader Craig Williams told SCMagazineUK.com: “These are one of the very few attackers that we've seen that just no-one has tracked. They've been around for a long time. But when they target such a small amount of people it's very difficult to detect, and it maximises the chance of the attacker getting away with it.”
He added: “A very, very small percentage of AV engines detected the malware, I think there was one out of maybe 50 that we tested that detected it and the rest didn't. I think that was one of the reasons why these guys were still so successful – no-one was detecting it and there was such a small number of customers targeted that they were just sliding under the radar.”
The criminals hid behind numerous fake domain names and also frequently switched addresses and email addresses. In the blog, Cisco says: “During the investigation the threat actor changed the information on some of the domains several times. Items like addresses, email addresses and such were changed, literally, in between browser refreshes.”
Cisco warns that the attackers typically use a traditional spear phishing email, such as a fake invoice, purchase order or receipt, written specifically for the recipient, in order to infect them with a spiked Microsoft Word attachment.
“While basic, the Office Macro attack vector is obviously still working quite effectively,” they say.
But among some more ‘new-school' features, the attackers follow the recent trend of hosting their malware on the Dropbox cloud-based file-sharing service.
Cisco found four separate pieces of the malware payload on Dropbox and blogged: “We reported these links to the Dropbox security team who confirmed that they disabled the file share links.”
Analysing the attack, industry expert Fran Howarth, senior security analyst at Bloor Research, focused on this aspect.
She told SC via email: “What I find interesting about this is the use of Dropbox, which would appear to be a new tactic that is starting to appear. Many employees are used to using such file-sharing applications for leisure purposes and are increasingly using such services for work as well - often without the knowledge of their employer.
“This creates another reason for organisations to look closely at the use of unsanctioned services and should provide their employees with an alternative that is as user friendly, but under the control of the IT department.”
The Dropbox aspect was also highlighted by security industry expert, Scott MacKenzie, CISO with cyber security solutions provider Logical Step. He told SC via email: “The use of Dropbox to serve the malware executable is most likely due to the ease with which free users accounts can be registered; as well Dropbox can handle high-bandwidth connections.”
Williams said that Cisco does not know where the attackers come from but is convinced they are non-native English speakers. He said one way they were identified was that they used a strange form of postal address, and Cisco used that to track down all the other domains that had the same error.
Cisco adds in its blog that: “All of the domains we've associated with this threat have been blocked for web security customers since their discovery. We will continue to monitor the situation.”
Earlier this month, security firm PhishMe detected another phishing campaign that sent its victims to Dropbox. These scammers disguised themselves as reputable UK organisations such as Companies House, the Royal Bank of Scotland and HSBC.