The service centres in question provide maintenance and support for a variety of electronic goods. Researchers at Fortinet said that a distinguishing feature of these attacks is their multi-stage structure: forged emails, malicious Office documents carrying exploits for a vulnerability that is 17 years old, and a commercial version of a RAT that is tucked into five different layers of protective packers.
According to a blog post by Fortinet researchers Artem Semenchenko, Evgeny Ananin, and Yueh Ting Chen, the attacks were first observed in March when an undisclosed Russian service company engaged in the repair and servicing of electronic devices received several emails. The researchers said that the emails claimed to be from representatives of Samsung.
“We believe that these emails were a starting point for a planned targeted attack, and not just a part of a random mass campaign,” said researchers.
Researchers said they concluded this because the email was specifically sent to the service company that repairs Samsung's electronic devices; this company is based in Russia, and the email is written in the Russian language with a Russian name in the “From” field. The sender falsely claims to be from the Samsung Company, and the email contains a file with the name Symptom_and_repair_code_list.xlsx that is related to the targeted company's profile.
“After carefully examining this email, we have concluded that it is highly unlikely that a native Russian speaker wrote this text. Instead, this text was probably the product of some machine translation. Therefore we can reasonably assume that while these attackers targeted a Russian company, they are not Russian speakers,” said the researchers.
Inside the malicious documents there is a printer configuration string. In further investigations, the researchers concluded that this string is related to the original source of these files and did not belong to the attackers.
“Instead, the IP from these strings is probably related to the organisation where these documents were initially created. All of the printers in the documents are Samsung models. The attackers later modified these files to contain an exploit,” said researchers.
Tests on the suspicious documents recorded malicious activity by eqnedt32.exe, the Microsoft Equation Editor component.
“This gave rise to a suspicion that CVE-2017-11882 is being used. Later, we confirmed that all fresh samples are exploits from the same vulnerability: CVE-2017-11882. The malware authors clearly love this vulnerability because it allows them to achieve a stable exploitation across all current Windows platforms. The reason lies in the fact that the component “eqnedt32.exe” has not been updated for 17 years,” said researchers.
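The observation that led Fortinet to CVE-2017-11882 was that opening the documents produced malicious activity from eqnedt32.exe. Equation Editor is a COM server that normally does nothing beyond rendering an equation, so a defender can turn that into detection logic: the process should never spawn children or open network connections. The script below is an added example (not Fortinet's code or the incident's telemetry); it runs simple rules over constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) events, with placeholder paths, a documentation-range IP address and an elided command line standing in for real data.

```python
"""Flag anomalous Equation Editor (eqnedt32.exe) activity in endpoint telemetry.

Added example for illustration; not Fortinet's tooling.  The events below are
constructed Sysmon-style records, one JSON object per line, not real logs.
"""
import json

EQUATION_EDITOR = "eqnedt32.exe"

# Constructed sample telemetry.  203.0.113.10 is a documentation-range address
# and the stager command line is deliberately elided.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "EXCEL.EXE Symptom_and_repair_code_list.xlsx"}
{"EventID": 1, "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "EQNEDT32.EXE -Embedding"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "CommandLine": "cmd.exe /c <elided constructed command>"}
{"EventID": 3, "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def load_events(text: str) -> list:
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events: list) -> list:
    """Apply three rules and return alerts in event order.

    high: Equation Editor spawned a child process (it has no reason to).
    high: Equation Editor opened a network connection (it has no reason to).
    low:  Equation Editor launched at all; rare enough to warrant a look at
          the document that triggered it.
    """
    alerts = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        if ev["EventID"] == 1 and parent == EQUATION_EDITOR:
            alerts.append({"severity": "high",
                           "rule": "Equation Editor spawned a child process",
                           "image": image, "cmdline": ev.get("CommandLine", "")})
        elif ev["EventID"] == 3 and image == EQUATION_EDITOR:
            alerts.append({"severity": "high",
                           "rule": "Equation Editor made a network connection",
                           "image": image, "dest": ev.get("DestinationIp")})
        elif ev["EventID"] == 1 and image == EQUATION_EDITOR:
            alerts.append({"severity": "low",
                           "rule": "Equation Editor launched; review the source document",
                           "image": image, "parent": parent})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_LOG)):
        print(f"[{alert['severity']}] {alert['rule']}: {alert}")
```

On the constructed sample this yields one low-severity and two high-severity alerts. The child-process and network rules are the ones worth paging on; the plain-launch rule is noisy in organisations that still use Equation Editor and is better kept as context for triage.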
The attack also used a RAT disguised in five different layers of protective packers. This is the commercial version of the Imminent Monitor RAT. It consists of five modules; the first two modules are capable of recording video from a victim's webcam. The last three contain different spy and control functionalities.
Analysis of the C2 servers used in these attacks found 50 domains, all of which were registered on the same day. “Some of these domains have already been used for malware spreading,” said researchers.
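Fifty domains registered on one day, some already tied to malware delivery, is the kind of pattern an analyst finds by clustering registration data and pivoting from the domains already known to be bad. The following is an added example (not Fortinet's code, and the domains are constructed placeholders under the reserved .example TLD, not the campaign's infrastructure) that parses abbreviated WHOIS-style text, groups domains by creation day and registrar, and returns the siblings of a known-bad domain for blocking or monitoring.

```python
"""Cluster domains by registration day and pivot from known-bad ones.

Added example, not Fortinet's code.  The WHOIS text is constructed and uses
reserved .example names; it is not the campaign's C2 infrastructure.
"""
import re
from collections import defaultdict

WHOIS_DUMP = """\
Domain Name: svc-update1.example
Registrar: Registrar One
Creation Date: 2018-03-05T10:22:31Z

Domain Name: svc-update2.example
Registrar: Registrar One
Creation Date: 2018-03-05T10:23:02Z

Domain Name: svc-update3.example
Registrar: Registrar One
Creation Date: 2018-03-05T10:23:40Z

Domain Name: corp-mail.example
Registrar: Registrar Two
Creation Date: 2016-11-20T08:00:00Z

Domain Name: svc-update4.example
Registrar: Registrar One
Creation Date: 2018-03-05T10:24:15Z
"""

# Only the three fields the pivot needs; WHOIS output varies by registry.
FIELD = re.compile(r"^(Domain Name|Registrar|Creation Date):\s*(.+?)\s*$", re.M)


def parse_whois(dump: str) -> list:
    """Split a dump into blank-line-separated records and extract the fields."""
    records = []
    for block in dump.strip().split("\n\n"):
        fields = dict(FIELD.findall(block))
        records.append({
            "domain": fields["Domain Name"].lower(),
            "registrar": fields["Registrar"],
            "created": fields["Creation Date"][:10],  # calendar day only
        })
    return records


def cluster_by_creation_day(records: list) -> dict:
    """Map (creation day, registrar) -> list of domains."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[(rec["created"], rec["registrar"])].append(rec["domain"])
    return dict(clusters)


def pivot_from_known_bad(records: list, known_bad: set, min_cluster: int = 3) -> list:
    """Return domains registered the same day, at the same registrar, as a
    known-bad domain, provided the batch is large enough to look deliberate."""
    known_bad = {d.lower() for d in known_bad}
    related = set()
    for domains in cluster_by_creation_day(records).values():
        if len(domains) >= min_cluster and known_bad.intersection(domains):
            related.update(domains)
    return sorted(related - known_bad)


if __name__ == "__main__":
    recs = parse_whois(WHOIS_DUMP)
    for key, doms in cluster_by_creation_day(recs).items():
        print(key, len(doms), "domain(s)")
    print("siblings of known-bad:", pivot_from_known_bad(recs, {"svc-update2.example"}))
```

The `min_cluster` threshold keeps ordinary same-day registrations at a large registrar from being swept in; in practice the date pivot is combined with other shared attributes (name server, registrant contact, hosting IP) before anything is added to a blocklist.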
Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that the nature of the malware is a remote access tool (RAT) which is used to spy on and control the infected victims.
“It is not clear why this Russian device repair company was targeted but based on the information provided by Fortinet a possible motivation would be an attack on Samsung,” he said.
“It is not uncommon for hackers to search for breaches through weaker partners of larger, better secured, organisations. Once a partner has been breached, lateral movement can provide easier access to the actual target. Samsung comes to mind as the attackers apparently discovered a link between the victim and Samsung as they used this information to attempt to spear-phish the victims. The actual target could very well be another partner organisation.”
George Cerbone, principal solutions architect at One Identity, told SC Media UK that it is very difficult to say who might be targeting Russian companies.
“This particular attack is essentially a remote access attack, so the goal of the attack is to get a foothold in the targeted network for further intrusion. It's hard to say whether they are targeting “Russian companies”, or whether they are targeting a company that happens to be Russian. The article mentions that the document seems to be machine translated. That would seem to indicate that the attacker is not very sophisticated and did not have access to native Russian speakers. Therefore, it is probable that the attack was not prepared to specifically target Russian companies, but that the specific company was a target of opportunity,” he said.