Kaspersky ICS CERT experts report that International equipment suppliers for the industrial sector were targeted with an attack that used unconventional techniques to evade detection.

The attacks started with an urgent phishing email being sent to victims which included malicious Microsoft Office documents with obfuscated macros. Targets of the attack were located in Germany, UK, Italy, and Japan.

One of the most interesting features is the use of steganography, the other one is the use of an exception message as the decryption key for the malicious payload.

Actors use PowerShell scripts, Microsoft Office documents, steganography to hide malicious data, and other techniques to make it extremely difficult to identify and analyze malware. If the localization of the intended victim’s operating system did not match the language in the phishing email, the malware would execute.

The Attack

The attacks started with an urgent phishing email being sent to victims which included malicious Microsoft Office documents with obfuscated macros. The macros decrypt and execute a PowerShell script, which in turn selects a URL that resolves to the legitimate public image hosting services imgur.com or imgbox.com and then downloads an image that secretly hides encrypted data through the technique of steganography.

This makes it virtually impossible to detect such malware using network traffic monitoring and control tools while it is being downloaded.

The decryption key for the data is hidden in an exception message associated with an error that was intentionally entered into the script itself. A second PowerShell script will run a third PowerShell script which is an obfuscated sample of Trojan-PSW.PowerShell.Mimikatz malware.

Attackers are using the Mimikatz utility to steal the authentication data of Windows accounts stored on the victim’s computer system. After an infection is successful, the attackers could use this foothold in the supplier’s network as a pivot point later to attack the supplier’s industrial enterprise clients.

Conclusion

Kaspersky analysts found that it typically began with an urgent phishing email that recipients were asked to open. Individuals that opened the email then received a message to enable the attached document’s active content. If the recipient took the bait, the malicious macro would get executed and the infection chain would commence.

By making attacks complicated, the attackers have a longer timetable to infect more victims before readily available detection techniques are deployed. Because the malware used steganography and downloaded the image from legitimate online resources, network monitoring would not be able to catch these infections.

However, a service such as Managed Endpoint Detection and Response which is offered through Binary Defense would be able to detect the abnormal behavior on the targeted device and stop it before it has a chance to spread.

Recommendations

It is recommended to consider the following best practices:

• Organizations are advised to restrict macros in MS Office documents and PowerShell script execution, wherever possible.
• Defenders could also block communications with public image hosting services if they are not needed for the organization’s operations, although that could cause unintended problems for employees attempting to view websites.
• Do not open any email. Always check the source of information from incoming mail.
• Use anti-phishing servicesto counter phishing attacks. It provides help by protecting against unauthorized IP and MAC addresses to prevent and mitigate online scams.
• Concentrate on phishing security awareness. Making employees aware of the tactics used by scammers and the consequences of certain behaviours is paramount.