Security experts have recently detected a series of attacks originating from China and targeting SCADA security organizations, universities and defense contractors. The attacks used customized malicious files crafted to entice the targeted individuals into running them. The intruders also relied on a set of compromised servers serving as command-and-control points.
The experts note that both the tactics and the tools used by the attackers indicate that they are most likely located in China. Digital Bond, a firm providing security services for industrial control systems (ICS), was targeted first; the attacks on the other organizations then followed a similar pattern.
The attack usually started with a spear-phishing email, carrying a PDF attachment, sent to employees of the targeted organization. When opened, the attachment installed a Trojan downloader named spoolsvr.exe, which connected to a C&C server at hxxp://hint.happyforever.com to fetch instructions and a payload. It also loaded a second file, tanghi.exe, which many anti-malware products fail to detect. That file functions as a remote access tool, giving the attacker a persistent presence on the infected machine.
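As an added example, not code from the report, the following Python sketch shows how a defender could correlate the chain described above across two log sources: a process-creation log (the PDF reader spawning the spoolsvr.exe downloader, which in turn starts tanghi.exe) and a DNS log (a lookup of hint.happyforever.com). The log format, host names, timestamps and PDF reader process names are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Indicators named in the report. Matching is exact, so the legitimate Windows
# print spooler spoolsv.exe (which spoolsvr.exe resembles) is not flagged.
DOWNLOADER, RAT, C2_DOMAIN = "spoolsvr.exe", "tanghi.exe", "hint.happyforever.com"
# Assumption: process names of common PDF readers, used to tie the downloader
# back to the spear-phishing PDF attachment.
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe"}

# Constructed sample events in an assumed "timestamp k=v k=v" format.
PROCESS_LOG = [
    "2012-02-08T09:14:02 host=ws-lab01 parent=AcroRd32.exe image=C:\\Users\\j\\AppData\\Local\\Temp\\spoolsvr.exe",
    "2012-02-08T09:14:05 host=ws-lab01 parent=spoolsvr.exe image=C:\\Users\\j\\AppData\\Roaming\\tanghi.exe",
    "2012-02-08T09:20:11 host=ws-lab02 parent=services.exe image=C:\\Windows\\System32\\spoolsv.exe",
]
DNS_LOG = [
    "2012-02-08T09:14:03 host=ws-lab01 query=hint.happyforever.com",
    "2012-02-08T09:21:00 host=ws-lab02 query=update.example.com",
]

def parse(line):
    """Return the k=v fields of one event (paths contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line.split(" ", 1)[1]))

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def correlate(process_log, dns_log):
    """Map each host to the stages of the reported chain observed on it."""
    stages = defaultdict(set)
    for ev in map(parse, process_log):
        image, parent = basename(ev["image"]), basename(ev["parent"])
        if image == DOWNLOADER:
            stages[ev["host"]].add("downloader")
            if parent in PDF_READERS:  # spawned by the PDF reader: phish delivery
                stages[ev["host"]].add("pdf_phish")
        elif image == RAT:
            stages[ev["host"]].add("rat")
    for ev in map(parse, dns_log):
        if ev["query"].lower().rstrip(".") == C2_DOMAIN:
            stages[ev["host"]].add("c2")
    return dict(stages)

def severity(stages):
    """Full chain (downloader, C2 contact, RAT) is high; partial sightings lower."""
    if {"downloader", "c2", "rat"} <= stages:
        return "high"
    return "medium" if len(stages) >= 2 else ("low" if stages else "none")
```

Only ws-lab01 is reported, and at high severity, because all three stages plus the PDF-reader parent are seen there; ws-lab02 running the genuine spooler and resolving an unrelated domain produces no hit.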
Security experts confirm that users at Carnegie Mellon University, Purdue University and the University of Rhode Island were targeted by the attackers. Aside from the universities, defense contractors were also targeted, including the Chertoff Group, a consultancy headed by former Secretary of Homeland Security Michael Chertoff, and NJVC.
The experts say that the current campaign resembles the Shady RAT attacks, first disclosed by McAfee a year ago, and may be the work of the same group. These attacks are no longer random; instead, the targets appear to be selected with care.