Sophisticated malware targets execs’ PCs and Android, BlackBerry and iOS devices

Malware believed to be part of a nation-state espionage campaign and reminiscent of previous attacks has been caught targeting mobile devices and PCs of executives, diplomats and military.

Security vendor Blue Coat Labs has uncovered what it claims are the “most sophisticated” malware attacks it has ever seen, potentially adding one more to the growing list of government-made malware that poses a threat both to its intended targets and to others caught in the crossfire.

Dubbed “Inception” after the sci-fi thriller starring Leonardo DiCaprio, the malware family is usually deployed as rigged attachments to phishing emails and has separate modules designed to target Windows machines and iOS, Android and BlackBerry devices.

According to Blue Coat researchers Snorre Fagerland and Wayne Grange, targets of this campaign include executives from the oil, finance and engineering sectors, military officers, embassy personnel and government officials. Targets were inferred from the content of the phishing emails.

While the attacks initially targeted individuals in Russia and other Eastern European countries, their scope has widened to include executives in the oil and energy industry in Romania, Venezuela and Mozambique.

One phishing email, purportedly from “Mrs World” and addressed to the CEO of an unnamed “large” Russian bank, contained a trojanised Word document. The document exploited an RTF memory-corruption flaw (CVE-2014-1761) for which Microsoft had issued an advisory in March this year, following reports the bug was being exploited in targeted attacks, and a patch in April. Another exploit targeted CVE-2012-0158, an older buffer overflow in the MSCOMCTL ActiveX control that Office documents can load.

According to Blue Coat, the Inception campaign used the Swedish cloud storage service CloudMe.com to host its files and route its command and control (C&C) traffic, which it carried over the WebDAV protocol. Because the C&C endpoint was a legitimate service rather than attacker-owned infrastructure, enterprises looking to detect this threat should monitor for WebDAV traffic to hosts that have not been sanctioned, not merely for known-bad domains.
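The detection suggested above can be reduced to a simple rule over web-proxy logs: flag WebDAV methods aimed at any host outside an allowlist. The following Python is an added example written for this page, not code from Blue Coat, Kaspersky or CloudMe. The log format, the allowlisted host `sharepoint.corp.example` and the external host `webdav.cloud-storage.example` are all constructed assumptions; real proxies (Squid, ProxySG and others) have their own formats, so the regex is the part to adapt.

```python
"""Flag WebDAV traffic to hosts that are not on an approved list.

Added example, not from the Blue Coat or Kaspersky reports. The log format
below is a constructed, simplified web-proxy line: timestamp, client IP,
HTTP method, URL, user-agent. Real proxies use their own formats, so the
regex is an assumption to adapt.
"""
import re
from urllib.parse import urlparse

# RFC 4918 methods plus PUT/DELETE, which almost never appear in ordinary
# browsing but are routine for a WebDAV client pushing and pulling files.
WEBDAV_METHODS = {
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "PUT", "DELETE",
}

# Hosts where WebDAV is sanctioned (assumption: an internal SharePoint farm).
APPROVED_WEBDAV_HOSTS = {"sharepoint.corp.example"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one constructed proxy log line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname or ""
    return rec


def is_suspicious(rec):
    """True for a WebDAV method aimed at a host outside the allowlist."""
    if rec["method"] not in WEBDAV_METHODS:
        return False
    host = rec["host"].lower()
    return not any(host == h or host.endswith("." + h) for h in APPROVED_WEBDAV_HOSTS)


def find_unauthorised_webdav(lines):
    """Return (client, method, host) for every suspicious record, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["client"], rec["method"], rec["host"]))
    return hits


# Constructed sample: ordinary browsing, one sanctioned WebDAV request, and a
# three-request WebDAV session against an external cloud host. Host names are
# placeholders, not indicators from the campaign.
SAMPLE_LOG = """\
2014-12-10T09:01:02Z 10.1.2.3 GET http://news.example.com/ "Mozilla/5.0"
2014-12-10T09:01:05Z 10.1.2.3 PROPFIND https://sharepoint.corp.example/sites/x/ "Microsoft-WebDAV-MiniRedir/6.1.7601"
2014-12-10T09:02:11Z 10.1.2.9 PROPFIND https://webdav.cloud-storage.example/user/ "Microsoft-WebDAV-MiniRedir/6.1.7601"
2014-12-10T09:02:12Z 10.1.2.9 PUT https://webdav.cloud-storage.example/user/q.dat "Microsoft-WebDAV-MiniRedir/6.1.7601"
2014-12-10T09:02:13Z 10.1.2.9 MOVE https://webdav.cloud-storage.example/user/q.dat "Microsoft-WebDAV-MiniRedir/6.1.7601"
2014-12-10T09:03:00Z 10.1.2.3 POST https://mail.example.com/send "Mozilla/5.0"
"""

if __name__ == "__main__":
    for client, method, host in find_unauthorised_webdav(SAMPLE_LOG.splitlines()):
        print(f"unauthorised WebDAV: {client} {method} {host}")
```

On the sample the rule fires three times, all for client 10.1.2.9, while the sanctioned SharePoint PROPFIND and the plain GET/POST traffic pass. The allowlist, rather than a blocklist, is the point: the article's attackers hid behind a legitimate Swedish provider, and a list of known-bad domains would not have contained it.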

Blue Coat added that CloudMe “was very helpful, providing further research, including a great deal of log information related to the attack”. The service itself was not spreading malicious content; the attackers only used it to store their files.

The other key piece to its C&C infrastructure was a network of compromised routers, mostly based in South Korea.

More recently, the attackers behind Inception have developed malware for jailbroken iPhones and Android devices that poses as a WhatsApp update installer package. It relies on social engineering rather than exploiting a software flaw. The BlackBerry malware was delivered as a Java Application Descriptor (JAD) file, the format used for over-the-air (OTA) installation of Java-based apps.

Depending on the device, the malware collects unique device identifiers, carrier information and activity such as call logs and contacts. To reach potential victims, the attackers devised MMS phishing campaigns through at least 60 mobile networks across the globe.

Rival security firm Kaspersky released its own findings on the campaign on Wednesday, but calls the group “Cloud Atlas”.

According to the Russian security vendor, its users were hit in August by attacks exploiting the RTF flaw (CVE-2014-1761). Blue Coat received its first sample in June 2014, in the form of a document created in May.


Both vendors found lure documents, such as a “diplomatic car for sale” advert, that resemble those used by Red October, a malware-espionage campaign thought to have been developed in Russia. Several other attack documents posed as news items about tensions in Ukraine.

As a targeted campaign, victim counts are very low: Kaspersky counts a total of 37 machines in its top five countries for Cloud Atlas, 15 of them in Russia and 14 in Kazakhstan. Kaspersky adds that in one instance, the only infections the victim had seen in the past two years were Cloud Atlas and Red October.

Both vendors, however, outline differences between Inception (Cloud Atlas) and Red October.

“The Red October malware contained linguistic markers that pointed towards Russian speaking attackers. No such clues have been found in the Inception related malware; there is a marked difference in the attention to detail and information leakage,” Blue Coat notes in its report.


Kaspersky adds that RedOctober used the RC4 encryption algorithm while Cloud Atlas uses AES.

The Russian company puts the differences down to new geopolitical realities that have emerged in Russia and surrounding nations in the past two years.

“Just like with RedOctober, the top target of Cloud Atlas is Russia, followed closely by Kazakhstan, according to data from the Kaspersky Security Network (KSN). Actually, we see an obvious overlap of targets between the two, with subtle differences which closely account for the geopolitical changes in the region that happened during the last two years,” Kaspersky’s Global Research & Analysis Team wrote.

Kaspersky researchers believe whoever was behind RedOctober has made a “classy return” with Cloud Atlas.

If that’s the case, suspicion may be directed towards Russia. Blue Coat, however, entertains a number of possibilities when it comes to attributing the malware to a specific nation. It sees signs of a “Chinese connection” in Chinese components of the malware, but also indicators pointing to South Korea, India, Ukraine, Russia, the US or UK, and the Middle East.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
