Malware believed to be part of a nation-state espionage campaign, and reminiscent of previous attacks, has been caught targeting the mobile devices and PCs of executives, diplomats and military officers.
Security vendor Blue Coat Labs has uncovered what it claims to be the “most sophisticated” malware attacks it has ever seen, potentially adding one more to the growing list of government-made malware that pose a threat to their intended targets and others caught in the crossfire.
Dubbed “Inception” after the sci-fi thriller starring Leonardo DiCaprio, the malware family is usually deployed in rigged attachments to phishing emails and has separate modules designed to target Windows machines and iOS, Android and BlackBerry devices.
According to Blue Coat researchers Snorre Fagerland and Wayne Grange, targets of this campaign include executives from the oil, finance and engineering sectors, military officers, embassy personnel and government officials. Targets were inferred from the content of the phishing emails.
While the attacks initially targeted individuals in Russia and other Eastern European countries, their scope has widened to include executives in the oil and energy industry in Romania, Venezuela and Mozambique.
One phishing email, purportedly from “Mrs World” and addressed to the CEO of an unnamed “large” Russian bank, contained a trojanised Word document. The document exploited an RTF parsing flaw (CVE-2014-1761) that Microsoft had patched in April this year, after warning in March that the bug was being exploited in targeted attacks. Another exploit was for an older buffer overflow in the MSCOMCTL ActiveX control used by Office (CVE-2012-0158).
According to Blue Coat, the Inception campaign used a Swedish cloud service CloudMe.com to host its files and route its command and control (C&C) traffic, which it did using the WebDAV protocol. As such, enterprises looking to avoid this threat should monitor for unauthorised WebDAV traffic.
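The monitoring advice above is easier to act on with a concrete rule. The following is an added example, not code from Blue Coat or the article: it scans proxy log lines for WebDAV activity (DAV-only methods such as PROPFIND and MKCOL, the 207 Multi-Status reply, or a WebDAV client user-agent) and flags any such request to a host outside an approved list. The log format, the hostnames and the approved-host list are constructed assumptions for the example; the Windows `Microsoft-WebDAV-MiniRedir` user-agent string is real.

```python
"""Flag WebDAV traffic to unsanctioned hosts in proxy logs.

Added example for the Inception/CloudMe WebDAV C&C pattern. The log format,
hostnames and approved-host list below are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Extension methods that only WebDAV clients send (RFC 4918). PUT/DELETE are
# plain HTTP and common in DAV sessions, so they are caught via the user-agent.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
WEBDAV_AGENT_RE = re.compile(r"WebDAV|DavClnt|davfs|cadaver", re.IGNORECASE)

# Assumption: the organisation sanctions WebDAV only to this internal host.
APPROVED_WEBDAV_HOSTS = {"files.corp.example"}

# Constructed proxy log format: timestamp, client IP, method, URL, status, "user-agent".
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample: one workstation talks WebDAV to an external cloud host,
# another uses the sanctioned internal share.
SAMPLE_LOG = """\
2014-12-10T09:12:01Z 10.1.4.22 GET http://news.example/index.html 200 "Mozilla/5.0"
2014-12-10T09:12:05Z 10.1.4.22 PROPFIND https://dav.cloudstorage.example/u/drop/ 207 "Microsoft-WebDAV-MiniRedir/6.1.7601"
2014-12-10T09:12:06Z 10.1.4.22 PUT https://dav.cloudstorage.example/u/drop/out.bin 201 "Microsoft-WebDAV-MiniRedir/6.1.7601"
2014-12-10T09:13:40Z 10.1.7.9 PROPFIND https://files.corp.example/shares/ 207 "Microsoft-WebDAV-MiniRedir/6.1.7601"
2014-12-10T09:14:02Z 10.1.4.22 GET https://dav.cloudstorage.example/u/drop/cmd.txt 200 "Microsoft-WebDAV-MiniRedir/6.1.7601"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["host"] = (urlsplit(event["url"]).hostname or "").lower()
    return event


def is_webdav(event):
    """True if the request looks like WebDAV: a DAV-only method, a 207
    Multi-Status reply (only DAV servers send it), or a DAV client user-agent."""
    return (
        event["method"] in WEBDAV_METHODS
        or event["status"] == "207"
        or bool(WEBDAV_AGENT_RE.search(event["ua"]))
    )


def find_unauthorised_webdav(log_text):
    """Return one alert per WebDAV request whose destination is not approved."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or not is_webdav(event):
            continue
        if event["host"] in APPROVED_WEBDAV_HOSTS:
            continue
        alerts.append({"src": event["src"], "host": event["host"],
                       "method": event["method"], "url": event["url"]})
    return alerts


def summarise(alerts):
    """Count flagged requests per (client, destination) pair, which is what an
    analyst triages: one client repeatedly talking to one unsanctioned DAV host."""
    return Counter((a["src"], a["host"]) for a in alerts)


if __name__ == "__main__":
    found = find_unauthorised_webdav(SAMPLE_LOG)
    for (src, host), n in summarise(found).items():
        print(f"{src} -> {host}: {n} WebDAV request(s) to unsanctioned host")
```

Keying on the user-agent as well as the method matters: once a DAV session is established, most of the actual file traffic is ordinary GET and PUT, which a rule matching only PROPFIND or MKCOL would miss. A real deployment would also feed the `(src, host)` pairs into a ticket or SIEM rather than printing them.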
Blue Coat added that CloudMe “was very helpful, providing further research, including a great deal of log information related to the attack” and was not currently spreading malicious content; the attackers had only used the service to store their files.
The other key piece to its C&C infrastructure was a network of compromised routers, mostly based in South Korea.
More recently, the attackers behind Inception have developed malware for jailbroken iPhones and Android devices that poses as a WhatsApp update installer package. It relies on social engineering rather than exploiting a software flaw. The BlackBerry malware was delivered as a Java Application Descriptor (JAD) file, the format BlackBerry uses for over-the-air (OTA) installation of Java-based apps.
Depending on the device, the malware collects unique device identifiers, carrier information and activity such as call logs and contacts. To reach potential victims, the attackers devised MMS phishing campaigns through at least 60 mobile networks across the globe.
Rival security firm Kaspersky released its own findings on the malware campaign on Wednesday, but calls the group “Cloud Atlas”.
According to the Russian security vendor, its users were hit by attacks that exploited the RTF flaw (CVE-2014-1761) in August. Blue Coat received its first sample in June 2014 in the form of a document created in May.
Both vendors found that similar attack documents, such as a “diplomatic car for sale” lure, suggest connections to Red October, a malware-espionage campaign thought to have been developed in Russia. Several other attack documents claimed to be news items referring to tensions in Ukraine.
As a targeted campaign, victim counts are very low, with Kaspersky counting a total of 37 machines in its top five list for Cloud Atlas, 15 of them in Russia and 14 in Kazakhstan. Kaspersky adds that in one instance, the only infections the victim had seen in the past two years were Cloud Atlas and Red October.
Both vendors however outline differences between Inception (Cloud Atlas) and Red October.
“The Red October malware contained linguistic markers that pointed towards Russian speaking attackers. No such clues have been found in the Inception related malware; there is a marked difference in the attention to detail and information leakage,” Blue Coat notes in its report.
Kaspersky adds that RedOctober used the RC4 encryption algorithm while Cloud Atlas uses AES.
The Russian company puts the differences down to new geopolitical realities that have emerged in Russia and surrounding nations in the past two years.
“Just like with RedOctober, the top target of Cloud Atlas is Russia, followed closely by Kazakhstan, according to data from the Kaspersky Security Network (KSN). Actually, we see an obvious overlap of targets between the two, with subtle differences which closely account for the geopolitical changes in the region that happened during the last two years,” Kaspersky’s Global Research & Analysis Team wrote.
Kaspersky researchers believe whoever was behind RedOctober has made a “classy return” with Cloud Atlas.
If that is the case, suspicion may be directed towards Russia. However, Blue Coat entertains a number of possibilities when it comes to attributing the malware to a specific nation. There are, according to it, signs of a “Chinese connection” due to Chinese components of the malware, but also indicators that it could have ties to South Korea, India, Ukraine, Russia, the US or UK, and the Middle East.
This article is brought to you by Enex TestLab, content directors for CSO Australia.