Threat actors have been targeting precision engineering companies in Italy with phishing campaigns.
The campaign uses a legitimate-looking Microsoft Excel spreadsheet that carries exploit code rather than a macro, so the victim's computer is infected silently as soon as the file is opened.
In a blog post, security researcher Marco Ramilli explains that the threat actor pretends to be a customer and sends a well crafted email attaching a Microsoft Excel spreadsheet to the victim company.
On October 26, a spear-phishing email coming from “email@example.com” was sent to individuals within the purchasing department of a well-known precision engineering company, requesting an economic proposal.
The spreadsheet contained a list of spare parts identified with real codes, quantities and shipping addresses.
The threat actors did not embed malicious macro code in the Excel file; instead they used an exploit for a remote code execution vulnerability. Once the document is opened the exploit runs automatically, without the user having to click "Enable Content" or take any other action, so the usual macro warning bar never appears.
The vulnerability (CVE-2017-11882) resides in Equation Editor, a legacy Microsoft Office component (EQNEDT32.EXE) that renders equation objects embedded in documents through Object Linking and Embedding (OLE). It is a stack buffer overflow that Microsoft patched in November 2017 and the component was later removed from Office altogether, so the exploit only works on machines that have not applied those updates.
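Because CVE-2017-11882 can only be triggered through an embedded Equation Editor object, a cheap first triage step for an attachment like this one is to check whether the document references that object at all; a customer's spare-parts list has no reason to contain one. The Python script below is an added example, not code from the article or from Ramilli's analysis. It scans an OOXML container (or a legacy OLE compound file) for the Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, in both its binary and textual forms, and for the "Equation.3" ProgID. The `build_sample` helper constructs a minimal spreadsheet-shaped zip in memory for testing; its member names and contents are illustrative, not a real attachment.

```python
import io
import uuid
import zipfile

# Equation Editor 3.0 class identifier. An Equation.3 OLE object carries this
# CLSID in the compound-file directory; OOXML and RTF name it by ProgID.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")

# Signatures searched for in every part of the document.
SIGNATURES = {
    "clsid_bytes": EQNEDT_CLSID.bytes_le,      # GUID as laid out inside OLE
    "clsid_text": str(EQNEDT_CLSID).encode(),  # textual GUID (XML/RTF)
    "progid": b"equation.3",                   # ProgID, matched case-insensitively
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML is a zip container


def _scan_blob(blob: bytes) -> list:
    """Return the names of the signatures present in one part."""
    lowered = blob.lower()
    hits = []
    for name, sig in SIGNATURES.items():
        if name == "clsid_bytes":
            if sig in blob:            # binary GUID: exact bytes only
                hits.append(name)
        elif sig in lowered:           # text forms: case-insensitive
            hits.append(name)
    return hits


def scan_document(data: bytes) -> dict:
    """Map each part that references Equation Editor to the signatures hit.

    OOXML (.xlsx/.docx) keeps embedded OLE objects under */embeddings/ and
    names them by ProgID in the sheet/document XML; legacy .xls/.doc files
    are a single OLE container, so the whole file is scanned as one part.
    Anything else (plain text, PDF, ...) yields no findings.
    """
    findings = {}
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                hits = _scan_blob(zf.read(info))
                if hits:
                    findings[info.filename] = hits
    elif data.startswith(OLE_MAGIC):
        hits = _scan_blob(data)
        if hits:
            findings["<ole container>"] = hits
    return findings


def build_sample(with_equation: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip in memory (constructed test
    data, not a real attachment), optionally carrying an Equation.3 object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        sheet = "<worksheet><sheetData/>"
        if with_equation:
            sheet += ('<oleObjects><oleObject progId="Equation.3" '
                      'r:id="rId1"/></oleObjects>')
            # Fake compound file: header magic, padding, then the CLSID bytes
            # where a real file's directory entry would carry them.
            zf.writestr("xl/embeddings/oleObject1.bin",
                        OLE_MAGIC + b"\x00" * 72 + EQNEDT_CLSID.bytes_le)
        sheet += "</worksheet>"
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_sample(False)),
                       ("equation", build_sample(True))):
        print(label, scan_document(doc))
```

A hit only proves that an Equation Editor object is present, not that it is malicious; the next step is to extract the object and inspect the equation stream, for example with the oletools `oleobj` and `rtfobj` utilities, since the same CLSID also appears in genuine documents with equations.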
“The code execution implements a romantic Drop and Execute code by dropping a Windows PE file from: http[://mail.hajj.zeem.sa/wp-admin/edu/educrety.exe and by running it directly on memory exploiting fileless behavior,” says Ramilli. Because the second stage is never written to disk, file-based antivirus has little to scan; the HTTP download of a .exe from a WordPress path (note the wp-admin directory) is still visible at the network layer, however.
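Both halves of the drop-and-execute step quoted above leave traces in endpoint telemetry even when the payload itself stays in memory: the Equation Editor process has to make an outbound connection to fetch the PE, and it then has to start something to run it. The Python below is an added example, not the article's or Ramilli's code. It assumes Sysmon-style events that have already been parsed into dictionaries; the sample events are constructed to mirror the chain the article describes (the destination hostname is taken from the URL quoted above, the child process path is invented), and the field names follow Sysmon's process-creation (event 1) and network-connection (event 3) records.

```python
# Constructed Sysmon-style events modelling the chain in the article.
# Not real telemetry; paths and the child process name are illustrative.
EQNEDT = (r"C:\Program Files (x86)\Common Files\Microsoft Shared"
          r"\EQUATION\EQNEDT32.EXE")

SAMPLE_EVENTS = [
    # The user opens the spreadsheet: normal.
    {"EventID": 1,
     "Image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Equation Editor is an out-of-process COM server, so DCOM (svchost.exe)
    # launches it rather than EXCEL.EXE. The launch alone is not malicious.
    {"EventID": 1, "Image": EQNEDT,
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Shellcode running inside EQNEDT32.EXE fetches the second stage.
    {"EventID": 3, "Image": EQNEDT,
     "DestinationHostname": "mail.hajj.zeem.sa", "DestinationPort": 80},
    # The second stage being started. Whether the child is a dropped file or
    # a legitimate binary hollowed out for in-memory execution, EQNEDT32.EXE
    # has no legitimate reason to spawn anything.
    {"EventID": 1,
     "Image": r"C:\Users\user\AppData\Local\Temp\stage2.exe",
     "ParentImage": EQNEDT},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_eqnedt_abuse(events):
    """Return (rule, detail) tuples for events indicating Equation Editor abuse.

    Two rules, each with essentially no legitimate hits:
      eqnedt32_network:         event 3 initiated by EQNEDT32.EXE
      eqnedt32_spawned_process: event 1 whose parent is EQNEDT32.EXE
    """
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and _basename(ev.get("ParentImage", "")) == "eqnedt32.exe":
            alerts.append(("eqnedt32_spawned_process", ev["Image"]))
        elif eid == 3 and _basename(ev.get("Image", "")) == "eqnedt32.exe":
            dest = (f"{ev.get('DestinationHostname', '?')}:"
                    f"{ev.get('DestinationPort', '?')}")
            alerts.append(("eqnedt32_network", dest))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect_eqnedt_abuse(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {detail}")
```

Matching on the parent or image name rather than on the Excel process is deliberate: because EQNEDT32.EXE is started through DCOM, rules that look for suspicious children of EXCEL.EXE miss this exploit entirely.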
Ramilli found that the PE was an information stealer that hunts for saved passwords and access tokens and sends them to its command and control (C2) server.
The C2 server is located at “corpcougar.com”; the same server also hosts a phishing kit for Microsoft services.
The fake login page is an exact replica of the original; only the links at the bottom of the page give away that it is not genuine.
The attacks are believed to be the work of a threat actor tracked as “SWEED”, which is also known for using info-stealing malware such as Agent Tesla and LokiBot.
Ramilli wrote: “I did find many similarities, including original attack vectors, the Microsoft Office exploit used, the implementation of LokiBot and victim type, to “SWEED”, so that I believe this attack could also be attributed to the same threat actor.”