South Korean industrial giants slammed in active info-stealing APT campaign
An ongoing cyberespionage campaign against industrial, engineering, and manufacturing organizations has been exposed by researchers.
On Tuesday, CyberX's threat intelligence team, Section 52, said the campaign, likely the work of an advanced persistent threat (APT) group, has so far claimed at least 200 companies as victims.
While the majority of victims are based in South Korea, firms across countries including Japan, Indonesia, Turkey, Germany, Ecuador, and the United Kingdom have been affected.
One victim, although unnamed, is described as a “multi-billion dollar Korean conglomerate that manufactures critical infrastructure equipment,” whereas others have been identified in steel, chemical manufacture, and the engineering sector.
The attack chain begins with crafted phishing emails, a very common technique used by cyberattackers worldwide to try to gain a foothold in corporate networks. The APT sends messages containing “industrial-themed” attachments, according to the researchers, including white papers, power plant schematics, and quote requests for designing facilities such as gas processing and production plants.
To further enhance the credibility of the phishing attempts, victims may also be sent publicly available .PDF files of company profiles.
The attackers masquerade as legitimate companies to lend legitimacy to the emails. The name of a Siemens subsidiary, for example, is one of the genuine businesses that the APT uses as a disguise.
According to Section 52, the campaign is making use of a new version of Separ malware. This credential-stealing malware was first discovered by Sonicwall in 2013; once dropped on a system, it attempts to tamper with the Windows registry, adding keys for persistence, before scanning the machine for credentials to steal.
In this case, Separ is hidden in malicious .ZIP file attachments. In recent campaigns, researchers from Deep Instinct have also recorded the malware buried in fake Adobe-related programs and in .PDF files.
Once unpacked, a set of batch scripts carrying the malicious commands is compiled into an executable using the Quick Batch File Compiler.
Separ makes use of free decryption tools to try to grab passwords from browsers including Firefox, Chrome, and Safari, as well as email account credentials from Gmail, Yahoo, Windows Live, and Hotmail.
The updated version of Separ will also check for files with a range of extensions, including images and Microsoft Office documents, before using a basic FTP connection to send this data to an attacker-controlled domain.
In addition, the malware will run ipconfig to map out network adapters connected to a compromised system and attempts to disable the Windows Firewall.
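As an added illustration (not code from the article or from CyberX), the following Python triage script flags a host when several of the behaviours described above appear together in its process-creation log: a registry Run-key addition for persistence, ipconfig reconnaissance, disabling the Windows Firewall, and an FTP upload. The sample events and the exact command forms (reg add, netsh advfirewall, ftp.exe) are constructed assumptions, since the article does not say how Separ performs these steps.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events, not real telemetry.
# The command forms below are assumed; the article only describes the behaviour.
SAMPLE_EVENTS = [
    {"host": "eng-ws01", "image": r"C:\Users\kim\AppData\Local\Temp\quote_request.exe",
     "cmdline": "quote_request.exe"},
    {"host": "eng-ws01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                r"/v upd /d C:\Users\kim\AppData\Local\Temp\quote_request.exe"},
    {"host": "eng-ws01", "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all"},
    {"host": "eng-ws01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "eng-ws01", "image": r"C:\Windows\System32\ftp.exe",
     "cmdline": r"ftp -s:C:\Users\kim\AppData\Local\Temp\up.txt"},
    # A benign admin workstation that only ran ipconfig; should not be flagged.
    {"host": "admin-ws07", "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all"},
]

# One pattern per behaviour the article attributes to Separ.
BEHAVIOURS = {
    "registry_persistence": re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run", re.I),
    "network_recon": re.compile(r"\bipconfig(\.exe)?\b", re.I),
    "firewall_disable": re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    "ftp_exfil": re.compile(r"\bftp(\.exe)?\b", re.I),
}


def score_hosts(events, threshold=3):
    """Return {host: sorted behaviour names} for hosts showing at least
    `threshold` distinct Separ-like behaviours. Any single behaviour is
    common in normal administration; the combination is the signal."""
    seen = defaultdict(set)
    for ev in events:
        text = ev["image"] + " " + ev["cmdline"]
        for name, pattern in BEHAVIOURS.items():
            if pattern.search(text):
                seen[ev["host"]].add(name)
    return {host: sorted(names) for host, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits)}")
```

Feeding real Sysmon event ID 1 or Windows 4688 records into `score_hosts` only requires mapping their image and command-line fields into the same dictionary shape.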
Presently, the campaign is active and is one of many threats faced by the industrial sector today. As we’ve seen in the past, successful attacks against manufacturers and providers of critical services and utilities can not only be devastating for the victim itself, but also the communities they serve.
“Credentials can provide attackers with remote RDP access to IoT/ICS networks, while plant schematics help adversaries understand plant layouts in order to facilitate attacks,” the researchers say. “The campaign may also be intended to steal proprietary information about industrial equipment designs, which can then be sold to competitors and nation-states seeking to advance their competitive posture.”