SECURITY OUTFIT Bitdefender has uncovered a new high-level spear-phishing attack targeting political figures and senior business users.
Dubbed 'Inexsmar', the attack appears to be operated by the DarkHotel group, which has been perpetrating similar threats since 2007.
DarkHotel attacks often merge whaling with malware and other threat avenues, with both attacker and victim on the same (hotel) WiFi network. Inexsmar is slightly different, in both its targets and payload delivery mechanism. Bitdefender has dated its samples back to September 2016, but it has dated samples with a high level of similarity to April 2011.
Liviu Arsene, a senior e-threat analyst at Bitdefender, told INQ: "The new attack vector involves carefully-crafted spear-phishing emails... where the use of legitimate names and email address is supposed to convince victims of the email's legitimacy.
"When executed, the attachment actually displays a valid document, so as not to raise any suspicion from the victim, while malware is installed in the background. This is why the current campaign is a major departure from [DarkHotel's] approach, in which the attacker would have to share the same Wi-Fi as its victim."
The dummy document that Arsene mentions is called ‘Pyongyang Directory Group email SEPTEMBER 2016 RC_Office_Coordination_Associate.docx'.
Various tasks are undertaken in the background, with the aim of determining if the host computer is a valid target. If it is not, the malware stops functioning; otherwise, the malware installs the full payload by contacting the C2 server.
The DarkHotel group has traditionally targeted senior business users, such as CEOs, developers and corporate researchers, who can access sensitive company information like intellectual property and source code. Vectors like zero day exploits, stolen or factored digital certificates and layered encryption for samples are a few of the attack methods the group has used in the past.
BitDefender writes: "We presume that this method of pairing social engineering with a multi-stage Trojan downloader is also an evolutionary step to keep [DarkHotel's] malware competitive as their victims' defences improve.
"This approach serves their purpose much better as it both assures the malware stays up to date via system persistence - not achievable directly using an exploit - and gives the attacker more flexibility in malware distribution (the domains don't have to be up all the time - not achievable directly using an exploit).'
BitDefender's whitepaper goes into more detail on the attack. µ
You no longer need to cut the cord off
Before they start shipping on 24 October
Another fine mesh
But, er, it'll be available in pink