Siesta cyber espionage campaign targets many industries
Posted on 07 March 2014.
Trend Micro researchers have uncovered yet another cyber espionage campaign targeting a wide variety of industries including energy, finance, security and defense, and healthcare.


Dubbed "Siesta" on account of the periods of dormancy the delivered malware is ordered to enter at regular intervals, the campaign starts with malicious emails delivered to the target company's executives.

The "From" email address is spoofed to make it look like the email was sent by another company employee, and the message contains a malicious link that the recipient is urged to follow.

"The attacker serves the archive under a URL path named after the target organization's name (http://{malicious domain}/{organization name}/{legitimate archive name}.zip)," the researchers noted, and the downloaded file contains an executable masquerading as a PDF document.

"When executed, it drops and opens a valid PDF file, which was most probably taken from the target organization's website. Along with this valid PDF file, another malicious component is also dropped and executed in the background," they explained.

This malicious component is a backdoor Trojan that connects to (short-lived) C&C servers at previously defined intervals and downloads additional malicious files from a specified URL.
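A defender-side check for the lure described above, added here as an example and not code from Trend Micro or this article: it inspects each archive member's leading bytes instead of trusting its name, so an executable posing as a PDF is flagged whatever it is called. The sample archive and its file names are constructed for the demonstration.

```python
"""Flag archive members that are Windows executables, including ones posing as documents."""
import io
import zipfile

PE_MAGIC = b"MZ"      # DOS/PE header that every Windows executable begins with
PDF_MAGIC = b"%PDF-"  # what a genuine PDF begins with
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
EXEC_EXTS = {"exe", "scr", "com"}


def name_poses_as_document(name: str) -> bool:
    """True if the name reads as a document: a document extension, or a document
    extension hidden before a trailing executable one ('report.pdf.exe')."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return False
    exts = parts[1:]
    if exts[-1] in DOCUMENT_EXTS:
        return True
    return exts[-1] in EXEC_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1])


def scan_archive(archive_bytes: bytes) -> list:
    """Return (member name, label) for every member whose bytes are a PE file.

    Label is 'masquerade' when the name also poses as a document (the Siesta
    pattern), 'executable' for any other PE found in the archive.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the magic bytes are needed
            if not head.startswith(PE_MAGIC):
                continue  # real PDFs (%PDF-) and plain files fall through here
            label = "masquerade" if name_poses_as_document(info.filename) else "executable"
            findings.append((info.filename, label))
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure archive: a genuine-looking decoy PDF plus two PE stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("Survey February 2014.pdf.exe", b"MZ\x90\x00 constructed stub")
        zf.writestr("readme.txt", b"plain text, not a program")
        zf.writestr("setup.exe", b"MZ\x90\x00 constructed stub")
    return buf.getvalue()
```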

Different malware variants are used in the various campaigns, but they behave the same. Another thing that points to them all having been launched by the same attacker(s) is the fact that the different C&C servers and domains were all registered by the same registrant (under different names, but with the same email address: xiaomao{BLOCKED}@163.com).

"This individual also recently registered 79 additional domains. There are a total of roughly 17,000 domains registered with this same email address," the researchers discovered, and this obviously points to a concerted effort.

The researchers didn't say which organizations (or in which countries) were hit, and have refrained from sharing the full filenames and hashes of the malicious files delivered, as the investigation is still ongoing.

They made only one exception, and said that one of the malicious executables was named Questionaire Concerning the Spread of Superbugs February 2014.exe - I'm guessing this was used in a campaign targeting healthcare organizations.
