Diplomats and military personnel in India have
been victimized in targeted espionage attacks that use a number of means of
infection including phishing and watering hole sites.
Researchers at Proofpoint this week published a
report on Operation Transparent Tribe, which was ongoing as of Feb. 11
when Proofpoint uncovered live attacks against Indian diplomats operating in
embassies in Saudi Arabia and Kazakhstan. Proofpoint found IP addresses in
Pakistan involved in the attacks, which involved an elaborate network of
watering hole websites and multiple phishing email campaigns.
The sustained campaign, Proofpoint said, was
designed to let attackers drop a remote access Trojan it calls
MSIL/Crimson. The Trojan had a variety of data exfiltration functions,
including access to laptop cameras, screen capture functionality and
keylogging.
Kevin Epstein, VP of the threat operations center
at Proofpoint, told Threatpost that uncovering nation-state cyber espionage is
one thing, but being able to expose it as it is happening is rare.
“This is a multi-year and multi-vector campaign
clearly tied to state sponsored espionage,” he said. “In the world of crimeware,
you rarely see this type of complexity. A nation state using multiple vectors,
that’s significant.”
Hacking has become an increasingly popular and
effective weapon in geopolitical conflicts, Epstein said. Groups with ties to
most major powers are increasingly using targeted attack campaigns for
political and competitive advantage and as a way to perpetrate attacks on
critical infrastructure.
Epstein said that typically security analysts
only get wind of past campaigns that offer limited insight into pieces of the
attack puzzle. With this recent discovery, he said, Proofpoint was able to
identify all aspects of the campaign as it was being carried out.
“This was an elaborate advanced persistent
threat that required setting up multiple websites, multiple registrations, a
build-out of full content sites and hosting sites,” Epstein said.
One attack vector included email attachments
carrying weaponized RTF documents that exploited the four-year-old CVE-2012-0158
Microsoft ActiveX vulnerability and
dropped an embedded, encoded portable executable.
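The vector described above, an RTF attachment whose embedded OLE object carries a portable executable, can be screened for at the mail gateway. The following is an added illustration, not code from Proofpoint or from the article: it decodes every hex-encoded `\objdata` stream in an RTF and checks whether any of them contains an MZ header whose `e_lfanew` field points at a valid `PE\0\0` signature. The RTF samples and the PE stub are constructed here for the test and are not real malware.

```python
import re

# Hex payload following a \objdata control word, up to the closing brace.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)", re.IGNORECASE)

def extract_objdata(rtf: bytes) -> list:
    """Decode every hex-encoded \\objdata stream in an RTF document."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) - len(hexstr) % 2]  # drop odd trailing nibble
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs

def looks_like_pe(blob: bytes) -> bool:
    """True if blob holds an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    start = 0
    while (idx := blob.find(b"MZ", start)) != -1:
        if idx + 0x40 <= len(blob):
            e_lfanew = int.from_bytes(blob[idx + 0x3C: idx + 0x40], "little")
            pe_off = idx + e_lfanew
            if blob[pe_off: pe_off + 4] == b"PE\0\0":
                return True
        start = idx + 1          # MZ may also occur as ordinary data; keep scanning
    return False

def rtf_embeds_pe(rtf: bytes) -> bool:
    """Flag an RTF whose embedded object data contains a PE image."""
    return any(looks_like_pe(b) for b in extract_objdata(rtf))

# --- constructed sample data (not real malware) -------------------------
def fake_pe_stub() -> bytes:
    """Minimal DOS header with e_lfanew = 0x40 followed by a PE signature."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\0\0" + b"\0" * 20

def make_rtf(payload: bytes) -> bytes:
    """Wrap payload in a made-up OLE1-style prefix inside an RTF \\objdata stream."""
    ole_prefix = b"\x01\x05\x00\x00\x02\x00\x00\x00"
    return (rb"{\rtf1\ansi{\object\objemb{\*\objdata "
            + (ole_prefix + payload).hex().encode() + rb"}}\par text}")

MALICIOUS_RTF = make_rtf(fake_pe_stub())
BENIGN_RTF = make_rtf(b"just a harmless embedded blob")
```

Because the article says the dropped executable was encoded, a further encoding layer over the object data (for example a simple XOR) would defeat this signature check, so in practice it belongs alongside detonation or a policy that quarantines any RTF carrying an `\objdata` stream at all.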
“MSIL/Crimson is a logical extension of
existing malware. This discovery is less about the bits and bytes of a specific
malware,” Epstein said.
MSIL/Crimson, Epstein said, is a stealthy
package of exploits. After successful exploitation and decoding of the embedded
payload, MSIL/Crimson will be executed on the victim’s machine. The first stage
in infection is a downloader whose purpose is to download the more fully
featured remote access Trojan component, he said.
Other attack vectors for MSIL/Crimson included
fake blogs and news websites that contained links to malicious payloads via text
and image hyperlinks and desirable files that contained MSIL/Crimson.
“These were sites that generated content that
was designed to interest people in the armed forces,” Epstein said. “The
attackers used topical and original content compelling enough to entice readers
to share stories, links and downloads with others in the armed services.”
In its analysis of MSIL/Crimson, Proofpoint
wrote: “Many of the campaigns and attacks appear related by common IOCs,
vectors, payloads, and language, although the exact nature and attribution
associated with this advanced persistent threat remains under investigation.”