Fishing for a juicy target
“Clearly, there’s some level of value a user must meet before being deemed worthy of another payload. And while recent activity appears financially motivated, some historic activity overlaps with what we call TA866 suggests an espionage focus, too,“ Proofpoint said.
In terms of the threat actors origins, the researchers told SC Media that there are artifacts observed in the attack chain, including Russian language in the code and work hours analysis that align with a typical 9-to-5 workday in time zones that include Russia, as well as other countries. However, Proofpoint said these factors alone are not enough to associate with high confidence to a state sponsor or geography.
John Bambenek, principal threat hunter at Netenrich, added that at its core, a phishing email that ultimately delivers malware isn’t a new technique, but in recent years, even cybercriminals are investing in the level of research that previously was only done by APTs. Bambenek said attackers know the more precise their techniques and tools are, the more likely they are to achieve significant financial results.
“Certainly email protection is important, especially to vendors that follow a chain of events after an email,” Bambenek said. “Attackers just aren’t emailing .exe’s so getting malware on a victim is a multi-step process and each step represents its own opportunity for protection.”
Proofpoint added that for a compromise to succeed, a user has to click on a malicious link and, if successfully filtered, interact with a JavaScript file to download and run additional payloads. “Organizations should educate end users about this technique and encourage users to report suspicious emails and other activities,” said the researchers.
www.proofpoint.com
