Napping Malware Espionage Campaign

Monday, March 10, 2014 @ 06:03 PM gHale


Researchers have detected another cyber espionage campaign targeting industries including energy, finance, security and defense, and healthcare.

Dubbed “Siesta” because the delivered malware is ordered to enter periods of dormancy at regular intervals, the campaign starts with malicious emails sent to the target company’s executives.


The “From” address is made to look as though the email came from another employee of the same company, and the message contains a malicious link that the victim is urged to follow.

“The attacker serves the archive under a URL path named after the target organization’s name (http://{malicious domain}/{organization name}/{legitimate archive name}.zip),” the researchers said, and the downloaded file contains an executable masquerading as a PDF document.

“When executed, it drops and opens a valid PDF file, which was most probably taken from the target organization’s website. Along with this valid PDF file, another malicious component is also dropped and executed in the background,” they said.
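Two of the traits described above, the lure URL path named after the target organization and the dropped executable posing as a PDF, are easy to check for on the defender's side. The following is an added example, not code from the original report or the researchers; the proxy log format, host names, organization name and file contents are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Siesta-style lure path: /<organization name>/<legitimate archive name>.zip
ARCHIVE_PATH = re.compile(r"^/(?P<org>[^/]+)/(?P<file>[^/]+\.zip)$", re.IGNORECASE)

# Constructed (hypothetical) proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def flag_lure_downloads(log_lines, org_name, trusted_hosts):
    """Return (client_ip, url) for successful ZIP downloads whose URL path is
    named after org_name and whose host is not one the organization controls."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        client, url, status = m.group(2), m.group(4), m.group(5)
        parsed = urlparse(url)
        path = ARCHIVE_PATH.match(parsed.path)
        if not path or status != "200":
            continue
        if path.group("org").lower() != org_name.lower():
            continue
        if parsed.hostname in trusted_hosts:
            continue  # archive served from a host the organization owns
        hits.append((client, url))
    return hits


def is_pe_masquerading_as_pdf(filename, header):
    """True when the name suggests a PDF (e.g. report.pdf or report.pdf.exe)
    but the leading bytes are a Windows PE ("MZ") header, not "%PDF"."""
    pdf_like = ".pdf" in filename.lower()
    return pdf_like and header[:2] == b"MZ"


# Constructed sample log lines (not real indicators); .test is a reserved TLD.
SAMPLE_LOG = [
    "2014-03-10T09:01:02Z 10.1.2.3 GET http://www.example-corp.test/acme-corp/brochure.zip 200",
    "2014-03-10T09:02:11Z 10.1.2.4 GET http://cdn.attacker.test/acme-corp/annual-report.zip 200",
    "2014-03-10T09:03:40Z 10.1.2.5 GET http://cdn.attacker.test/acme-corp/annual-report.zip 404",
    "2014-03-10T09:04:09Z 10.1.2.6 GET http://other.test/other-org/report.zip 200",
]

if __name__ == "__main__":
    for client, url in flag_lure_downloads(SAMPLE_LOG, "acme-corp", {"www.example-corp.test"}):
        print(f"possible lure download by {client}: {url}")
```

The host allowlist matters: the researchers note the archive name itself is legitimate, so the only reliable signals are the foreign host and the path naming convention, not the file name.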

This malicious component is a backdoor Trojan that connects to short-lived C&C servers at predefined intervals and downloads additional malicious files from a specified URL.

Different malware variants are used across the various campaigns, but they behave the same way. Another indication that they were all launched by the same attacker(s) is that the various C&C servers and domains were all registered by the same registrant (under different names, but with the same email address: xiaomao{BLOCKED}@163.com).

“This individual also recently registered 79 additional domains. There are a total of roughly 17,000 domains registered with this same email address,” the researchers found, which clearly points to a concerted effort.

The researchers did not say which organizations (or in which countries) were hit, and have refrained from sharing the full filenames and hashes of the malicious files delivered, as the investigation is still ongoing.
