Targeted Emails Use Security Vendor’s Name

Wednesday, December 14, 2011 @ 03:12 PM gHale


A group of attackers focused on the chemical industry has launched a new series of attacks using malware-laden emails that purport to come from security vendor Symantec.

The group’s original campaign, dubbed the Nitro attacks, ran from July through September. The attackers typically send emails carrying a variant of the Poison Ivy backdoor, tailored to each targeted company.


Despite being outed by Symantec in an October report, the gang didn’t give up on its plans and, in fact, stuck to many of its techniques.

“The same group is still active, still targeting chemical companies, and still using the same social engineering modus operandi,” security researchers from Symantec said.

“That is, they are sending targets a password-protected archive, through email, which contains a malicious executable,” they added.

The notable aspect of the new attacks is that they use Symantec’s own report to trick victims. One intercepted email appeared to come from Symantec’s technical support department and warned recipients that many computers in their enterprise had been infected with Poison Ivy.

The rogue messages say Symantec released a special removal tool to help its customers scan their systems. Attached is a 7-Zip archive called the_nitro_attackspdf.7z, which contains a malicious executable and a copy of Symantec’s original report on Nitro.

“The attackers, in an attempt to lend some validity to their email, are sending a document to targets that describes their very own activity,” Symantec said. The executable file is a new variant of Poison Ivy that connects to a command-and-control (C&C) server hosted by the same provider used in the previous attacks.
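The lure described above has a recognizable shape at the mail gateway: an archive attachment whose filename is dressed up to look like a document (the “pdf” stuffed into the_nitro_attackspdf.7z), carrying an executable alongside a decoy PDF, and, per Symantec, password-protected so the contents cannot be scanned. The following Python is an added illustration of triaging attachments for that pattern; it is not code from Symantec or from the article. The sample messages, sender addresses and payloads are constructed inline, and the 7z payload is only the format’s magic bytes plus filler, not a real archive. It goes beyond the 7-Zip case in the text by also looking inside zip containers, which the standard library can read, to flag executable or encrypted members.

```python
"""Attachment triage for the archive-with-executable lure described above.

Added illustrative example, not code from Symantec or the article. All sample
messages and payloads below are constructed; FAKE_7Z is magic bytes plus
filler and is not a valid 7z archive.
"""
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Leading bytes of common archive containers.
ARCHIVE_MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
}
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|js|vbs|dll)$", re.I)
# Document-type tokens that have no business in an archive's name stem,
# e.g. "the_nitro_attackspdf.7z" or "report.pdf.zip".
DOC_TOKENS = re.compile(r"(pdf|docx?|xlsx?|pptx?)", re.I)


def archive_type(data: bytes):
    """Return the container type by magic bytes, or None."""
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def suspicious_name(filename: str) -> bool:
    """True when an archive's name stem is made to look like a document."""
    stem = filename.rsplit(".", 1)[0]
    return bool(DOC_TOKENS.search(stem))


def inspect_zip(data: bytes):
    """List executable and encrypted members of a zip container."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for zi in zf.infolist():
                if zi.flag_bits & 0x1:  # general-purpose bit 0: encrypted entry
                    findings.append(f"encrypted member {zi.filename}")
                if EXECUTABLE_EXT.search(zi.filename):
                    findings.append(f"executable member {zi.filename}")
    except zipfile.BadZipFile:
        findings.append("unreadable zip container")
    return findings


def triage(raw: bytes):
    """Parse an RFC 822 message and return human-readable findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        kind = archive_type(data)
        if kind is None:
            if EXECUTABLE_EXT.search(name):
                findings.append(f"{name}: bare executable attachment")
            continue
        findings.append(f"{name}: {kind} archive")
        if suspicious_name(name):
            findings.append(f"{name}: document-like name on an archive")
        if kind == "zip":
            findings.extend(f"{name}: {f}" for f in inspect_zip(data))
        else:
            # 7z/rar members cannot be listed with the standard library, and a
            # password-protected archive defeats content scanning regardless,
            # so the container type and name heuristics are what the gateway has.
            findings.append(f"{name}: contents not inspectable, treat as opaque")
    return findings


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed message resembling the fake vendor alert (addresses are fake)."""
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Poison Ivy removal tool"
    msg.set_content("Please run the attached removal tool.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return bytes(msg)


FAKE_7Z = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 64  # constructed: magic only


def zip_with_exe() -> bytes:
    """Constructed zip: an executable plus a decoy PDF, like the Nitro archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("removal_tool.exe", b"MZ" + b"\x00" * 32)
        zf.writestr("the_nitro_attacks.pdf", b"%PDF-1.4 decoy")
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage(build_sample("the_nitro_attackspdf.7z", FAKE_7Z)):
        print(line)
    for line in triage(build_sample("update.zip", zip_with_exe())):
        print(line)
```

The name heuristic is deliberately narrow (document extensions embedded in an archive’s stem) to keep false positives down; the encrypted-member check only applies to zip, since 7z headers are themselves compressed and need a third-party parser to read. Neither check replaces sandboxing the executable; they are what can be decided when the archive’s contents are locked behind a password sent in the same email.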

The fake Symantec alert is not the only lure this gang is using. Other malicious emails that are part of the same campaign claim to originate from Adobe Systems and contain a fake upgrade for Adobe Reader.

Symantec managed to take down the domain name used by the new C&C server and alerted the hosting provider. However, given the determination shown by these attackers so far, it’s unlikely that the Nitro attacks will stop.

The group’s primary goal is to steal domain administrator credentials, as well as to gain access to systems that store intellectual property.


