Exploit Kit Targets Energy Sector

Friday, March 14, 2014 @ 03:03 PM gHale

A new advanced persistent threat (APT) is hitting the energy sector with remote access tools and intelligence gathering malware.

The latest attack, which hit between February 24 and 26, began as a compromise of a third-party law firm with an energy law practice, Thirty Nine Essex Street LLP, according to a Zscaler blog post by Chris Mannon.

Late last year, in a similar attack, bad guys targeted the energy sector with remote access tools and intelligence gathering malware.

In the latest attack, the compromised site sends the victim on to a second site, where the browser's user-agent string shows up in the URL field, according to the Mannon post. This passes diagnostics to the attacker so the malicious package matching the victim's system can be delivered. Administrators should treat this pattern as a point of identification in their logs, since it may indicate an attack on the network.

There are several other locations in the logs that show similar activity related to this threat.
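The log indicator described above, a request whose URL echoes the browser's own user-agent string, followed by a file fetch from the same host, is something a defender can hunt for in web-proxy logs. The following is an added example, not code from the Zscaler post or from the article: the log format (timestamp, client IP, method, URL, quoted User-Agent) is an assumption, and the log lines and hostnames are constructed for illustration. It flags requests that carry the request's own User-Agent (URL-decoded) or a UA-shaped token in the URL, then flags a later JAR download from any host that received such an echo.

```python
"""Hunt web-proxy logs for requests that hand the browser's User-Agent back
to a site in the URL, the diagnostic hand-off described in the article.

Added example only; the log layout is assumed and the sample lines are
constructed. Field order: timestamp client method url "user-agent".
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log lines (not real traffic). Line 2 echoes the UA into
# a query string, line 3 fetches a JAR from that same host, line 4 is a benign
# intranet search that merely contains the word "Mozilla".
SAMPLE_LOG = """\
2014-02-24T10:01:12Z 10.1.2.3 GET http://www.example-lawfirm.test/index.html "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/33.0 Safari/537.36"
2014-02-24T10:01:13Z 10.1.2.3 GET http://redirect.example.invalid/check.php?ua=Mozilla%2F5.0%20(Windows%20NT%206.1)%20AppleWebKit%2F537.36%20Chrome%2F33.0%20Safari%2F537.36 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/33.0 Safari/537.36"
2014-02-24T10:01:15Z 10.1.2.3 GET http://redirect.example.invalid/payload/x.jar "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/33.0 Safari/537.36"
2014-02-24T10:02:00Z 10.1.2.4 GET http://intranet.example.test/search?q=Mozilla+history "Mozilla/5.0 (Windows NT 6.1) Trident/7.0"
"""

# One proxy log line: timestamp, client, method, URL, quoted User-Agent.
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Tokens that look like pieces of a browser or Java User-Agent string.
UA_TOKEN_RE = re.compile(r'Mozilla/\d|AppleWebKit/|Trident/|Gecko/|Java/1\.')


def parse_line(line):
    """Split one log line into a dict, or return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def url_carries_user_agent(rec):
    """Return a reason string if the URL path or query carries a User-Agent.

    Checks first for the request's own UA (after URL-decoding), then for any
    UA-shaped token, so a UA planted from a different source is still caught.
    """
    parts = urlsplit(rec["url"])
    decoded = unquote_plus(parts.path) + "?" + unquote_plus(parts.query)
    if rec["ua"] and rec["ua"] in decoded:
        return "echoes own User-Agent"
    if UA_TOKEN_RE.search(decoded):
        return "UA-like token in URL"
    return None


def scan(log_text):
    """Return (timestamp, client, host, reason) tuples for suspicious lines.

    A host that received a UA echo is remembered so that a later .jar fetch
    from it is reported as part of the same chain.
    """
    findings = []
    echo_hosts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        host = parts.hostname
        reason = url_carries_user_agent(rec)
        if reason:
            echo_hosts.add(host)
            findings.append((rec["ts"], rec["client"], host, reason))
        elif host in echo_hosts and parts.path.lower().endswith(".jar"):
            findings.append((rec["ts"], rec["client"], host,
                             "JAR fetched from host that received UA echo"))
    return findings


if __name__ == "__main__":
    for ts, client, host, reason in scan(SAMPLE_LOG):
        print(f"{ts} {client} {host}: {reason}")
```

The benign fourth line is deliberately not flagged: the token pattern requires a version fragment such as `Mozilla/5`, so ordinary search terms containing "Mozilla" do not trip it. In a real deployment the host set should be keyed per client as well, and the same check can be pointed at the transaction logs the article recommends monitoring.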

The LightsOut exploit kit performs several diagnostic checks on the victim’s machine to make sure it can exploit it. This includes checking the browser and plugin versions.

Ultimately, a payload is delivered from the exploit kit, which attempts to drop a malicious JAR file exploiting CVE-2013-2465, Mannon said in the post. At the time of research, the binary file was no longer available, which suggests that the attack window has now closed for this particular watering hole. However, other security sources tell us the site used in the attack is also a known HAVEX RAT CnC, Mannon said.

The activity of this threat originating from a site in the energy sector should serve as a warning to those in the targeted industry.

Prior research from other sources said the attackers are highly motivated and agile. Their motive is to gather intelligence for further attacks, so make sure to monitor transaction logs for suspicious activity.
