Sophisticated Malware Attack Launched via Fake SEC Emails

Researchers have detected a targeted attack that uses a combination of novel techniques to deploy PowerShell malware. The infection starts with malicious documents distributed through phishing emails that masquerade as messages from the U.S. Securities and Exchange Commission (SEC).

The recent attack, reported by researchers from Cisco Systems’ Talos division, is part of a larger malicious campaign known as DNSMessenger because it infects systems with malware that establishes stealthy communications via DNS TXT records. The Talos researchers first documented DNSMessenger in March, but the attacks have evolved significantly since then.

The latest phishing campaign consists of rogue email messages crafted to appear as if they originated from the SEC’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system.

The SEC recently announced that a data breach of its EDGAR system in 2016 provided hackers with nonpublic information that might have enabled illegal trading. EDGAR is used by publicly traded corporations to file 1.7 million disclosures per year.

The use of EDGAR-related phishing emails might be an attempt by the DNSMessenger attackers to capitalize on the recently publicized data breach, since companies might believe the messages are related to that incident.

The rogue emails contain Microsoft Word documents that use a novel technique to execute malicious code on computers. The common methods of embedding malware into Word documents are to use macros or OLE objects. However, the DNSMessenger documents abuse a Word feature called Dynamic Data Exchange (DDE).

“This technique has recently been publicized following a Microsoft decision that this functionality is a feature by design and will not be removed,” the Talos researchers said. “We are now seeing it actively being used by attackers in the wild, as demonstrated in this attack.”

When the malicious DNSMessenger documents are opened, Word notifies users that they contain links to other files and asks for permission to update the documents with data from those other files. If the user agrees, the documents attempt to download and execute a malicious PowerShell script. According to the Talos researchers, at one point this script was hosted on a Louisiana state government website that was likely compromised and used for this purpose.
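As an added defensive example (not from the article or from Talos), the following Python scanner flags DDE/DDEAUTO field codes inside a .docx, joining field-code text that Word spreads across several runs; the sample document, the placeholder path and the helper names are constructed for illustration.

```python
"""Added example: scan a .docx for the DDE/DDEAUTO field codes described above.
Hypothetical helper code, not Talos tooling; the sample .docx is constructed."""
import io
import re
import zipfile

# Word splits a field code across many <w:instrText> runs, so the runs belonging
# to one field (everything after its fldChar "begin") are joined before matching.
INSTR_TEXT = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLD_SIMPLE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"')
# Field names are case-insensitive and may be padded with spaces or quotes.
DDE_FIELD = re.compile(r'^[\s"]*DDE(AUTO)?\b', re.I)

def dde_fields_in_xml(xml: str) -> list[str]:
    """Return every DDE field code found in one WordprocessingML part."""
    complex_fields = ["".join(INSTR_TEXT.findall(seg))
                      for seg in re.split(r'w:fldCharType="begin"', xml)[1:]]
    codes = complex_fields + FLD_SIMPLE.findall(xml)
    return [c.strip() for c in codes if DDE_FIELD.match(c)]

def scan_docx(data: bytes) -> dict[str, list[str]]:
    """Map each word/*.xml part of a .docx to the DDE field codes it contains."""
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                found = dde_fields_in_xml(zf.read(name).decode("utf-8", "replace"))
                if found:
                    hits[name] = found
    return hits

def build_sample_docx(field_code: str) -> bytes:
    """Constructed minimal .docx (not a real sample) whose one field code is
    split across two instrText runs, as Word itself often stores fields."""
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
           'wordprocessingml/2006/main"><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           f'<w:r><w:instrText xml:space="preserve">{field_code[:4]}</w:instrText></w:r>'
           f'<w:r><w:instrText xml:space="preserve">{field_code[4:]}</w:instrText></w:r>'
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>x</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder target path (constructed); a benign TIME field is the control.
    print(scan_docx(build_sample_docx(' DDEAUTO "C:\\placeholder\\app.exe" "arg"')))
    print(scan_docx(build_sample_docx('TIME \\@ "HH:mm"')))
```

Any hit is worth quarantining for analysis, since legitimate documents almost never carry DDE fields; the scan can be run over mail attachments before delivery.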

The malware attack has multiple stages, most of them consisting of PowerShell scripts. Infection persistence is achieved by adding code directly into the Windows registry and by creating scheduled tasks. Before establishing a bidirectional communication channel with a command-and-control server over DNS, the malware attempts to extract the serial numbers of the compromised systems from their BIOS/UEFI.

“This attack shows the level of sophistication that is associated with threats facing organizations today,” the Talos researchers said. “Attackers often employ multiple layers of obfuscation in an attempt to make analysis more difficult, evade detection and prevention capabilities, and continue to operate under the radar by limiting their attacks to only the organizations that they are targeting.”

North Korean Hackers Are Targeting U.S. Electric Companies

Security firm FireEye warns that hackers likely affiliated with the North Korean government launched phishing attacks against electric companies in the United States last month. While the phishing campaign was likely part of a reconnaissance effort, North Korean hackers are known to have launched destructive attacks in the past, such as those against Sony Pictures Entertainment in 2014 or South Korean banks in 2013.

“We have not observed suspected North Korean actors using any tool or method specifically designed to compromise or manipulate the industrial control systems (ICS) networks that regulate the supply of power,” the FireEye researchers said in a blog post. “Furthermore, we have not uncovered evidence that North Korean linked actors have access to any such capability at this time.”

That said, North Korea is likely to continue targeting companies from the energy sector in the United States and its allies in an attempt to show strength and as a means of deterring potential war, the FireEye researchers believe. They warn that North Korean hackers are bold and have little concern about being discovered.

In 2014, computers at South Korean nuclear plants were infected with data-wiping malware that was attributed to North Korean hackers, but the attack did not result in any damage. Rather, the attackers’ goal was most likely to instill fear and embarrass the South Korean government, the FireEye researchers said.

The recent phishing campaign is part of a rising trend of hackers targeting the energy sector and electrical grids in general. In September, security researchers from Symantec warned that a sophisticated cyberespionage group known as Dragonfly that attacked energy companies from Europe and North America might have gained the capability to sabotage critical systems. FireEye has also been tracking more than 20 hacker groups suspected to be sponsored by at least four other nation-states and which have attempted to gain access to energy sector systems that could be used to cause disruptions.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
