Wily ‘Clandestine Fox’ Changes Attack Tools and Vectors to Snare Victims


Security researchers at FireEye are warning that the group behind the targeted attack campaign “Operation Clandestine Fox” is now using different tools and threat vectors to increase its chances of infiltrating victims’ networks.

The APT specialist first revealed the group’s existence back in April, when it uncovered a zero-day exploit targeting Internet Explorer versions IE9 to IE11. It said at the time: “They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure.”
 
FireEye then revealed a few days later that Operation Clandestine Fox was aiming a new version of the attack specifically at unsupported Windows XP machines running IE8; Microsoft, however, acted quickly to release an emergency patch for those users.
 
Tuesday’s post from the security vendor reveals that the group is now blending social media with email-based social engineering techniques to trick users into downloading malware hidden in an attachment.
 
Focusing on one particular employee at an energy company, FireEye investigators discovered that a contact called “Emily” had befriended him on social media. “She” exchanged numerous messages with him over a three-week period, culminating in “her” sending him a malware-laden email containing her “resume”.
 
“Working our way backwards, we reviewed ‘Emily’s’ social network profile and noticed a few strange aspects that raised some red flags,” wrote senior threat analyst Mike Scott in the blog post.
 
“For example, ‘her’ list of contacts had a number of people from the victim’s same employer, as well as employees from other energy companies; ‘she’ also did not seem to have many other ‘friends’ that fit ‘her’ alleged persona. ‘Her’ education history also contained some fake entries.”
 
After conducting more research, it emerged that “Emily” had contacted other employees from the same company and asked them various suspicious questions, including who the IT manager was and what versions of software they ran.
 
In most of these cases, the attackers used the targeted employees’ personal rather than work email addresses, either because they were less well protected than corporate email systems or because they were more likely to be linked to social media accounts, Scott explained.
 
FireEye detected the malware in that first email attachment as Backdoor.APT.CookieCutter, the same variant of the “Pirpi” family the group had used before. It also beaconed to the same command and control domain, “inform[.]bedircati[.]com”, seen previously.
 
However, in another email sent by the group that FireEye obtained, a similar-looking RAR attachment actually contained a completely different backdoor, detected as Backdoor.APT.Kaba (aka PlugX/Sogu).
 
Kaba is not a particularly unusual piece of malware, but its use highlights the group’s agility and willingness to change attack tools, according to FireEye.
 
“Unfortunately, it is very common for users to let their guard down when using social networks or personal email, since they don’t always treat these services with the same level of risk as their work email,” warned Scott.
 
“As more companies allow their employees to telecommute, or even allow them to access company networks and/or resources using their personal computers, these attacks targeting their personal email addresses pose significant risk to the enterprise.”