On Monday, April 20, Raytheon and Websense announced a new venture, outlining the defense industry contractor’s planned acquisition of 80% of the internet security firm. By Thursday, April 23, emails with the subject “Welcome to join Raytheon!” started landing in Websense employee mailboxes, signaling the kickoff of an ambitious attack.
Grammatically suspect subject line aside, the messages carried a concerning payload: a malicious file hidden inside a fake Kaspersky installation program, which when executed loads malware.
According to a Websense blog, the method known as DLL side-loading (or pre-loading); the malicious library file evades AV detection, and it’s only the program execution itself that summons the malware. Advanced persistent threats (APT) such as Deep Panda have used this technique successfully, including for the breach of Anthem earlier this year.
“Breaking news of any kind spurs threat actors and scammers into action,” Websense noted. “From capitalizing on good will and subverting charitable intentions after a humanitarian crisis, to getting ahead of legitimate communication in the wake of corporate announcements, the race to exploit, extort, and elicit is a sprint and not a marathon.”
Fortunately, in the rush to establish a foothold and attract as many targets as possible, the emails were “a bit unpolished” as Websense noted, and contained some very obvious clues as to their lack of provenance. In addition to the subject line, a lack of footer, formatting or branding, and the fact that there was also no information about the company, its leadership, benefits changes or the announced joint venture, nor anything one might expect of a letter welcoming new employees to a defense industry leader on the S&P 500, in the body of the message.
Ultimately, the attack was largely unsuccessful, but Websense pointed out that it serves as an object lesson to never underestimate the brazenness of bad actors.
“In corporations, a time of transition—such as a merger, sale, or acquisition—is often one of interest,” Websense said. “It takes chutzpah to target an internet security company, but when opportunity knocks, you answer.”