Researchers at Blue Coat Labs in California have discovered a malware what they call ‘Inception’ which first targeted diplomats and government organizations in Russia and later spread to other countries.
“A previously undocumented attack framework” is being used to launch highly targeted attacks to gain access to, and extract confidential information from, victims’ computers, according to Blue Coat.
Targets include individuals in strategic positions, executives in important businesses such as oil, finance and engineering, military officers, embassy personnel and government officials.
The Inception attacks began by focusing on targets primarily located in Russia or related to Russian interests, but have since spread to targets in other locations around the world. The preferred malware delivery method is via phishing emails containing trojanized documents, the study added.
Blue Coat Lab researchers have recently found that the attackers have also created malware for Android, BlackBerry and iOS devices to gather information from victims, as well as seemingly planned MMS phishing campaigns to mobile devices of targeted individuals.
To date, Blue Coat has observed over 60 mobile providers such as China Mobile, O2, Orange, SingTel, T-Mobile and Vodafone, included in these preparations, but the real number is likely far higher, Blue Coat explains in a statement.
Initial malware components have, in all cases that Blue Coat has observed, been embedded in Rich Text Format (RTF) files. Exploitation of vulnerabilities in this file format is leveraged to gain remote access to victim’s computers. These files are delivered to the victim via phishing emails with exploited Word documents attached.
When the user clicks on the attachment, a Word document is displayed to avoid arousing suspicion from the user while malicious content stored inside the document in encoded form writes to their disk. Unusual for many exploit campaigns, the names of the dropped files vary and have been clearly randomized in order to avoid detection by name.
The malware gathers system information from the infected machine, including OS version, computer name, user name, user group membership, the process it is running in, locale ID’s, as well as system drive and volume information. All of this system information is encrypted and sent to cloud storage via WebDAV.
The framework is designed in such a way that all communication after malware infection (i.e. target surveying, configuration updates, malware updates, and data exfiltration) can be performed via the cloud service.
Initially, attacks campaigns seemed to be largely focused on Russia and a few other Eastern European countries. However, Blue Coat has also seen attacks on targets in other countries across the globe including India and the Middle East.
While information about targets is limited, Blue Coat researchers have uncovered a number of phishing emails highlighting industry targets.