A spear phishing attack hit security consultancy Digital Bond.
The email addressed a Digital Bond employee by name and came from an account that appeared to belong to Dale Peterson, the company’s founder and chief executive. According to a blog post published late last week, the message referred to a paper Peterson co-authored in 2009 and asked the employee to click on a Web link that led to a compressed file stored on a compromised server.
Malicious code in the file installs a remote backdoor on the victim’s machine. At the time, only seven of 42 antivirus products detected it, which suggests the Trojan had not circulated widely before it was aimed at Digital Bond. The attackers presumably targeted the firm to tap its employees’ expertise in the security of industrial control systems (ICS).
“I’d like to think that all Digital Bond employees are savvy and clever enough to detect these attacks, but of course that would be false bravado. Some of these spear phishing attacks are amazingly clever,” Peterson said in response to an initial story. “This one though had a fatal flaw. It was sent to an employee that does project work for Digital Bond — not full time. He was not on a project, so the email was forwarded to me — the purported sender of the email. Obviously I knew I did not send it or have that email address.”
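The flaw Peterson describes is exactly the kind of thing a mail gateway can check mechanically: the display name matched a known executive, but the underlying address was not one the company had ever issued him, and the link pointed at a compressed file on an outside host. The following is an added example, written for this page and not code from Digital Bond or from the original article, that applies those three checks to a raw message. The company domain, the executive's real address, the free-mail sender address and the hostname in the sample lure are all constructed placeholders, not the addresses or domains from the actual attack.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Identities the check trusts. In production these come from the directory;
# here they are constructed placeholders (assumption, not from the article).
COMPANY_DOMAIN = "example.test"
KNOWN_SENDERS = {
    "dale peterson": {"dale@example.test"},
}
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".gz", ".tgz", ".cab")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample lure modelled on the attack described above: the CEO's
# name as display name, a sender address outside the company domain, and a
# link to a compressed file on an outside host. None of these addresses or
# hostnames are from the real incident.
SAMPLE_EML = """\
From: Dale Peterson <dale.peterson@freemail.example>
To: consultant@example.test
Subject: Re: our 2009 paper
Content-Type: text/plain; charset="utf-8"

Can you look over the updated draft before I circulate it?
http://research.compromised.example/files/draft.zip

Dale
"""


def analyze(raw: str) -> list[str]:
    """Return a list of findings for a raw RFC 5322 message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Executive impersonation: a known display name paired with an
    #    address that is not one of that person's known addresses.
    name, addr = parseaddr(msg.get("From", ""))
    key, addr = name.strip().lower(), addr.lower()
    expected = KNOWN_SENDERS.get(key)
    if expected is not None and addr not in expected:
        findings.append(f"from: display name '{name}' is a known sender but "
                        f"address {addr} is not one of {sorted(expected)}")

    # 2. Reply-To steering replies to an address other than the From address.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"reply-to: {reply_to} differs from from: {addr}")

    # 3. Links to compressed files hosted outside the company domain.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        external = host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN)
        if external and parsed.path.lower().endswith(ARCHIVE_EXTS):
            findings.append(f"link: archive {parsed.path.rsplit('/', 1)[-1]} "
                            f"on external host {host}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("FLAG", finding)
```

Run against the sample, the script raises two findings: the impersonated display name and the archive link on an outside host. Swapping the sender address for the executive's real one clears the first finding but still flags the link, which is the point: the checks are independent, so a lure that gets one detail right still trips on the others.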
“It’s a bit concerning that a company whose sole focus is securing industrial control systems should be spear phished,” wrote Reid Wightman, another Digital Bond researcher. “The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server.”
The remote access Trojan, hosted on the compromised server research.digitalvortex.com, creates a backdoor that funnels data from infected machines to a second domain, hint.happyforever.com. It bears similarities to malware seen in Operation Shady Rat, a five-year espionage campaign discovered last year that targeted at least 14 countries. The similarities include the use of encoded commands hidden in otherwise normal-looking webpages and an overlap in the command-and-control servers used in the two attacks.
Like other advanced persistent threats, the attack relied on custom-designed exploits and email to target specific individuals. The employee who received the email didn’t click on the link.