My friend Cesar Cerrudo, CTO at IOActive Labs, sent me a message last night about a new spear-phishing campaign that’s targeting universities, government contractors and security companies. Here’s a look at some of the analysis they’ve done so far.

According to IOActive researcher Ruben Santamarta, the company Digital Bond first noticed it was a target a few days ago.

“An employee received an email linking to a malicious zip file, posing as a legitimate .pdf paper related to industrial control systems security. Therefore, the bait used by the attackers was supposedly attracting targets somehow involved with the ICS community,” Santamarta wrote in a blog post. “During these days, Jaime Blasco from AlienVault and I have been monitoring the situation, finally uncovering a broader ongoing campaign which is targeting US defense contractors, universities, and security companies. Moreover, this attack has strong similarities with other campaigns which were successfully compromising important US targets.”

The attack starts with the victim receiving what looks like your typical .pdf file. In reality, it’s a RAR SFX file that, once executed, shows the advertised paper but also drops and runs malware. From there, Santamarta outlines the following actions:

This new executable is in charge of calling home to receive orders from the C&C server located at hxxp://1.234.1.68. By using the characteristics found in these files, we were able to identify similar files, almost identical except for 2 main differences:

· File names used to deliver the malicious payload.
· IP addresses for C&C and downloaders.

Thus, we identified several compromised servers containing the following files ready to be deployed. The name clearly exposes the different kind of victims this group is targeting.
These files contain either an icon folder or a .doc/.pdf icon in order to trick the target into double-clicking the malicious file.

Targets include such entities as DOD contractor NJVC, the Chertoff Group, Carnegie Mellon University, Purdue University and the University of Rhode Island.

AlienVault Labs has additional attack details on its site, saying, among other things, that “The attackers were using a pdf document related to ICS (Industrial Control Systems) security as a lure to compromise potential targets within the ICS community.”

Here’s the statement Digital Bond put on its website:

UPDATE: Added picture of email text

Digital Bond recently had a nice little spear phishing attempt, from an email account registered to look like Dale, to a Digital Bond employee. The attack linked to a probably-malicious .zip file based upon an old research paper that we published. There are no AV signatures for the payload. It was a one-shot deal: the nameserver for the domain used in the attack is located on a compromised box.

It’s a bit concerning that a company whose sole focus is securing industrial control systems should be spear phished. The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server. It is likely that the perpetrator also compromised a second server to serve up the malicious file goodness (the domain server is in Philadelphia, PA for the interested, and may or may not have hosted the malicious file as well). The DNS records have been updating constantly since we began investigating. Thankfully the attack was unsuccessful — paranoia pays off.
It is definitely a lesson in ‘be careful what you open’… even if it looks to be coming from Digital Bond (or your boss, as in this case), don’t open a file if you aren’t expecting it…

DP Update – I added the email below. It is text I have written before and I believe the file title is from a paper that Daniel Peck and I wrote for S4 2009. The file that was linked was a .zip. The only thing that was unbelievable was the signature of just “Peterson”.
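A defender-side check for the delivery trick described in the IOActive analysis above (a Windows executable built as a RAR SFX, named and iconed to pass for a .pdf or .doc paper and delivered inside a zip). This is example code added here, not code from IOActive, AlienVault or Digital Bond; the sample zip, its member names and the keyword list are constructed for the demonstration.

```python
import io
import zipfile

# File-type markers used by the check.
PE_MAGIC = b"MZ"            # Windows executable (PE) header
RAR_MAGIC = b"Rar!\x1a\x07"  # prefix shared by RAR 4.x and 5.x archive signatures
PDF_MAGIC = b"%PDF"
# Constructed list of words that make an executable's name look like a document lure.
DOC_LIKE_WORDS = ("report", "paper", "staff", "speech", "doc", "pdf")


def classify_entry(name, data):
    """Return findings for one archive member: executables, SFX stubs, lookalike names."""
    findings = []
    lower = name.lower()
    if data.startswith(PE_MAGIC):
        findings.append("executable")
        if RAR_MAGIC in data:
            # A PE carrying a RAR signature is a self-extracting archive (RAR SFX).
            findings.append("rar-sfx")
        if not lower.endswith(".exe") or any(w in lower for w in DOC_LIKE_WORDS):
            findings.append("document-lookalike-name")
    elif lower.endswith(".pdf") and not data.startswith(PDF_MAGIC):
        findings.append("extension-mismatch")
    return findings


def scan_zip_bytes(zip_bytes):
    """Scan every member of an in-memory zip; map flagged names to their findings."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            found = classify_entry(info.filename, zf.read(info.filename))
            if found:
                results[info.filename] = found
    return results


def build_sample_zip():
    """Constructed sample: one benign PDF plus an SFX dropper with a report-like name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("whitepaper.pdf", b"%PDF-1.4\n%constructed benign sample\n")
        zf.writestr("Quarterly_Report.exe",
                    b"MZ" + b"\x00" * 62 + b"sfx-stub" + RAR_MAGIC + b"\x00" + b"payload")
    return buf.getvalue()


if __name__ == "__main__":
    for name, found in scan_zip_bytes(build_sample_zip()).items():
        print(name, "->", ", ".join(found))
```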