Published on July 8th, 2019
Entirely new malware, SilentTrinity, attacks Croatian government
According to security researchers at Positive Technologies, a secretive hacker group has targeted, and possibly infected the systems of, Croatian government employees between February and April this year.
Inside the malicious document are commands that create a Visual Basic script that, when run, establishes a WebDAV network connection and downloads and runs the file for the next stage of infection with the help of the legitimate system utility regsvr32. Researchers said that parts of the script may be borrowed from third-party sources.
The macro script, if enabled by the victim, would download and install malware. The first malware downloaded was the Empire Backdoor, which enables remotely controlling a victim's computer and is part of the Empire Framework post-exploitation framework.
Researchers said that the attack is fileless and does not require disk space: dependencies, scripts, and tasks all reside in RAM. All C2 traffic is encrypted with AES, including the archive with dependencies, tasks, and command output.
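The chain described above ends with a signed, legitimate Windows utility (regsvr32) fetching the next stage over a WebDAV connection, which is why process-creation telemetry rather than file scanning is the practical place to catch it. The following is an added example, not code from the article or from Positive Technologies: it inspects process-creation events for regsvr32 launches whose command line names a URL or UNC path and raises the severity when the parent is an Office application or script host. The events are constructed for the example, and the field names (Image, CommandLine, ParentImage) follow Sysmon's Event ID 1 by assumption.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# A URL or a UNC path (\\host\share\...) anywhere in the command line.
# Local drive paths such as C:\... start with a single backslash and do not match.
REMOTE_ARG = re.compile(r"(?i)(?:https?://\S+|\\\\\S+)")

# Parents that have no ordinary reason to launch regsvr32 (assumed list;
# tune it to the environment's baseline).
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}

# Constructed sample events in Sysmon Event ID 1 style.
SAMPLE_EVENTS = [
    {   # benign: an installer registering its own COM component from disk
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\comp.dll"',
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # suspicious: script host hands regsvr32 a UNC (WebDAV-style) path
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s \\dav.lookalike.test\share\stage.dll",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
    },
    {   # suspicious: Word launches regsvr32 with an http argument
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s http://cdn-lookalike.test/stage",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # worth a look, lower confidence: remote path but an ordinary parent
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s \\fileserver.corp.example\apps\legacy.dll",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # not in scope of this rule: a different image
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript.exe C:\Users\user\AppData\Local\Temp\run.vbs",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
]


@dataclass
class Finding:
    parent: str      # parent image basename, lower-cased
    remote_arg: str  # the URL or UNC path that triggered the rule
    severity: str    # "high" or "medium"


def basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def inspect_event(event: dict) -> Optional[Finding]:
    """Return a Finding if this event is regsvr32 with a remote argument."""
    if basename(event.get("Image", "")) != "regsvr32.exe":
        return None
    match = REMOTE_ARG.search(event.get("CommandLine", ""))
    if not match:
        return None
    parent = basename(event.get("ParentImage", ""))
    severity = "high" if parent in SUSPICIOUS_PARENTS else "medium"
    return Finding(parent=parent, remote_arg=match.group(0), severity=severity)


def scan(events: Iterable[dict]) -> List[Finding]:
    """Apply inspect_event to a stream of events, keeping only hits."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity}] regsvr32 from {finding.parent} -> {finding.remote_arg}")
```

The rule deliberately keys on the remote argument rather than on a specific download syntax, so it survives minor changes to the script; the parent check is what separates a noisy "medium" from an alert-worthy "high", and the benign installer case shows why the rule must not fire on regsvr32 alone.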
They added that the domain names used in the attack were chosen to resemble those of legitimate sites.
"Such names would presumably arouse less suspicion among phishing targets. Not all the impersonated domains related to Croatia," said researchers.
"All attacker domains were registered with WhoisGuard privacy protection. Ordinarily used to protect domain owners from spam by hiding personal information, this feature helped the attackers to remain anonymous."
"Traces were discovered on multiple Croatian government systems. According to the press release, the victims received emails with links to a phishing site. There they were prompted to download a malicious document, which was the jumping-off point of our analysis," said researchers.
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that while this attack has malware embedded in a document, it is largely reliant on being able to trick users into clicking the phishing link to the document as well as having macros enabled to automatically run.
"This is why user awareness training plays such an important role in preventing phishing and other social engineering attacks from being successful," he said.
Stuart Sharp, global director of solution engineering at OneLogin, told SC Media UK that as phishing becomes increasingly sophisticated, businesses should urgently upgrade the security of core applications and administrative accounts by introducing more modern forms of 2FA like WebAuthn, which leverages device-based encryption to prevent even advanced malware and man-in-the-middle phishing attacks.
"WebAuthn is popular with end users because it requires no password and allows them to utilise biometric sensors like fingerprint scanning and facial recognition that they already use to unlock their phones," he said.
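The phishing resistance Sharp refers to comes from origin binding: the browser, not the page, records the origin it actually loaded in clientDataJSON, the authenticator signs over that data, and the relying party refuses any assertion whose origin is not its own. The following is an added illustration of that check, not code from the article, OneLogin or KnowBe4, and it is deliberately stdlib-only: the credential's private key is simulated with an HMAC key that the relying party also holds (a real authenticator uses an asymmetric key pair and the server keeps only the public half), and the hostnames are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

RP_ID = "portal.example"                            # constructed relying-party id
RP_ORIGIN = "https://portal.example"                # the only origin this RP accepts
PHISH_ORIGIN = "https://portal-example.lookalike"   # constructed look-alike site


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class Assertion:
    client_data_json: bytes
    authenticator_data: bytes
    signature: bytes


class Authenticator:
    """Stand-in for a security key. credential_key replaces the private key
    (HMAC for a stdlib-only demo; real authenticators sign asymmetrically)."""

    def __init__(self) -> None:
        self.credential_key = secrets.token_bytes(32)

    def sign(self, rp_id: str, client_data_json: bytes) -> Assertion:
        # authenticatorData begins with sha256(rpId); flags and the signature
        # counter are reduced to fixed bytes for the example.
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        sig = hmac.new(self.credential_key, to_sign, hashlib.sha256).digest()
        return Assertion(client_data_json, auth_data, sig)


def browser_get_assertion(auth: Authenticator, page_origin: str, challenge: bytes) -> Assertion:
    """The browser writes the origin it actually loaded into clientDataJSON;
    page script cannot override it. (Real browsers also refuse an rpId that is
    not a suffix of that origin; omitted so the RP-side check is exercised.)"""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    return auth.sign(RP_ID, json.dumps(client_data).encode())


class RelyingParty:
    def __init__(self, credential_key: bytes) -> None:
        self.credential_key = credential_key   # stored at registration
        self.pending = set()                   # challenges issued but not yet consumed

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, a: Assertion) -> bool:
        cd = json.loads(a.client_data_json)
        challenge = b64url_decode(cd.get("challenge", ""))
        if cd.get("type") != "webauthn.get" or challenge not in self.pending:
            return False                       # unknown or already-used challenge
        self.pending.discard(challenge)        # single use
        if cd.get("origin") != RP_ORIGIN:
            return False                       # signed on another origin: relayed login
        if a.authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False                       # credential scoped to a different rpId
        expected = hmac.new(self.credential_key,
                            a.authenticator_data + hashlib.sha256(a.client_data_json).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, a.signature)


def legitimate_login() -> bool:
    auth = Authenticator()
    rp = RelyingParty(auth.credential_key)
    return rp.verify(browser_get_assertion(auth, RP_ORIGIN, rp.new_challenge()))


def relayed_phishing_login() -> bool:
    """A look-alike site forwards the RP's genuine challenge to the victim and
    relays the assertion back. It was signed over PHISH_ORIGIN, so it fails."""
    auth = Authenticator()
    rp = RelyingParty(auth.credential_key)
    return rp.verify(browser_get_assertion(auth, PHISH_ORIGIN, rp.new_challenge()))


def replayed_assertion_login() -> bool:
    """A captured assertion cannot be submitted a second time."""
    auth = Authenticator()
    rp = RelyingParty(auth.credential_key)
    a = browser_get_assertion(auth, RP_ORIGIN, rp.new_challenge())
    return rp.verify(a) and rp.verify(a)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed:", relayed_phishing_login())
    print("replayed:", replayed_assertion_login())
```

Contrast this with a one-time code typed into a look-alike page: nothing in that code identifies where it was entered, so a relay succeeds. Here the origin check is the server-side control that the relying party fully owns, which is why the quoted advice targets administrative and core-application logins first.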