Study shows attackers used malicious Microsoft Office documents, PowerShell scripts, and various techniques to make it difficult to detect and analyze their malware – including steganography
In early 2020, a series of targeted attacks on industrial organizations in various regions was reported. According to the latest Kaspersky ICS CERT findings, these hits were focused on systems in Japan, Italy, Germany and the UK.
The list of targets included suppliers of equipment and software for industrial enterprises. Research has shown that attackers used malicious Microsoft Office documents, PowerShell scripts, and various techniques to make it difficult to detect and analyze their malware – including steganography, a data-hiding technique that conceals the very existence of the hidden information.
Targeted attacks on industrial facilities naturally attract attention from the cybersecurity community: they are sophisticated and focused on the types of companies that are of critical value. Any disruption to the operations of such companies could lead to various unwanted consequences, from successful industrial espionage to extensive financial losses.
The examined series of attacks was no exception. Phishing emails, used as the initial attack vector, were tailored to the language of each specific victim. The malware used in this attack performed destructive activity only if the operating system had a localization that matched the language used in the phishing email. For example, in the case of an attack on a company from Japan, the text of the phishing email and the Microsoft Office document containing a malicious macro were written in Japanese. Also, to successfully decrypt the malware module, the operating system had to have a Japanese localization as well.
Closer analysis has shown that attackers used the Mimikatz utility to steal the authentication data of Windows accounts stored on a compromised system. This information can be used by attackers to gain access to other systems within the enterprise network and expand the attack further. A particularly dangerous situation is when attackers get access to accounts that have domain administrator rights.
In all detected cases, the malware was blocked by Kaspersky security solutions, which prevented the attackers from continuing their activity. As a result, the ultimate goal of the criminals remains unknown.
To reduce the risks of being attacked, industrial organizations are advised to:
- Train employees on how to work with email securely and, in particular, how to identify phishing emails.
- Restrict the execution of macros in Microsoft Office documents.
- Restrict execution of PowerShell scripts (if possible).
- Pay particular attention to PowerShell process startup events initiated by Microsoft Office applications. Restrict programs from receiving SeDebugPrivilege privileges (if possible).
- Install a security solution for corporate endpoints such as Kaspersky Endpoint Security for Business, with the ability to centrally manage security policies, and maintain up-to-date antivirus databases and software modules for security solutions.
- Use security solutions for OT endpoints and networks such as KICS for Nodes and KICS for Networks to ensure comprehensive protection for all industry-critical systems.
- Use accounts with domain administrator rights only when necessary. After using such accounts, restart the system where authentication was performed.
- Implement a password policy with requirements for the level of complexity and regular password changes.
- Upon an initial suspicion that systems are infected, perform an antivirus check and force password changes for all accounts that were used to log in on compromised systems.
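As an added example (not part of the Kaspersky ICS CERT report), the following Python detection logic implements the recommendation above on constructed process-creation records: it flags PowerShell whose parent, or an ancestor within a few hops, is a Microsoft Office application, so that an Office -> cmd.exe -> powershell.exe chain is caught as well as a direct launch. Field names mirror Sysmon Event ID 1; the Office install path, GUIDs and command lines are assumed sample values.

```python
"""Flag PowerShell whose process ancestry (up to MAX_HOPS levels) leads back to a
Microsoft Office application. Fields follow Sysmon Event ID 1; samples are constructed."""
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
MAX_HOPS = 3  # parent levels to inspect above the PowerShell process
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"  # assumed install path
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()

def office_ancestor(event: dict, by_guid: dict, max_hops: int = MAX_HOPS):
    """Return the Office parent image name if one sits within max_hops, else None."""
    current = event
    for _ in range(max_hops):
        parent_name = basename(current["ParentImage"])
        if parent_name in OFFICE_APPS:
            return parent_name
        current = by_guid.get(current["ParentProcessGuid"])
        if current is None:  # parent not in the collected log window
            return None
    return None

def detect(events: list) -> list:
    """Return (UtcTime, office_parent, CommandLine) for each suspicious launch."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["Image"]) in POWERSHELL:
            parent = office_ancestor(e, by_guid)
            if parent:
                alerts.append((e["UtcTime"], parent, e["CommandLine"]))
    return alerts

def _ev(t, guid, image, pguid, pimage, cmd=""):
    return {"UtcTime": t, "ProcessGuid": guid, "Image": image,
            "ParentProcessGuid": pguid, "ParentImage": pimage, "CommandLine": cmd}

# Constructed sample: Word -> cmd.exe -> PowerShell (two hops), Excel -> PowerShell
# directly, and an administrator starting PowerShell from Explorer (benign).
SAMPLE_EVENTS = [
    _ev("2020-01-15 09:00:01", "{A}", OFFICE16 + r"\WINWORD.EXE", "{E}", r"C:\Windows\explorer.exe"),
    _ev("2020-01-15 09:00:07", "{B}", r"C:\Windows\System32\cmd.exe", "{A}", OFFICE16 + r"\WINWORD.EXE"),
    _ev("2020-01-15 09:00:08", "{C}", PS_EXE, "{B}", r"C:\Windows\System32\cmd.exe", "powershell -File doc.ps1"),
    _ev("2020-01-15 09:05:00", "{D}", PS_EXE, "{E}", r"C:\Windows\explorer.exe", "powershell"),
    _ev("2020-01-15 09:10:00", "{F}", OFFICE16 + r"\EXCEL.EXE", "{E}", r"C:\Windows\explorer.exe"),
    _ev("2020-01-15 09:10:03", "{G}", PS_EXE, "{F}", OFFICE16 + r"\EXCEL.EXE", "powershell -File sheet.ps1"),
]
```

Calling `detect(SAMPLE_EVENTS)` returns two alerts (the Word chain via cmd.exe and the direct Excel launch) and ignores the shell started from Explorer; in production the events would come from a SIEM export of Sysmon or Windows 4688 process-creation logs.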