Back at the beginning of November, Symantec researchers published a report on a spear-phishing campaign that used a backdoor Trojan to systematically target companies in the chemical and military industries.
The campaign was code-named Nitro and is thought to have been run by Chinese attackers: several of the C&C domains the backdoor was instructed to contact resolved to IP addresses tied to an individual in the Chinese province of Hebei, and attacks that aim to exfiltrate R&D and manufacturing information are believed to fit an established Chinese pattern. Neither indicator is conclusive on its own, since C&C hosting and registration details are easy to falsify.
I guess the researchers hoped that once those details were made public, the attackers would be forced to change tack – if not stop altogether.
But, as it turns out, the orchestrators of the campaign carried on undaunted with the same approach: emails carrying the malware as an attachment inside a password-protected archive (which a mail gateway scanner cannot open without the password), and even the same hosting provider for their command and control servers.
The one thing that changed is the subject of the emails. Some say the attached file is an “Adobe update”, others offer “Safety Tips”, but one variant has clearly been designed in part to mock the researchers: it is titled “Symantec Security Warning!” and supposedly contains information about new anti-virus software offered by the security firm.
“The attachment archive contains a file called ‘the_nitro_attackspdf .exe’. (The large gap between the ‘pdf’ and ‘.exe’ is a basic attempt to fool a user into assuming that the document is a PDF, when it is really a self-extracting archive.)” explain the researchers. “When the self-extracting executable runs, it creates a file called lsass.exe (Poison Ivy) and creates a PDF file. This PDF file is none other than our own Nitro Attacks document! The attackers, in an attempt to lend some validity to their email, are sending a document to targets that describes their very own activity.”
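The two disguises described above, a document-looking name padded with whitespace before the real `.exe` extension and a dropped binary borrowing the name of a Windows system process, are easy to check for on a mail gateway or an endpoint. The following is an added example written for this page, not code from Symantec or from the article; it generalizes the padding trick to the plain double extension (`report.pdf.exe`) and to the Unicode right-to-left override, and the sample file names, the 30-space gap reconstructed for the Nitro name, the extension lists and the process-name list are all constructed assumptions, not data from the report.

```python
"""Heuristics for the attachment tricks described above.

Added example, not Symantec's code. It flags attachment names that
disguise an executable as a document (the "pdf <spaces> .exe" trick,
the "report.pdf.exe" double extension and, as a generalization, the
Unicode right-to-left override) and dropped files that borrow a Windows
system-process name such as lsass.exe from outside the system directory.
"""
import re
from typing import List

# Assumed lists; extend them to taste.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "hta", "msi", "cpl"}
DOCUMENT_TOKENS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf")
# Unicode bidi controls; U+202E (right-to-left override) is the one abused
# to make "invoice\u202efdp.exe" render as "invoiceexe.pdf".
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e", "\u200e", "\u200f"}
# Process names malware likes to borrow; lsass.exe is the one on this page.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe",
                        "services.exe", "smss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def attachment_name_findings(name: str) -> List[str]:
    """Return the disguise indicators found in an attachment file name."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-override")
    # Evaluate the name as stored, not as a bidi-aware UI would render it.
    stored = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    stem, dot, ext = stored.rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTS:
        return findings
    findings.append("executable-extension")
    # Whitespace (spaces, tabs, NBSP) between the visible stem and ".exe"
    # pushes the real extension out of a narrow attachment column.
    if re.search(r"\s$", stem):
        findings.append("whitespace-padded-extension")
    # The visible stem ends in a document extension, either as a real
    # double extension ("report.pdf.exe") or fused into the stem
    # ("the_nitro_attackspdf").
    if stem.rstrip().lower().endswith(DOCUMENT_TOKENS):
        findings.append("document-lookalike-stem")
    return findings


def is_disguised_executable(name: str) -> bool:
    """True when the name is an executable wearing a document disguise."""
    findings = attachment_name_findings(name)
    return "executable-extension" in findings and len(findings) > 1


def masquerading_system_binary(path: str) -> bool:
    """True when a file carries a system-process name but lives outside the
    Windows system directories, as Poison Ivy dropped as lsass.exe would."""
    norm = path.replace("/", "\\").lower()
    directory, _, base = norm.rpartition("\\")
    if base not in SYSTEM_PROCESS_NAMES:
        return False
    return not any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)


# Constructed sample: the page's file name with its gap reconstructed as
# 30 spaces, a few related disguises, and two benign attachments.
SAMPLE_ATTACHMENTS = [
    "the_nitro_attackspdf" + " " * 30 + ".exe",
    "Adobe_update.pdf.exe",
    "Safety_Tips\u202efdp.scr",
    "Symantec_Security_Warning.pdf",
    "setup.exe",
]
SAMPLE_DROPPED_PATHS = [
    r"C:\Users\bob\AppData\Local\Temp\lsass.exe",   # constructed drop path
    r"C:\Windows\System32\lsass.exe",               # the genuine binary
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name!r}: {attachment_name_findings(name) or ['clean']}")
    for path in SAMPLE_DROPPED_PATHS:
        print(path, "-> masquerading" if masquerading_system_binary(path) else "-> ok")
```

The name check deliberately works on the stored byte order rather than the rendered string, so the override characters are reported as a finding of their own instead of being resolved first. The path check is only a first filter: a legitimate `lsass.exe` is never started from a user's temp directory, but a file with an unremarkable name can still be Poison Ivy, so pair it with the usual process-ancestry and network checks.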
Symantec has done what it can to protect its own and other users: it blocks the offending emails through its cloud email scanning service and has contacted the hosting providers of the domains hosting the C&C servers, which have been taken down.