Siesta cyber espionage campaign targets many industries

Trend Micro researchers have uncovered yet another cyber espionage campaign targeting a wide variety of industries including energy, finance, security and defense, and healthcare.

Dubbed “Siesta” on account of the periods of dormancy the delivered malware is ordered to enter at regular intervals, the campaign starts with malicious emails delivered to the target company’s executives.

The “From” email address is spoofed to make it look like the email was sent by another company employee, and the message contains a malicious link that the recipient is urged to follow.

“The attacker serves the archive under a URL path named after the target organization’s name (http://{malicious domain}/{organization name}/{legitimate archive name}.zip),” the researchers noted, and the downloaded file contains an executable masquerading as a PDF document.

“When executed, it drops and opens a valid PDF file, which was most probably taken from the target organization’s website. Along with this valid PDF file, another malicious component is also dropped and executed in the background,” they explained.
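The archive-and-decoy technique described above is easy to screen for at the mail gateway or in a sandbox: a member whose bytes start with a PE header but whose name ends in a document extension, or a double extension such as `.pdf.exe`, should never appear in a "document" archive. The following is an added example (not code from Trend Micro or from the original article); the archive it inspects is constructed inline, and the member names are invented.

```python
import io
import zipfile

# Constructed magic-byte table; only the three signatures this example needs.
MAGIC = {
    b"MZ": "pe",          # Windows PE executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def classify_magic(head: bytes) -> str:
    """Map the first bytes of a file to a coarse type, 'unknown' if no match."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def inspect_member(name: str, head: bytes) -> list:
    """Return the reasons an archive member looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    exts = base.split(".")[1:]          # all extensions after the base name
    last = exts[-1] if exts else ""
    kind = classify_magic(head)
    if kind == "pe":
        if last in EXEC_EXTS:
            reasons.append("PE executable inside a document archive")
        else:
            # Content is a PE, but the name claims otherwise (icon-spoof style).
            reasons.append(f"PE header but extension {last or '(none)'!r}")
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{last}")
    return reasons


def suspicious_members(zip_bytes: bytes) -> dict:
    """Inspect every file in a zip; return {member name: [reasons]} for hits."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)       # enough for the signatures above
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a real decoy PDF plus two executables posing as PDFs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report.pdf", b"%PDF-1.4\n%decoy\n")
        zf.writestr("Questionnaire Feb 2014.pdf.exe", b"MZ" + b"\x90" * 60)
        zf.writestr("Summary.pdf", b"MZ" + b"\x00" * 40)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_archive()).items():
        print(member, "->", "; ".join(why))
```

Reading only the first few bytes of each member keeps this cheap enough to run on every inbound archive; a real deployment would extend the magic table and also catch the `.exe`-with-PDF-icon case by flagging any PE at all in mail attachments, as the first rule above does.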

This malicious component is a backdoor Trojan that connects to (short-lived) C&C servers at predefined intervals and downloads additional malicious files from a specified URL.
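Fixed-interval callbacks like the ones described here leave a signature in proxy or firewall logs even when the C&C domain itself is new and short-lived: the gaps between a host's requests to one destination are almost identical. The following beaconing detector is an added example (not from the original article or the researchers); the log format and the sample lines are constructed, and the hostnames are placeholders.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format: "<ISO timestamp> <src ip> <dst host> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<path>\S+) (?P<status>\d+)$"
)

# Constructed sample: one host beaconing every ~30 min, plus ordinary traffic.
SAMPLE_LOG = """\
2014-02-20T09:00:00 10.1.1.25 example-c2.invalid /index.php 200
2014-02-20T09:00:07 10.1.1.25 cdn.example.org /app.js 200
2014-02-20T09:05:00 10.1.1.25 mail.example.org /owa 200
2014-02-20T09:05:10 10.1.1.25 mail.example.org /owa 200
2014-02-20T09:15:10 10.1.1.25 mail.example.org /owa 200
2014-02-20T09:15:55 10.1.1.25 mail.example.org /owa 200
2014-02-20T09:30:01 10.1.1.25 example-c2.invalid /index.php 200
2014-02-20T10:00:00 10.1.1.25 example-c2.invalid /index.php 200
2014-02-20T10:05:55 10.1.1.25 mail.example.org /owa 200
2014-02-20T10:06:07 10.1.1.25 mail.example.org /owa 200
2014-02-20T10:30:02 10.1.1.25 example-c2.invalid /index.php 200
2014-02-20T10:41:13 10.1.1.25 cdn.example.org /app.js 200
2014-02-20T11:00:01 10.1.1.25 example-c2.invalid /index.php 200
2014-02-20T11:29:59 10.1.1.25 example-c2.invalid /index.php 200
"""


def parse_log(text: str) -> dict:
    """Group request timestamps (epoch seconds) by (source, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip lines that do not parse
        ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc)
        events[(m["src"], m["dst"])].append(ts.timestamp())
    return events


def find_beacons(text: str, min_events: int = 5, max_cv: float = 0.1) -> dict:
    """Flag (src, dst) pairs whose inter-request gaps are nearly constant.

    The coefficient of variation (stdev / mean of the gaps) is close to zero
    for a timer-driven implant and large for human-driven browsing.
    """
    flagged = {}
    for pair, stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue                      # too few samples to judge
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            flagged[pair] = {"count": len(stamps),
                             "mean_interval_s": mean,
                             "cv": cv}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['count']} hits, "
              f"every {info['mean_interval_s']:.0f}s (cv={info['cv']:.4f})")
```

The thresholds are a starting point, not a rule: implants that randomise their sleep (or that are ordered into long dormancy, as this family is) raise the coefficient of variation, so a production version would also look at the distribution of gaps over longer windows and at the request size, which for a pure check-in is usually constant as well.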

Different malware variants are used in the various campaigns, but they behave the same way. Another thing that points to them all being run by the same attacker(s) is that the different C&C servers and domains have all been registered by the same registrant (different names, but the same email address: xiaomao{BLOCKED}@163.com).

“This individual also recently registered 79 additional domains. There are a total of roughly 17,000 domains registered with this same email address,” the researchers discovered, and this obviously points to a concerted effort.

The researchers didn’t say which organizations (and in which countries) were hit, and have refrained from sharing the full filenames and hashes of the malicious files delivered, as the investigation is still ongoing.

They made only one exception, and said that one of the malicious executables was named Questionaire Concerning the Spread of Superbugs February 2014.exe – I’m guessing this was used in a campaign targeting healthcare organizations.
