Pawn Storm, the long-running economic and political cyber-espionage operation first detailed in October 2014, continues unabated.
Aiming to compromise the targets’ computers and Outlook accounts, the attackers send spear-phishing emails carrying malware, compromise websites so that they redirect visitors to exploits that deliver malware (in both cases the SEDNIT/Sofacy Trojan), or trick targets into entering their Outlook login credentials into fake Outlook Web Access login pages parked on typosquatted domains.
The latter tactic is still in use: fake OWA webmail pages aimed at employees of the armed forces of two European NATO members, as well as at the NATO Liaison in the Ukraine, have been spotted.
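The credential-phishing pages described above work only if a user accepts a lookalike hostname as the real webmail server. One defensive check an organisation can run over its own proxy logs is to flag hostnames that are near-misses of, or that embed, its legitimate OWA hosts. The script below is an added example and not code from the article or from Trend Micro; the hostnames, log lines and the `LEGIT_OWA_HOSTS` set are constructed placeholders, not the domains used in the Pawn Storm campaign, and `registrable_domain` is a deliberately simple last-two-labels heuristic rather than a public-suffix-list lookup.

```python
"""Flag lookalike (typosquatted) webmail hostnames in proxy logs.

Added example, not from the article. All hostnames and log lines are
constructed placeholders, not real Pawn Storm infrastructure.
"""
from urllib.parse import urlsplit

# Constructed: the organisation's genuine webmail hosts.
LEGIT_OWA_HOSTS = {"mail.example-org.com", "owa.example-org.com"}

# Constructed proxy log lines: "<timestamp> <client> <method> <url>".
SAMPLE_PROXY_LOG = """\
2015-03-02T09:14:11Z 10.1.4.23 GET https://mail.example-org.com/owa/auth/logon.aspx
2015-03-02T09:15:40Z 10.1.4.23 GET https://mail.exarnple-org.com/owa/auth/logon.aspx
2015-03-02T09:16:02Z 10.1.7.90 GET https://www.example-org.com/news/
2015-03-02T09:17:55Z 10.1.7.90 GET https://mail.example-org.com.login-portal.net/owa/
2015-03-02T09:18:31Z 10.1.8.14 GET https://owa.examp1e-org.com/owa/
2015-03-02T09:19:07Z 10.1.9.5 GET https://webmail-secure-login.net/owa/auth/
"""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used for near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Assumption: last two labels approximate the registrable domain
    (a real deployment would consult the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def classify_host(host: str, path: str) -> "str | None":
    """Return a verdict label for a suspicious host, or None if it looks fine."""
    host = host.lower()
    # Genuine host or a subdomain of one: nothing to flag.
    if host in LEGIT_OWA_HOSTS or any(host.endswith("." + h) for h in LEGIT_OWA_HOSTS):
        return None
    # The real hostname embedded as a subdomain of some other registrable domain.
    if any(legit in host for legit in LEGIT_OWA_HOSTS):
        return "legit-host-embedded"
    # Registrable domain within two edits of ours (e.g. rn for m, 1 for l).
    for legit in LEGIT_OWA_HOSTS:
        dist = levenshtein(registrable_domain(host), registrable_domain(legit))
        if 0 < dist <= 2:
            return "near-miss-domain"
    # An OWA login path served by a host we do not own at all.
    if path.lower().startswith("/owa"):
        return "owa-path-on-unknown-host"
    return None


def scan_proxy_log(text: str) -> list:
    """Return (client, host, verdict) for every flagged request in the log."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url = line.split(maxsplit=3)
        parts = urlsplit(url)
        verdict = classify_host(parts.hostname or "", parts.path)
        if verdict:
            hits.append((client, parts.hostname, verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client:<12} {verdict:<26} {host}")
```

Running the script over the constructed log flags the `rn`-for-`m` and `1`-for-`l` substitutions, the genuine hostname hidden as a subdomain of an unrelated domain, and an OWA login path on an unknown host, while leaving the genuine server and the public website alone. The edit-distance threshold of two is a tuning knob: tighter values miss more variants, looser ones start matching unrelated short domains.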
Spear-phishing emails are also still being used, but the approach has changed somewhat: the malware is no longer in an attachment, and the attackers instead try to lure recipients into following a malicious link.
“The emails usually have a link to what looks like a legitimate news site,” Trend Micro senior threat researcher Feike Hacquebord explains. “When the target clicks on the link he will first load a fingerprinting script that feeds back details like OS, time zone, browser and installed plugins to the attackers. When certain criteria are met the fake news site may respond with a message that an HTML5 plugin has to be installed to view the contents of the site. The add-on in question turns out to be a version of X-Agent or Fysbis spyware if you’re a Linux user, and Sednit if you’re running Windows.”
The attackers’ targets are still government employees, military officials, and media companies, but now they seem to concentrate on NATO members and the White House.
“They targeted three popular YouTube bloggers with a Gmail phishing attack on January 26, 2015, four days after the bloggers had interviewed President Obama at the White House. This is a classic island hopping technique, in which attackers focus their efforts not on the actual target but on companies or people that might interact with that target, but which may have weaker security in place,” Hacquebord shared.
“In a similar way, a well-known military correspondent for a large US newspaper was hit via his personal email address in December 2014, probably leaking his credentials. Later that month Operation Pawn Storm attacked around 55 employees of the same newspaper on their corporate accounts.”