Phresh phishing against government, defence and energy
09 October 2014
Earlier this year I came to work and checked our monitoring systems that had run overnight. One of them had identified that two new domains had been pointed at a server PwC’s Threat Intelligence team had previously associated with malware known as “Sofacy”.
The group using Sofacy malware has a broad target base, and so any new activity is usually worth following. Investigating this activity led us to some additional recent activity in an ongoing operation targeting employees of a wide range of public and private sector organisations.
Variants of Sofacy have been in use for a considerable amount of time - the screenshot below is from the decoy document loaded by one of the earliest versions present on ThreatExpert (February 2010).
Decoy documents are typically used to make targets believe that malware posing as a document is legitimate, and they often give some idea of the nature of the intended targets.
More recently, ESET have reported on spear phishes with NATO/Ukrainian conflict themes and watering hole attacks likely targeting the defence industry and a Polish finance.
Malicious Domain Names
I passed the domains onto my colleague Tom Lancaster (@tlansec) who has a great ability to take a piece of information and quickly expand it using open source information. Tom pivoted on the domains to find a far larger set of domains closely related via whois data and infrastructure.
The domain names were near identical to those of:
- International and European diplomatic institutions
- Popular providers of web mail, photo sharing, search and secure mail services
- Military institutions, contractors and conferences
- Energy companies
- News organisations based out of the United States and Central Europe
Looking into the content of some of the domains revealed that they were not used only for the malware command and control I had expected.
Phishing for credentials
The use of malware in targeted attacks to steal information of value to attackers has been well reported. Less well reported is the simple technique of phishing for credentials, which, whilst still relatively common in targeted attacks, is more typically reported in use by criminal attackers involved in day-to-day cyber fraud.
Whilst many of the domain names were not hosting web pages at the time of identification, a number were. Typically they would use obfuscated code to redirect the user to another webpage:
Fake login pages were observed for webmail and two-factor authentication platforms. As well as the fake pages themselves being visually identical to the legitimate pages, the domains were near identical, making it difficult for users to recognise that they were being duped.
For example the screenshot below shows the contents of a credential phishing website designed to mimic the legitimate OWA site of a defence contractor.
A significant number of Sofacy domains impersonate legitimate organisations, for example:
Two of the domains identified have previously been associated with credential phishing:
- In October 2013 the domain chmail[.]in was reported as being used in widespread attacks against users of the Iranian mail service chmail[.]ir
- In January 2014 the domain google-settings[.]com was reported as being used in credential theft against some Gmail users.
And this comment occurs in many of the pages, though also appears in some legitimate sites:
// stop for sometime if needed
As ever with phishing attacks, one of the most important preventative steps is educating users on how to identify suspicious emails. It is also important to alert on “impossible journeys”, for example a single user logging in from two separate countries within a short period of time. We will be publishing a post on how to do so shortly.
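One way to implement the “impossible journey” alert described above, as an added example that is not part of the original post and not PwC’s own tooling. It assumes a constructed log format of timestamp, user, source country and result, and treats two successful logins from different countries less than four hours apart as suspicious:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original post):
# "<ISO-8601 UTC timestamp> <user> <source country ISO code> <result>"
SAMPLE_LOG = """\
2014-10-08T08:05:12Z alice GB success
2014-10-08T08:41:30Z alice RO success
2014-10-08T09:10:02Z bob GB success
2014-10-08T09:12:44Z bob GB failure
2014-10-08T17:30:00Z bob US success
2014-10-09T07:55:19Z carol DE success
2014-10-09T08:00:00Z carol DE success
"""


def parse_logins(text):
    """Parse the constructed log into (timestamp, user, country) for successful logins only."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        if result != "success":
            continue  # a failed attempt does not establish a "journey"
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, country))
    return events


def impossible_journeys(events, window=timedelta(hours=4)):
    """Return (user, earlier_country, later_country, gap) for consecutive successful
    logins by the same user from different countries less than `window` apart."""
    by_user = defaultdict(list)
    for ts, user, country in events:
        by_user[user].append((ts, country))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()  # log lines may arrive out of order; compare in time order
        for (t0, c0), (t1, c1) in zip(logins, logins[1:]):
            if c0 != c1 and (t1 - t0) < window:
                alerts.append((user, c0, c1, t1 - t0))
    return alerts


if __name__ == "__main__":
    for user, c0, c1, gap in impossible_journeys(parse_logins(SAMPLE_LOG)):
        print(f"ALERT {user}: login from {c0} then {c1} within {gap}")
```

Only alice is flagged: bob’s GB and US logins are more than four hours apart, and his failed attempt is ignored.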
For more in-depth coverage on this group and indicators which can be used to detect their activity, please give us a shout at [email protected].