{"id":2552,"date":"2014-09-11T16:34:41","date_gmt":"2014-09-11T16:34:41","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2552"},"modified":"2019-11-15T07:13:01","modified_gmt":"2019-11-15T12:13:01","slug":"clustertrouble-dealing-with-a-multistage-financial-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/clustertrouble-dealing-with-a-multistage-financial-attack\/2552\/","title":{"rendered":"Clustertrouble: dealing with a multistage financial attack"},"content":{"rendered":"<p>This is a story from our GERT group, which is tasked with specific incident investigations. While the kind of work they do is far from routine, it is mostly technical. So an attempt to tell a story about their investigations, for the most part, produces something overloaded with technical details: software names, malware aliases, ports, code fragments, etc. It\u2019s not always\u00a0interesting. This particular story is something special.<\/p>\n<p>Okay, here\u2019s the plot. Some time ago, one company \u2013 large enough to operate with 5-6 digit sums \u2013 approached Kaspersky Lab\u2019s experts asking that we take a look at something wicked going on. In a nutshell, the bank it was working with requested they confirm a large outgoing payment. Trouble was, that payment was not supposed to be happening at all. The account manager responsible for making these payments was out to dinner at the time of the transaction attempt. Yet another \u2013 ten times smaller (but still rather large) \u2013 payment had already been conducted without alarming the bank. 
Again, without anyone in the firm being aware of it.<\/p>\n<p>The situation smelled foul enough for the company representatives to suspect there was malware at play. That suspicion was confirmed in the very first days of the investigation. And the malware was quite impressive, something of the \u201crough-but-effective\u201d sort, even though the hackers made one big mistake.<\/p>\n<p>The experts at Kaspersky Lab\u2019s Global Emergency Response Team (GERT) received an image of the attacked computer\u2019s hard drive from the attacked organization, studied it and soon detected a suspicious email message, allegedly sent from the state tax office, asking for some documents to be provided immediately.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/09\/06020128\/wide-4-1.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-2554\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/09\/06020128\/wide-4-1.png\" alt=\"wide-4\" width=\"1000\" height=\"665\"><\/a><\/p>\n<p>Actually, that message header was written in capital letters and with a lot of exclamation points, which isn\u2019t exactly the style of an official letter from a government agency. So it really should have raised suspicions. Apparently the accountant was mesmerized by the words \u201cFederal tax service\u201d. 
By the way, the names and addresses of the tax service officers in the message were real and legitimate.<\/p>\n<p>All in all, the document had been opened, thus setting loose Exploit.MSWord.CVE-2012-0158. The exploit then downloaded an archived file from a remote system, which in turn yielded Backdoor.Win32.RMS. This backdoor was used to monitor the accountant\u2019s activities for a couple of days. Then two more pieces of malware were downloaded using that backdoor \u2013 the keylogger Trojan-Spy.Win32.Delf and Backdoor.Win32.Agent. The keylogger was used to hijack the accountant\u2019s password to the banking software, and the second backdoor to hijack the PC itself and operate it remotely. Gotcha.<\/p>\n<p>That\u00a0wasn\u2019t all. When the investigation was nearing completion, the experts discovered yet another curious fact: the attackers had rolled out a special network of C&amp;C servers to control their malware, but made a mistake which allowed Kaspersky Lab\u2019s experts to find out the IP addresses of other computers infected with Trojan-Spy.Win32.Delf.<\/p>\n<p>In most cases, these proved to be computers owned by SMBs. Kaspersky Lab promptly contacted the owners of the infected computers and warned them of the threat.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>Had there been no warning from the bank, the losses would have been dramatic.<\/p><\/blockquote>\n<p>This last circumstance raises yet another problem: how often do criminals infect one company\u2019s network in order to successfully attack another? 
The first company may be completely clueless about the malware operating on and from its servers (or even some more exotic places such as wireless modems, for instance, why not?), and stay undetected for quite some time. Once again it becomes obvious that cybersecurity is everybody\u2019s business.<\/p>\n<p>And one more thing. There are technical details. A lot of them. Feel free to find them <a href=\"https:\/\/securelist.com\/analysis\/publications\/66454\/thefts-in-remote-banking-systems-incident-investigations\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A curious story about a cyber-investigation of fraudulent activities, which our GERT group had recently conducted on behalf of one of the company&#8217;s clients. The attackers were quite thoughtful, but not good enough.<\/p>\n","protected":false},"author":209,"featured_media":15837,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2180,282,2181,2182,36],"class_list":{"0":"post-2552","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cyber-investigation","10":"tag-cybersecurity","11":"tag-fraudulent-payments","12":"tag-gert","13":"tag-malware-2"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/clustertrouble-dealing-with-a-multistage-financial-attack\/2552\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/clustertrouble-dealing-with-a-multistage-financial-attack\/2552\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/clustertrouble-dealing-with-a-multistage-financial-attack\/2552\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cyber-investigation\/","name":"cyber-investigation"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\
/wp-json\/wp\/v2\/posts\/2552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=2552"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2552\/revisions"}],"predecessor-version":[{"id":30718,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2552\/revisions\/30718"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15837"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=2552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=2552"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=2552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}