- Hackers contact companies through the “Contact Us” form on their websites
- They then talk to the victims for weeks before deploying the malware.
- Hackers are attacking with custom backdoors
Cybercriminals are trying to deliver backdoor malware to organizations based in the United States.
A new report by Check Point security researchers describes how, in this campaign, the criminals pose as a US-based company looking for partners, suppliers and the like.
They often buy abandoned or dormant domains with legitimate commercial histories to look authentic. They then contact potential victims not by email (the standard practice) but through the “contact us” form or other communication channels provided on the victim's website.
Dropping MixShell
When the victims reply to the inquiry, it is usually by email, which opens the door to delivering the malware.
However, the attackers do not do so immediately. Instead, they build a relationship with the victims, going back and forth for weeks until, at some point, they ask the victims to sign an attached NDA.
The attached file contains a couple of documents, including clean PDF and DOCX files to mislead the victims, and a malicious .LNK file that triggers a PowerShell loader.
This loader ultimately deploys a backdoor called MixShell, a custom in-memory implant with DNS-based command and control (C2) and enhanced persistence mechanisms.
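A defender-side check for the lure described above, added here as an illustration and not part of the Check Point report: it inspects an archive for a .LNK shortcut sitting beside decoy PDF/DOCX files and flags a PowerShell command embedded in the shortcut. The archive, file names and the LNK-like blob are all constructed for the demo; the shortcut only mimics the real LNK header signature.

```python
import io
import zipfile

# Real LNK header signature: HeaderSize 0x4C followed by the ShellLink CLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_HEADER_LEN = 76


def build_fake_lnk(command: str) -> bytes:
    """Constructed LNK-like blob: valid header signature padded to 76 bytes,
    then a UTF-16LE command string (not a parseable real shortcut)."""
    header = (LNK_MAGIC + LNK_CLSID).ljust(LNK_HEADER_LEN, b"\x00")
    return header + command.encode("utf-16-le")


def build_sample_archive() -> bytes:
    """Constructed 'NDA' archive: two clean-looking decoys plus one shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NDA/NDA_Agreement.pdf", b"%PDF-1.4 decoy")
        zf.writestr("NDA/NDA_Agreement.docx", b"PK decoy")
        zf.writestr("NDA/NDA_Agreement.pdf.lnk",
                    build_fake_lnk("powershell -w hidden -ep bypass -c <payload>"))
    return buf.getvalue()


def scan_archive(data: bytes) -> list:
    """Return (name, reasons) for every .LNK entry found in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        has_decoys = any(n.lower().endswith((".pdf", ".docx")) for n in names)
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            blob = zf.read(name)
            reasons = ["lnk_in_archive"]
            if blob[:4] == LNK_MAGIC and blob[4:20] == LNK_CLSID:
                reasons.append("valid_lnk_header")
            # Decode at both alignments so UTF-16 strings are caught either way.
            body = blob[LNK_HEADER_LEN:]
            text = (body.decode("utf-16-le", errors="ignore")
                    + body[1:].decode("utf-16-le", errors="ignore")).lower()
            if "powershell" in text:
                reasons.append("powershell_in_lnk")
            if has_decoys:
                reasons.append("decoy_documents_present")
            if name.rsplit("/", 1)[-1].count(".") >= 2:
                reasons.append("double_extension")
            findings.append((name, reasons))
    return findings
```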
Check Point did not discuss the number of potential victims, but said they number in the dozens, varying in size, geography and industry.
The majority (around 80%) are in the United States, with Singapore, Japan and Switzerland also having a notable number of victims. The companies are mainly in industrial manufacturing, hardware and semiconductors, consumer goods and services, and biotechnology and pharmaceuticals.
“This distribution suggests that the attacker is looking for entry points in operationally rich industries and the critical supply chain rather than focusing on a specific vertical,” says Check Point.
The researchers could not attribute the campaign to any known threat actor with confidence, but said there is evidence pointing to the transfer campaign and to a cybercriminal cluster tracked as UNK_Greensec.
Via The Record