Government, media and military organizations in the United States and Europe, as well as opponents of the Russian government, are the targets of a new systematic attack using what Trend Micro researchers describe as a “simple but clever JavaScript trick” aimed at users of Microsoft’s Office 365 Outlook Web Access.
OWA gives browser-based access to the online suite. “The OWA phishing attacks seemed effective and so could be particularly dangerous to any organization that allows employees to use OWA,” researchers say in a new report.
Trend Micro has dubbed the campaign Operation Pawn Storm and says the gang uses three attack vectors: spear-phishing email with malicious attachments, an advanced network of phishing Web sites, and exploits injected into legitimate Polish websites. Many of the attacks have in common the use of the SEDNIT/Sofacy malware, mostly backdoors and information-stealing multistage downloaders designed to evade detection.
Among its strategies, the attackers created a Web site with a domain similar to one used by Hungary’s defence ministry for an upcoming conference as bait, then sent an email with the phony link to select ministry employees. If a recipient was logged in to OWA and clicked on the link, two browser tabs opened: one with the real conference Web site, while the other was redirected by JavaScript to a phishing log-in page that looked as if the OWA session had ended. The hope was that users would re-enter their credentials to log back in, giving the attackers their IDs and passwords.
Other tactics included using a fake news Web site and a fake company site. In the latter case the attackers registered a domain that looked very similar to the company’s, and purchased a Secure Sockets Layer (SSL) certificate for the fake domain so the page would appear legitimate in the browser.
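The lookalike-domain tactic described above is something a defender can monitor for directly. The following is an added example written for this article, not code from Trend Micro or from the report: a small Python script that compares newly observed domains (for instance from certificate transparency feeds or DNS logs) against a watchlist of an organization’s own domains and flags the patterns the report describes, such as digit-for-letter or Cyrillic homoglyph substitutions, the protected name reused under a different top-level domain, and the protected name embedded in a longer label. All domain names in it are constructed placeholders, not indicators from the report.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist: the domains an organization wants to protect (placeholder values).
PROTECTED_DOMAINS = ["example-ministry.hu", "example-corp.com"]

# Constructed sample of newly observed domains; none of these are real indicators.
OBSERVED = [
    "example-ministry.hu",               # the genuine domain itself
    "examp1e-ministry.hu",               # digit '1' standing in for 'l'
    "example-ministry-conference.net",   # protected name embedded in a longer label
    "example-corp.org",                  # same name, different TLD
    "ex\u0430mple-corp.com",             # Cyrillic 'а' (U+0430) in place of Latin 'a'
    "unrelated-site.org",                # should not be flagged
]

# Single-character confusables folded to their Latin/ASCII look-alike.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                 # Cyrillic с х у
    "0": "o", "1": "l", "3": "e", "5": "s", "@": "a",
}
# Multi-character sequences that read as a single letter in many fonts.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def base_name(domain):
    """Return the label left of the public suffix, e.g. 'example-corp' from 'example-corp.com'.
    Assumption: single-label TLDs; a real deployment would consult the public-suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def skeleton(label):
    """Fold a label to a 'skeleton' so visually confusable spellings compare equal."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(c for c in s if not unicodedata.combining(c))  # drop accents
    for seq, repl in MULTI_CONFUSABLES.items():
        s = s.replace(seq, repl)
    return "".join(CONFUSABLES.get(c, c) for c in s)


def classify(domain, protected=PROTECTED_DOMAINS, threshold=0.8):
    """Return (verdict, matched_protected_domain_or_None, reason).

    verdict is 'exact' (the protected domain itself), 'lookalike', or 'unrelated'.
    threshold is the SequenceMatcher ratio above which near-misspellings are flagged."""
    name = base_name(domain)
    skel = skeleton(name)
    for good in protected:
        good_name = base_name(good)
        if domain.lower() == good.lower():
            return ("exact", good, "matches a protected domain")
        if name != skel and skel == good_name:
            return ("lookalike", good, "confusable-character substitution for the protected name")
        if skel == good_name:
            return ("lookalike", good, "protected name registered under a different TLD")
        if good_name in skel:
            return ("lookalike", good, "protected name embedded in a longer label")
        ratio = SequenceMatcher(None, skel, good_name).ratio()
        if ratio >= threshold:
            return ("lookalike", good, "edit similarity %.2f to protected name" % ratio)
    return ("unrelated", None, "no protected name resembled")


def scan(observed=OBSERVED):
    """Classify every observed domain; returns {domain: (verdict, match, reason)}."""
    return {d: classify(d) for d in observed}


if __name__ == "__main__":
    for domain, (verdict, match, reason) in scan().items():
        print("%-34s %-10s %s" % (domain, verdict, reason if match else ""))
```

The digit-to-letter folding is deliberately aggressive: a legitimate domain that contains digits will skeletonize to something else, so tune `CONFUSABLES` and `threshold` to the organization’s own naming before alerting on results. Feeding the output into a ticketing or blocklist workflow turns the report’s “similar-looking domain” warning into a routine check rather than something discovered only after a user has already entered credentials.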
The attackers have also sent email with attachments related to something the recipient might expect to receive. For example, an email was sent in September 2013 to military officials from several countries referring to the upcoming Asia-Pacific Economic Co-operation (APEC) Indonesia 2013 conference. The email carried a malicious Microsoft Excel attachment named “APEC Media list 2103. Part1.xls.”
Often the email carries a decoy document plus an exploit that installs a downloader component. The downloader communicates with a command-and-control server, which sends a dropper that in turn installs a keylogger.
Trend Micro examined attacks from the group from 2010 to 2014, noting this year’s efforts were “more streamlined.”
In some cases people did click on the links, the report noted, with the attackers then able “to steal all manners of sensitive information from the victims’ computers.”