New Cyberespionage Attack Targets Russia

Published: 22/11/2024   Category: security




Sanny attacks feature Korea as possible home to command-and-control



China is often considered synonymous with cyberespionage, but what about Korea? A new targeted attack campaign with apparent Korean ties has been stealing email and Facebook credentials and other user-profile information from Russian telecommunications, IT, and space research organizations.
FireEye says the so-called Sanny attacks appear to indicate that Korea may be home to the command-and-control (C&C) and other communications for the malware. Researchers didn't specify whether it's North or South Korea, but say that around 80 percent of the victims in the attacks are Russian organizations.
Ali Islam, security researcher for FireEye, says it's possible that Korea is being used as a proxy for the attack. But there are a few clues of a Korean connection: the SMTP email server and C&C servers are based in Korea; the Batang and KP CheongPong fonts used in the lure documents are Korean; a Korean message board is used for the C&C; and the Yahoo email account used in the attacks, jbaksanny, is connected to an empty Korean Wikipedia page created by a user named Jbaksan.
"We believe both countries [North and South Korea] have cyberattack capabilities. The attacker has done a great job of hiding his/herself by choosing a public forum as normally with APTs -- in contrast to normal malware [where] you don't need a long-lasting C&C," Islam says.
Specifically, the attackers are grabbing email user accounts and passwords from Outlook, as well as information about the victim's email server (POP3/IMAP). "Once you have that information, you have access to employees' emails even from outside, and that means a lot of official information," Islam says. "It also steals other accounts' credentials, [such as] all user passwords stored by Firefox for auto login."
Victims are infected after opening infected documents purportedly about a meeting of the Association of Southeast Asian Nations. FireEye has spotted nearly 90 infected machines or IP addresses thus far.
"The malware exploits a Microsoft Word vulnerability, steals sensitive data, employs different kinds of obfuscation and encryption at different levels, and sends the data back to a public message board using HTTP POST, and SMTP as fallback," Islam says.
But what's most unique about this particular cyberespionage campaign is that it uses a public forum to collect the pilfered information, he says.
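As an added illustration, not code from the article or from FireEye, the Python script below shows how a defender might triage egress logs for the exfiltration pattern Islam describes: HTTP POSTs to a public message board, combined with outbound SMTP sessions from hosts that are not mail servers. The log lines, the forum domain, the host names and the allowlist of mail servers are all constructed for this example.

```python
"""Egress-log triage for forum-based exfiltration with an SMTP fallback.

A host is flagged when it (a) POSTs to a public message-board domain the
organisation has put on a watchlist, and/or (b) opens outbound SMTP
sessions although it is not one of the designated mail servers.  Hosts
showing both behaviours are rated highest, because that combination
matches the primary-plus-fallback channel described in the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample egress log (not real traffic).  One event per line:
# timestamp src_host dst_host:port proto detail
SAMPLE_LOG = """\
2024-11-22T09:01:10Z WS-0142 intranet.example.local:443 HTTP GET /portal
2024-11-22T09:01:15Z WS-0142 board.example-forum.net:80 HTTP POST /write.php
2024-11-22T09:01:16Z WS-0142 board.example-forum.net:80 HTTP POST /write.php
2024-11-22T09:02:40Z WS-0142 mx.example-mail.net:25 SMTP EHLO
2024-11-22T09:03:00Z WS-0077 board.example-forum.net:80 HTTP GET /read.php
2024-11-22T09:03:30Z MAIL-01 mx.example-mail.net:25 SMTP EHLO
2024-11-22T09:04:12Z WS-0099 board.example-forum.net:80 HTTP POST /write.php
"""

# Hypothetical watchlist of public message-board domains that workstations
# have no business writing to, and the hosts permitted to speak SMTP outbound.
FORUM_DOMAINS = {"board.example-forum.net"}
MAIL_SERVERS = {"MAIL-01"}


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    port: int
    proto: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line in the constructed format; None if malformed."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, src, dstport, proto, detail = parts
    dst, sep, port = dstport.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return Event(ts, src, dst, int(port), proto, detail)


def triage(log_text: str) -> dict:
    """Return {host: {"severity": ..., "indicators": [...]}} for suspect hosts."""
    indicators = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        # Indicator 1: HTTP POST (a write, not a read) to a watched public board.
        if ev.proto == "HTTP" and ev.detail.startswith("POST") and ev.dst in FORUM_DOMAINS:
            indicators[ev.src].add("post_to_public_board")
        # Indicator 2: outbound SMTP from a host that is not a mail server.
        if ev.proto == "SMTP" and ev.port == 25 and ev.src not in MAIL_SERVERS:
            indicators[ev.src].add("smtp_from_non_mail_host")

    findings = {}
    for host, inds in indicators.items():
        if len(inds) == 2:
            severity = "high"      # primary channel plus fallback channel
        elif "post_to_public_board" in inds:
            severity = "medium"    # writing to a public board alone
        else:
            severity = "low"       # stray SMTP alone; worth a look, not an alarm
        findings[host] = {"severity": severity, "indicators": sorted(inds)}
    return findings


if __name__ == "__main__":
    for host, f in sorted(triage(SAMPLE_LOG).items()):
        print(host, f["severity"], ", ".join(f["indicators"]))
```

Reads from the board (WS-0077) and SMTP from the designated mail server (MAIL-01) are deliberately not flagged, so the rule stays quiet on ordinary browsing and legitimate mail flow; in a real deployment the watchlist would come from proxy categorisation and the mail-server allowlist from the asset inventory.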
FireEye has posted a blog with screenshots on Sanny here.
