Last week, researchers from security vendor Blue Coat Systems reported that they discovered an attack platform that the vendor claims is being used to attack high-level personnel in engineering, finance, oil and other critical industries. Attacks have also targeted diplomats, government officials and military officers.
Because of the sophisticated nature of the malware, Blue Coat named the framework “Inception” after the movie about the character who steals secrets from the dreams of his targets. The security vendor says it is one of the most sophisticated malware attacks it has ever seen, including “masterful” identity cloaking and diversionary tactics, as well as “clean and elegant code suggesting strong backing and top-tier talent.”
Blue Coat said that the attacks have targeted execs in the financial sector in Russia, and the energy and oil sector in Romania, Venezuela and Mozambique. Other targets included diplomats in a number of countries.
As many attacks do today, these attacks began with phishing emails designed to socially engineer recipients into opening documents whose payloads exploit the vulnerabilities CVE-2012-0158 and CVE-2014-1761. The emails also would drop keyloggers and remote-access Trojans.
Much of the command-and-control of the attack platform is based in cloud services, and the attackers have gone through considerable efforts to hide their tracks.
According to Blue Coat, “Command & Control traffic on the Windows platform is performed indirectly via a Swedish cloud service provider using the WebDAV protocol. This hides the identity of the attacker and may bypass many current detection mechanisms.”
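Added here as a defender's illustration, not code from Blue Coat or from the report: a small Python hunt over constructed proxy log lines that flags WebDAV-only verbs from workstations to hosts outside a sanctioned list and reports the check-in interval. The log format, hostnames and allowlist are assumptions, and the cloud host is a placeholder rather than an indicator from the report.

```python
from collections import defaultdict
from datetime import datetime

# WebDAV-only methods (RFC 4918); ordinary browsing almost never sends them.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK", "UNLOCK"}

# Hosts where WebDAV is expected in this assumed environment (placeholder).
ALLOWLIST = {"sharepoint.corp.example"}

# Constructed proxy log lines (timestamp client method host path); the
# cloud host is a placeholder, not an indicator from the Blue Coat report.
SAMPLE_LOG = """\
2014-12-10T09:00:01 10.1.2.3 GET www.example.org /index.html
2014-12-10T09:00:05 10.1.2.3 PROPFIND sharepoint.corp.example /sites/doc
2014-12-10T09:05:00 10.1.2.7 PROPFIND webdav.cloud-placeholder.example /u/x/
2014-12-10T09:05:00 10.1.2.7 PUT webdav.cloud-placeholder.example /u/x/out.bin
2014-12-10T09:15:00 10.1.2.7 PROPFIND webdav.cloud-placeholder.example /u/x/
2014-12-10T09:25:00 10.1.2.7 PROPFIND webdav.cloud-placeholder.example /u/x/
"""

def parse_line(line):
    ts, client, method, host, path = line.split()
    return datetime.fromisoformat(ts), client, method, host, path

def find_webdav_c2_candidates(log_text, allowlist=ALLOWLIST):
    """Map (client, host) -> sorted timestamps of WebDAV verbs to hosts
    outside the allowlist. PUT counts only toward a host that also gets
    WebDAV-only verbs, since PUT alone is normal for many web apps."""
    hits, puts = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ts, client, method, host, _ = parse_line(line)
        if host in allowlist:
            continue
        if method in WEBDAV_METHODS:
            hits[(client, host)].append(ts)
        elif method == "PUT":
            puts[(client, host)].append(ts)
    for key, stamps in puts.items():
        if key in hits:
            hits[key].extend(stamps)
    return {k: sorted(v) for k, v in hits.items()}

def beacon_interval_seconds(timestamps):
    """Median gap between consecutive events; a steady gap is the
    check-in rhythm a defender would look for, not proof of C2 by itself."""
    gaps = sorted((b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:]))
    return gaps[len(gaps) // 2] if gaps else None
```

Traffic to the allowlisted SharePoint host and plain GET requests are ignored; the one remaining client/host pair shows a 600-second median gap between its PROPFIND requests.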
The attackers also have obfuscated their identity by leveraging proxy networks based in South Korea. The proxy network was built from compromised devices that still had default credentials in place or were otherwise poorly configured.
“There clearly is a well-resourced and very professional organization behind Inception, with precise targets and intentions that could be widespread and harmful. The complex attack framework shows signs of automation and seasoned programming, and the number of layers used to protect the payload of the attack and to obfuscate the identity of the attackers is extremely advanced, if not paranoid,” Blue Coat wrote in its post on the Inception framework.
While the attack has focused, so far, primarily on Russia and Russian interests, Blue Coat reports that there are verified targets around the globe. “The framework is generic, and will work as an attack platform for a multitude of purposes with very little modification,” they wrote.
Makes sense. Whether it’s organized crime or nation-state adversaries, it’s expected that we will see increased sophistication in the attack platforms during the months and years ahead.
A blog that details more about how the attack works is available here.
The full report is located here (.pdf).