Cybercriminals Infiltrate Various Organizations in Siesta Campaign

  • 7 March 2014

Security researchers from Trend Micro are investigating a new campaign of targeted attacks aimed at organizations from various sectors. The campaign has been dubbed Siesta (read on to learn why).

According to experts, companies from transport and traffic, security and defense, public administration, healthcare, media and telecoms, finance, energy, and consumer goods and services sectors are targeted by the cybercriminals.

Interestingly, the attackers don’t always rely on sophisticated methods to penetrate their targets’ networks. Instead, they often use social engineering tactics to trick their victims into giving them access.

A case study related to the Siesta campaign shows that, on at least one occasion, the attackers sent out a spear phishing email to the executives of a company. To make sure the execs took the bait, the emails purported to come from someone within the organization.

The malicious messages didn’t have malware attached to them. Instead, they contained links that appeared to point to a download website. To increase their chances of success, the attackers hosted the malware at a URL of the form http://{malicious domain}/{organization name}/{legitimate archive name}.zip, so the path looked like it belonged to the targeted organization.

The archive contained an executable which, at first sight, appeared to be a harmless PDF document. When executed, a legitimate PDF file apparently taken from the targeted company’s website and a malicious component were dropped.

While the victim was looking at the PDF document, a backdoor silently stepped into play. The backdoor started communicating with a command and control server from which it received commands like “sleep” and “download.” The sleep command instructs the backdoor to remain idle for a specified number of minutes before resuming its activities.

The download command instructs the threat to download and execute an additional malicious component.
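The lure URL pattern described above (an external domain serving a .zip from a path that carries the target organization's own name) is something a defender can hunt for in web proxy logs. The following is an added example written for this post, not code from the article or from Trend Micro; the log lines, the organization names and the trusted-domain list are all constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample proxy log lines: "timestamp user url" (not from the article).
SAMPLE_LOG = """\
2014-03-05T09:12:01 alice http://intranet.example-corp.com/reports/q4.zip
2014-03-05T09:15:44 bob http://files-update.example.net/example-corp/annual_report.zip
2014-03-05T09:16:10 carol http://cdn.example.org/images/logo.png
2014-03-05T09:20:33 dave http://dl.example.biz/Example-Corp/press_kit.ZIP
"""

# Names the organization is known by (assumed values for the example).
ORG_NAMES = ["example-corp", "examplecorp"]
# Domains from which the organization legitimately serves archives (assumed).
TRUSTED_DOMAINS = {"example-corp.com"}


def is_trusted(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_lure_url(url):
    """Flag http(s) downloads of a .zip from an untrusted host whose path
    contains the organization's own name, i.e. the
    http://{malicious domain}/{organization name}/{archive}.zip pattern."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    if is_trusted(p.hostname):
        return False
    path = p.path.lower()
    if not path.endswith(".zip"):
        return False
    # Only look at directory segments, not the archive file name itself.
    segments = [s for s in path.split("/") if s][:-1]
    return any(name in seg for seg in segments for name in ORG_NAMES)


def find_lure_downloads(log_text):
    """Return (user, url) pairs for every log line that matches the lure pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed lines
        _ts, user, url = parts
        if is_lure_url(url):
            hits.append((user, url))
    return hits
```

Matches are a starting point for triage (who clicked, from which mail), not proof of compromise; a legitimate partner site that mirrors your archives under your name would also trigger it.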

The use of the sleep command actually inspired the name of the Siesta campaign (“siesta” means “nap” in Spanish).

Trend Micro has analyzed hashes, command and control servers, registrants, and other information.

Researchers say it’s difficult to attribute the campaign to a certain actor. However, they’ve managed to identify one email address that has been used to register around 17,000 domains. Some of them have been utilized to drop malware in the Siesta campaign.

The domains have been registered by one Li Ning. Li has listed China as the registrant country on a number of occasions. However, for at least one of the domains, the registrant country is listed as being Canada.