Hackers use phoney invoice email to trick you into downloading malware

Thousands of emails have been sent out in an effort to distribute malware designed to steal credentials and keystokes.
Written by Danny Palmer, Senior Writer

A newly uncovered hacking campaign is targeting industries including shipping and transport for the purpose of cyber espionage -- with security researchers pointing to a well-funded and highly capable operation working out of China as the culprit.

Attackers have sent thousands of phishing emails loaded with trojan malware -- primarily to organisations in India, Saudi Arabia and South-East Asia -- with the intention of duping users into installing a malicious payload equipped with the capability to steal credentials and log keystrokes from infected systems.

Discovered by researchers at security firm LMNTRIX, the campaign has been dubbed 'Special Ear' after one of the phrases planted in the malware code. Special Ear has been active since May this year and provides attackers with remote access to compromised computers.

The malicious emails pose as messages which are regularly seen by businesses -- such as purchase orders. One technique the attackers use in an effort to make the messages look more authentic is to use the top level domain of the country the spam is targeting.


A 'Special Ear' phishing email.


For example, targets in India are targeted from an address with a ".co.in" domain, while spam emails sent to organisations in Saudi Arabia featured a ".com.sa" domain.

"This customisation shows a level of sophistication as the attackers are attempting to give the emails a sense of legitimacy," researchers said.

Delivered via a Portable Executable file, the malware itself is a Trojan:MSIL variant -- a family of malware which has been active since 2010.

See also: What is malware? Everything you need to know about viruses, trojans and malicious software

"The malware is a specially built Trojan," Bipro Bhattacharjee, lead threat researcher at LMNTRIX told ZDNet.

While the WHOIS record of the spam emails suggests that the attacks are originating from the Netherlands, researchers have attributed the campaign to hackers based in China.

"The Chinese phrases and their excessive appearance in the Portable Executable file imply a Chinese origin. In almost every instance where Chinese characters could be used, they were used -- this is a common obfuscation technique of Chinese threat actors," said Bhattacharjee.

The use of Chinese characters is there to confuse analysts and researchers who don't have an understanding of the language by making it harder to examine the code. It also suggests that making the code difficult to analyse is deemed by the group more valuable than disguising the origin of the campaign.

"As the target region for the campaign was non-Chinese speaking countries, we believe the priority was to hide the code's functionality, rather than the campaign's Chinese origin," said Bhattacharjee.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Analysis of the code behind the malware -- which uses .NET Framework -- found the use of Chinese characters throughout, many of which appear to be random words and phrases specially inserted in order to make it harder for researchers to study. One of the random phrases translates to "Special Ear" -- hence the name given to the campaign.

The malware is also designed to obfuscate all API calls in order to help hide its malicious activity.

Researchers haven't yet determined if any of the targets have fallen victim to the campaign and the installed key-logging malware, but also warn that it isn't beyond the realms of possibility as not all anti-virus software identifies the malware. "The full extent of the campaign is still to be discovered," said Bhattacharjee.

Researchers recommend that ensuring anti-virus software is up-to-date with the malicious signature of the malware is best way to protect against falling victim to this attack.


Editorial standards