Poseidon cybercriminals blackmail enterprise players into business relationships

Researchers say the long-standing Poseidon malware boutique is blackmailing businesses through the theft of sensitive data.
Written by Charlie Osborne, Contributing Writer, ZDNet

TENERIFE, SPAIN: The long-standing cyberespionage campaigner and malware boutique Poseidon is ramping up efforts to make a profit in cybercrime by blackmailing businesses, according to Kaspersky.

Speaking at the Kaspersky Security Analyst Summit in Tenerife, Spain, researchers Dmitry Bestuzhev, Santiago Pontiroli and Juan Andres Guerro-Saade said Brazilian Portuguese-speaking group Poseidon is forcing enterprise players into commercial relationships through the theft of sensitive data.

The sophisticated group, in operation since at least 2005, typically employs customized malware digitally signed with rogue certificates to infect a victim's machine and aggressively collect a vast array of data.

Poseidon launches spear phishing campaigns specifically tailored for victim companies, and they may include job applications or resumes for specific posts sent to human resource departments.

The phishing emails are laden with malicious RTF or DOC files. If the attachment is opened by an unwitting victim, the malware connects to the attacker's command and control (C&C) center and deploys software dubbed the "treasure stealer," otherwise known as "IGT."

IGT contains capabilities including file deletion, a PowerShell agent, an SQL data compiler and information gathering tools for grabbing user credentials, group management policies, and system logs, among other data.

If the reconnaissance mission is successful, Poseidon collects the stolen data and wipes the malware off the victim's machine.
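The chain described above (a document attachment opened by HR, a C&C connection, a PowerShell component, credential gathering, then the implant removing itself) is the kind of sequence a defender can correlate from endpoint telemetry. The following is an added example written for this article, not code from ZDNet or from Kaspersky's report: a small log correlator that raises an alert when a process spawned by an Office document handler also shows an external network connection, a PowerShell child, and deletion of its own executable. The log format, the process names, the `OFFICE_HANDLERS` and `INTERNAL_NETS` lists and every line of `SAMPLE_LOG` are constructed assumptions for illustration.

```python
"""Added example (not from the article or Kaspersky): correlate constructed
endpoint events into an alert for the Office -> implant -> PowerShell ->
self-delete chain. All names, paths and addresses below are constructed."""
import ipaddress
from collections import defaultdict

# Assumed set of document handlers for DOC/RTF attachments (constructed list).
OFFICE_HANDLERS = {"WINWORD.EXE", "EXCEL.EXE", "WORDPAD.EXE"}

# Assumed internal address space; anything outside counts as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry, one event per line:
# timestamp|host|event|pid|ppid|image|detail
SAMPLE_LOG = """\
2016-02-09T10:01:05|ws-hr-02|process_create|4120|3300|WINWORD.EXE|C:\\Users\\hr\\Downloads\\resume.doc
2016-02-09T10:01:09|ws-hr-02|process_create|4188|4120|svchosts.exe|C:\\Users\\hr\\AppData\\Local\\Temp\\svchosts.exe
2016-02-09T10:01:12|ws-hr-02|net_connect|4188|4120|svchosts.exe|203.0.113.44:443
2016-02-09T10:01:20|ws-hr-02|process_create|4201|4188|powershell.exe|-nop -w hidden
2016-02-09T10:03:51|ws-hr-02|file_delete|4188|4120|svchosts.exe|C:\\Users\\hr\\AppData\\Local\\Temp\\svchosts.exe
2016-02-09T11:15:00|ws-fin-07|process_create|2201|1800|WINWORD.EXE|C:\\Users\\fin\\Documents\\budget.doc
2016-02-09T11:15:30|ws-fin-07|net_connect|2201|1800|WINWORD.EXE|10.0.0.5:445
"""


def parse_log(text):
    """Parse the pipe-delimited constructed format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, pid, ppid, image, detail = line.split("|", 6)
        events.append({"ts": ts, "host": host, "event": event, "pid": int(pid),
                       "ppid": int(ppid), "image": image, "detail": detail})
    return events


def _is_external(endpoint):
    """True when the 'ip:port' endpoint is outside INTERNAL_NETS."""
    ip_text = endpoint.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # a hostname rather than an address: treat as external
    return not any(ip in net for net in INTERNAL_NETS)


def correlate(events):
    """Return one alert per (host, pid) where a process spawned by an Office
    handler also shows at least two of: external connection, PowerShell
    child, deletion of its own image file."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        creates = [e for e in evs if e["event"] == "process_create"]
        image_of = {e["pid"]: e["image"] for e in creates}
        path_of = {e["pid"]: e["detail"] for e in creates}

        # Stage 1: anything launched directly by a document handler is a suspect.
        suspects = {}
        for e in creates:
            if image_of.get(e["ppid"], "").upper() in OFFICE_HANDLERS:
                suspects[e["pid"]] = {"host": host, "pid": e["pid"],
                                      "image": e["image"], "stages": ["spawned_by_office"]}

        # Stages 2-4: C&C-style connection, PowerShell child, self-removal.
        for e in evs:
            pid = e["pid"]
            if e["event"] == "net_connect" and pid in suspects and _is_external(e["detail"]):
                suspects[pid]["stages"].append("external_connection")
            elif (e["event"] == "process_create" and e["ppid"] in suspects
                  and e["image"].lower() == "powershell.exe"):
                suspects[e["ppid"]]["stages"].append("powershell_child")
            elif e["event"] == "file_delete" and pid in suspects and e["detail"] == path_of.get(pid):
                suspects[pid]["stages"].append("self_delete")

        alerts.extend(s for s in suspects.values() if len(s["stages"]) >= 3)
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['host']} pid={alert['pid']} image={alert['image']} "
              f"stages={','.join(alert['stages'])}")
```

On the constructed sample the HR workstation produces one alert (all four stages), while the finance workstation, where Word only talks to an internal file server, produces none. The threshold of three stages is a design choice: requiring the self-delete stage alone would be too late, since by then the data has already left, so the external connection and the PowerShell child are what make the rule fire early.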

"By doing this, the attackers actually know what applications and commands they can use without alerting the network administrator during lateral movement and exfiltration," Kaspersky says.

This information is then held and leveraged by a fronting business which forces victims into contracting the Poseidon group as "security consultants." If a company refuses to hire these "security professionals" to protect their networks, then the blackmail may result in the exposure of the stolen data in business deals which will otherwise benefit Poseidon -- such as through market predictions based on such theft.

Bestuzhev described the business deals Poseidon is involved in as "shadow, but still legal activity."

The cyberforensics firm has identified a minimum of 35 businesses which have fallen prey to Poseidon across the financial, telecommunications, manufacturing, energy and media industries, as well as the service industry.

Enterprise players in the US, France, Kazakhstan, UAE, India and Russia have become targets, although Poseidon heavily leans upon businesses within Brazil.

The team says Poseidon is definitely not a state-sponsored scheme, but rather a "malware boutique" and business based upon dodgy dealings.

The initial malware infection is tailored for English and Brazilian Portuguese Windows systems alone, revealing how the cyberattackers wish to turn their operations towards the commercial sector -- and so only want to focus their efforts on businesses they can later communicate with, as well as blackmail.

Bestuzhev commented:

"The Poseidon Group is a long-standing team operating on all domains: land, air and sea. Some of its command and control centers have been found inside ISPs providing Internet service to ships at sea, wireless connections as well as those inside traditional carriers.

In addition, several of its implants were found to have a very short lifespan which contributed to this group being able to operate for such a long time without being detected."

The group has been active for a minimum of 10 years, but researchers are still attempting to put all the pieces together. Poseidon's techniques, tools, and methods are constantly evolving -- and the group remains to this day an active threat to the enterprise, one that goes beyond a simple malware infection.

Disclaimer: Kaspersky Labs sponsored the trip to the summit in Tenerife, Spain.
