bitopk.blogg.se

Symantec endpoint protection cloud user whitepaper

Authored by Tony Millington and Gavin O’Gorman

The intercepted email in this blog was provided by Symantec.cloud. The Nitro Attacks whitepaper, published by Symantec Security Response, was a snapshot of a hacking group’s activity spanning July 2011 to September 2011. The same group is still active, still targeting chemical companies, and still using the same social engineering modus operandi. That is, they are sending targets a password-protected archive, through email, which contains a malicious executable. The executable is a variant of Poison IVY and the email topic is some form of upgrade to popular software, or a security update. The most recent email (Figure 1) brazenly claims to be from Symantec and offers protection from “poison Ivy Trojan”! Furthermore, the attachment itself is called “the_nitro_attackspdf.7z”.

The attachment archive contains a file called “the_nitro_attackspdf.” (The large gap between the “pdf” and “.exe” is a basic attempt to fool a user into assuming that the document is a PDF, when it is really a self-extracting archive.)

Figure 2 Contents of the attachment, including the genuine report

When the self-extracting executable runs, it creates a file called lsass.exe (Poison IVY) and creates a PDF file. This PDF file is none other than our own Nitro Attacks document! The attackers, in an attempt to lend some validity to their email, are sending a document to targets that describes their very own activity. The threat, lsass.exe, copies itself to “%System%\web\service.exe” and attempts to connect to the domain “”. This domain resolves to an IP, which is hosted by the same hosting provider that hosted most of the previously encountered IP addresses. Figure 3 is a partial graph of the domains involved, including the most recent activity. Table 1 lists the latest emails intercepted by Symantec.
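As an added illustration, not code from the original post, here is a name-only check for the lure described above: an archive member whose visible name ends in a document word, then a run of spaces, then a real executable extension, plus the borrowed system-binary name the dropped file uses. The extension lists, the function names and the sample member names are assumptions.

```python
import re

# Extensions Windows runs as code on double-click (assumed short list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Words a user reads as "this is a document".
DOCUMENT_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt"}
# Names of Windows system binaries that malware likes to borrow (assumed list).
BORROWED_SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe"}

# Two or more whitespace characters directly before the final extension,
# e.g. "report pdf                 .exe": the ".exe" scrolls off screen.
PADDED_EXT = re.compile(r"\s{2,}\.[A-Za-z0-9]{1,4}$")


def suspicious_attachment_name(name: str) -> list[str]:
    """Return the reasons an attachment or archive member name looks like a lure.

    An empty list means nothing matched. Only the name is inspected; the file
    is never opened, so this is safe to run on untrusted archives' listings.
    """
    reasons: list[str] = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # strip any path part
    stem, dot, ext = base.rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTS:
        return reasons
    if PADDED_EXT.search(base):
        reasons.append("whitespace padding before executable extension")
    # Visible part of the name, as the user sees it once the padding is gone.
    visible = stem.rstrip().lower()
    if any(visible.endswith(word) for word in DOCUMENT_WORDS):
        reasons.append("document-like name ending with executable extension")
    if base.strip().lower() in BORROWED_SYSTEM_NAMES:
        reasons.append("system binary name used for dropped file")
    return reasons


def scan_archive_members(names: list[str]) -> dict[str, list[str]]:
    """Map each flagged member name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := suspicious_attachment_name(n))}


if __name__ == "__main__":
    # Constructed sample listing, modelled on the archive described in the post.
    sample = ["the_nitro_attackspdf          .exe", "the_nitro_attacks.pdf", "lsass.exe"]
    for member, why in scan_archive_members(sample).items():
        print(f"{member!r}: {', '.join(why)}")
```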