Security experts are warning of an ongoing spear phishing campaign aimed at defense contractors, universities and SCADA security companies like Digitalbond.
The attacks have been traced back to servers in China, and start with emails made to look like they came from employees or executives of the company being attacked. The messages have PDF attachments that install a Trojan called spoolsvr.exe if opened. The Trojan then calls to a command and control server located at a domain called happyforever.com and downloads more malware including an obscure executable called tanghi.exe that provides a hacker with remote access to the infected system. Tanghi.exe is particularly dangerous because it can’t be detected by most antivirus or anti-malware software yet.
It’s not clear exactly what info the attacks are designed to steal, but given they are targeted at security firms, defense contractors and universities such as Carnegie Mellon and Purdue, the possibilities are chilling – especially if it’s revealed that the Chinese government is behind them. They’ve been accused of cyberattacks in the past but have always vehemently denied any involvement.
Spear phishing attacks are on the rise as phishers realize that the traditional wide net attacks are no longer profitable. By carefully targeting and personalizing their attacks, they increase the chances of recipients falling for them. The payloads they are looking for seem to be moving from simple passwords and Paypal info, to government data and sensitive business documents. Phishing and cyber espionage seem to be going hand and hand these days.
Researchers say the attacks are similar to last year’s Shady Rat attacks and possibly being conducted by the same group.