Malicious Word document with ‘Russian doll’ technique targets NATO countries
Security researchers have identified a hacking campaign seemingly targeted at NATO members, which employs a sophisticated method to infect victims and lays a trap for those investigating it.
The researchers said the attack, in the form of a malicious Word document, is unusual in that it attempts to avoid analysis and uses a non-embedded Flash payload.
This document is titled ‘NATO Secretary meeting’ and the text mentions Ukraine, leading the researchers to think it is likely targeted at NATO members. The campaign was mounted during the Christmas and New Year holiday.
“It’s a very good environment for a bad guy to operate in because potentially defences are low over the Christmas period,” said Martin Lee, threat intelligence technical lead at Cisco’s Talos security group, which identified the attack.
“The noteworthy piece for us is the way the attacker is trying to obfuscate their actual payload,” he said.
Usually malware contains a payload that is delivered in one chunk, whereas in this case there are a number of steps before the payload is delivered. The document first checks to make sure it is not dealing with sandbox systems or analyst virtual machines, and then requests a payload and an Adobe Flash exploit, which is loaded and executed on the fly.
“This approach is extremely clever, from the attacker point of view, the exploit is not embedded in the document making it more difficult to detect for some security devices than the standard Word Trojan,” said the researchers.
Another unusual feature: once the hacking campaign was discovered, the attackers swapped out the final payload and replaced it with junk data to create a booby-trap for researchers.
“The actor realized security researchers were poking around their infrastructure and then rigged the infrastructure to create resource issues for some security devices. These are the characteristics of reasonably advanced attackers who have designed an efficient minimalist framework that was able to adapt purposes on the fly,” the Cisco researchers said.
Lee said the changing tactics of the malware developers showed they are thinking harder about their code being investigated: “No longer can you write fairly simplistic malware and send it out there and hope it’s going to infect machines. The bad guys now clearly have to think about how they are going to attempt to evade security researchers and in-depth investigation,” he said.
The researchers have dubbed the technique the “matryoshka doll reconnaissance framework”, after the nested Russian dolls, but insisted that this is not a suggestion about where the attack is coming from.
“Exactly what the attackers’ goals were or what they are trying to do we don’t know, but clearly they are piggy-backing off of topics in geopolitics, something they put together which they thought would pique the interest of the recipient,” said Lee.
“Attribution is tough, exactly who is behind this and what their motives are we can’t say.”
Security experts have warned that following what was widely seen as interference by hackers backed by Russia in the 2016 US election campaign, this year will see more attempts by state-sponsored hackers to steal and potentially release private information to embarrass enemies and steer public opinion.