An advanced and unconventional hack is targeting industrial firms

Enlarge / Binary code, illustration.

reader comments

54 with 47 posters participating

Attackers are putting considerable skill and effort into penetrating industrial companies in multiple countries, with hacks that use multiple evasion mechanisms, an innovative encryption scheme, and exploits that are customized for each target with pinpoint accuracy.

The attacks begin with emails that are customized for each target, a researcher at security firm Kaspersky Lab reported this week. For the exploit to trigger, the language in the email must match the localization of the target’s operating system. For example, in the case of an attack on a Japanese company, the text of the email and an attached Microsoft Office document containing a malicious macro had to be written in Japanese. Also required: an encrypted malware module could be decrypted only when the OS had a Japanese localization as well.

Recipients who click on a request to urgently enable the document’s active content will see no indication anything is amiss. Behind the scenes, however, a macro executes a Powershell script. The reason it stays hidden: the command parameters:

ExecutionPolicy ByPass—to override organization policies
WindowStyle Hidden. This hides the PowerShell window
NoProfile, which executes the script with no end-user configuration.

Triple-encoded steganography, anyone?

The PowerShell script reaches out to either imgur.com or imgbox.com and downloads an image that has malicious code hidden inside the pixels through a technique called steganography. The data is encoded by the Base64 algorithm, encrypted with an RSA key, and then Base64-encoded again. In a clever move, the script contains an intentional error in its code. The resulting error message that’s returned—which is different for

Continue reading – Article source