Posted by: ITKE
cyberattacks, email security
By Hillary O’Rourke, Contributor
The cybercriminals responsible for the Nitro attacks have certainly shown audacity in their latest move: sending malicious emails that claim to come from security vendor Symantec and carry the company's own report on those very Nitro attacks.
According to a Symantec blog post, the group, which is currently targeting chemical companies, is using the same social engineering techniques it has used in previous attacks, but lately it has been sending malicious emails crafted to look like they were sent by Symantec's technical support department.
“They are sending targets a password-protected archive, through email, which contains a malicious executable,” explained Symantec researchers keeping a close watch on the group’s attack techniques. “The executable is a variant of the Poison IVY and the email topic is some form of upgrade to popular software, or a security update.”
The security vendor originally exposed the gang in a report released on Nov. 1 on the Nitro attacks that began in July and lasted until September. Those attacks also involved emails carrying a variant of the Poison Ivy backdoor and were specially crafted for each targeted company. According to the blog post, they are still using the same hosting provider for their command and control (C&C) servers.
The Symantec blog post notes that one of the emails even "offers protection from poison Ivy Trojan!"
The fraudulent emails come with an attachment called "the_nitro_attackspdf.7z", an archive containing a file called "the_nitro_attackspdf.exe". According to the blog post, the file name actually contains a long run of spaces between "pdf" and ".exe" (collapsed when rendered here) so that the trailing ".exe" is pushed out of view and the user is tricked into thinking the attachment is a PDF.
When the executable is run, it creates a file called Isass.exe, which is the Poison Ivy backdoor itself (the name imitates the legitimate Windows lsass.exe process), and then writes out a decoy PDF that is none other than Symantec's own Nitro Attacks whitepaper (PDF), so the victim sees the document they expected.
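The two tricks described above (an executable whose name is padded with whitespace so it reads like a PDF, and a dropped file named to resemble a Windows system process) are both cheap to catch at the mail gateway or in an endpoint triage script. The following Python is an added example written for this post, not code from the article or from Symantec; the attachment names and process names it checks are constructed for illustration, and the lists of executable extensions and legitimate process names are assumptions you would extend for your own environment.

```python
import re

# Constructed sample attachment names (not taken from the post). The first one
# mirrors the Nitro lure as described: the extension is separated from a
# document-like stem by a long run of spaces.
SAMPLE_ATTACHMENTS = [
    "the_nitro_attackspdf" + " " * 40 + ".exe",
    "the_nitro_attacks.pdf",
    "quarterly_report.pdf.exe",
    "invoice.7z",
]

# Assumed lists; extend to taste.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
DOCUMENT_HINTS = ("pdf", "docx", "doc", "xlsx", "xls", "pptx", "ppt", "txt")


def classify_attachment(name: str) -> dict:
    """Flag file names that hide an executable behind a document-looking stem."""
    stem, sep, ext = name.rpartition(".")
    if not sep:                      # no dot at all: nothing to hide behind
        stem, ext = name, ""
    ext = ext.strip().lower()
    findings = []
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable extension")
    # Whitespace directly before the final extension has no legitimate purpose;
    # its only effect is to push ".exe" out of the visible part of the name.
    if stem != stem.rstrip():
        findings.append("whitespace padding before extension")
    # A stem that ends in a document extension (with or without its dot) in
    # front of an executable extension is the classic double-extension lure.
    stripped = stem.rstrip().lower()
    if ext in EXECUTABLE_EXTENSIONS:
        for hint in DOCUMENT_HINTS:
            if stripped.endswith(hint):
                findings.append(f"executable posing as {hint}")
                break
    return {"name": name, "extension": ext, "findings": findings,
            "suspicious": bool(findings)}


def suspicious_attachments(names) -> list:
    """Return the subset of names that classify_attachment() flags."""
    return [n for n in names if classify_attachment(n)["suspicious"]]


# Lookalike detection for dropped files: fold the characters attackers swap
# for one another (capital I / digit 1 / pipe for lowercase l, zero for o) and
# compare against a set of legitimate Windows process names (assumed list).
LEGIT_PROCESSES = {"lsass.exe", "svchost.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
_FOLD = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def _fold(s: str) -> str:
    return s.lower().translate(_FOLD)


_LEGIT_FOLDED = {_fold(p): p for p in LEGIT_PROCESSES}


def lookalike_process(name: str):
    """Return the legitimate process name this file name imitates, or None."""
    if name.lower() in LEGIT_PROCESSES:
        return None                  # exact match: judge it by path, not by name
    return _LEGIT_FOLDED.get(_fold(name))


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        print(classify_attachment(n))
    for p in ("Isass.exe", "lsass.exe", "svch0st.exe"):
        print(p, "->", lookalike_process(p))
```

Name checks like these are only a first filter. A file literally named lsass.exe passes `lookalike_process()`, so the follow-up question for any such file is whether it lives in %SystemRoot%\System32 and was started the way the real one is; anything written by a mail attachment to a user-writable directory under that name is the backdoor regardless of spelling. The archive password the attackers used is also worth noting here: it keeps the executable opaque to gateway scanning, so a password-protected archive arriving from an unexpected sender deserves the same scrutiny as a bare executable.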
“The attackers, in an attempt to lend some validity to their email, are sending a document to targets that describes their very own activity,” Symantec said.