Security Bytes

Dec 14 2011   4:56PM GMT

Nitro attackers sending malicious emails using Symantec report

ITKE ITKE Profile: ITKE

By Hillary O’Rourke, Contributor

The cybercriminals responsible for the Nitro attacks have certainly showed audacity in their latest move: Sending malicious emails claiming to be from security vendor Symantec with the company’s own report on those Nitro attacks.

According to a Symantec blog post, the group, which is currently targeting chemical companies, is using the same social engineering techniques they have used in previous attacks, but lately they have been sending malicious emails that are created to look like they were sent by Symantec’s technical support department.

“They are sending targets a password-protected archive, through email, which contains a malicious executable,” explained Symantec researchers keeping a close watch on the group’s attack techniques. “The executable is a variant of the Poison IVY and the email topic is some form of upgrade to popular software, or a security update.”

The security vendor originally exposed the gang in a report released on Nov. 1 on the Nitro attacks that began in July and lasted until September. Those attacks also involved emails carrying a variant of the Poison Ivy backdoor and were specially crafted for each targeted company. According to the blog post, they are still using the same hosting provider for their command and control (C&C) servers.

The Symantec blog post explains one of the emails ‘offers protection from “poison Ivy Trojan’!”

The fraudulent emails come with an attachment called “the_nitro_attackspdf.7z” with an archive containing a file called “the_nitro_attackspdf.exe.” According to the blog post, the large space between “pdf” and “.exe.” is to trick a user into thinking the attachment is a PDF.
When the attachment is opened, the executable creates a file called Isass.exe, more commonly known as Poison IVY, and then creates a PDF file that is none other than Symantec’s Nitro Attacks whitepaper (PDF).

“The attackers, in an attempt to lend some validity to their email, are sending a document to targets that describes their very own activity,” Symantec said.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: