Industrial espionage gang sends malicious emails in security vendor's name
- 14 December, 2011 08:25
A cybercrime gang that primarily targets companies from the chemical industry has launched a new series of attacks that involve malware-laden emails purporting to be from Symantec, the security vendor responsible for exposing its operation earlier this year.
Dubbed the Nitro attacks, the gang's original industrial espionage efforts began sometime in July and lasted until September. The attackers' modus operandi involved sending emails that carried a variant of the Poison Ivy backdoor and were specifically crafted for each targeted company.
Despite being publicly exposed by Symantec in an October report, the gang didn't give up on its plans and, in fact, stuck to many of its techniques.
"The same group is still active, still targeting chemical companies, and still using the same social engineering modus operandi," security researchers from Symantec said in a blog post on Monday.
"That is, they are sending targets a password-protected archive, through email, which contains a malicious executable," they added.
The interesting aspect about the gang's new attacks is that they are using Symantec's own report in order to trick victims. One email intercepted by the security company was crafted to appear as if it were sent by its technical support department and warns recipients that many enterprise computers were infected with Poison Ivy.
The rogue messages claim that a special removal tool was released by Symantec in order to help its customers scan their systems. Attached to the email is a 7-Zip archive called the_nitro_attackspdf.7z containing a malicious executable file and a copy of Symantec's original report about Nitro.
"The attackers, in an attempt to lend some validity to their email, are sending a document to targets that describes their very own activity," Symantec said. The executable file is a new variant of Poison Ivy that connects to a command-and-control (C&C) server hosted by the same provider used in the previous attacks.
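The lure described above combines three observable traits: a display name that claims a vendor, an archive attachment whose password is given in the message body (so mail gateways cannot inspect the executable inside), and an archive name that smuggles a document type (the_nitro_attackspdf.7z). The following Python script is an added example, not code from the article or from Symantec; it parses an inbound message and reports those traits. The brand-to-domain table, the sample message and the 7z payload are constructed here for illustration.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Magic bytes for common archive formats; the 7z signature is 37 7A BC AF 27 1C.
ARCHIVE_MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
}
ARCHIVE_EXTENSIONS = (".7z", ".zip", ".rar")
DOCUMENT_HINTS = ("pdf", "doc", "xls")

# Brands an attacker may claim in the From display name, mapped to the domains
# that brand is expected to send from. Assumed values for this example.
BRAND_DOMAINS = {
    "symantec": ("symantec.com",),
    "adobe": ("adobe.com",),
}


def archive_type(filename, data):
    """Return the archive kind by magic bytes first, then by extension, else None."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind
    lower = filename.lower()
    for ext in ARCHIVE_EXTENSIONS:
        if lower.endswith(ext):
            return ext.lstrip(".")
    return None


def looks_like_disguised_document(filename):
    """True when an archive's name ends in a document type, e.g. 'reportpdf.7z'."""
    stem = filename.lower().rsplit(".", 1)[0]
    return any(stem.endswith(hint) or f".{hint}" in stem for hint in DOCUMENT_HINTS)


def brand_domain_mismatch(from_header):
    """Return (brand, domain) if the display name claims a brand the address does not belong to."""
    name, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(
            domain == d or domain.endswith("." + d) for d in domains
        ):
            return brand, domain
    return None


def analyze_email(raw):
    """Parse a raw RFC 822 message and return a list of lure indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    mismatch = brand_domain_mismatch(msg["From"] or "")
    if mismatch:
        findings.append(f"display name claims {mismatch[0]} but sender domain is {mismatch[1]!r}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    mentions_password = re.search(r"\bpassword\b", text, re.IGNORECASE) is not None
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        kind = archive_type(name, data)
        if kind:
            findings.append(f"archive attachment {name!r} ({kind})")
            if mentions_password:
                findings.append("body supplies a password for the archive; contents cannot be scanned in transit")
            if looks_like_disguised_document(name):
                findings.append(f"archive name {name!r} mimics a document")
    return findings


def build_sample_email():
    """Constructed message modelled on the lure described in the article (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "Symantec Technical Support <support@mail-alerts.example>"
    msg["To"] = "it-admin@chemco.example"
    msg["Subject"] = "Poison Ivy removal tool"
    msg.set_content("Many enterprise systems are infected with Poison Ivy. "
                    "The password for the attached removal tool is 1234.")
    payload = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32  # 7z header bytes followed by filler
    msg.add_attachment(payload, maintype="application", subtype="x-7z-compressed",
                       filename="the_nitro_attackspdf.7z")
    return msg.as_bytes()


def build_benign_email():
    """Constructed plain message with no archive, used to show the script stays quiet."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@chemco.example>"
    msg["To"] = "bob@chemco.example"
    msg["Subject"] = "Lunch"
    msg.set_content("Meeting room B at noon?")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in analyze_email(build_sample_email()):
        print("-", finding)
```

Each indicator on its own is weak (vendors do send archives, and colleagues do share passwords), so the script reports all of them and leaves the scoring to the gateway or SOC rule that consumes it; the combination of all three is what distinguishes this lure.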
The fake Symantec alert is not the only lure this gang is using. Other malicious emails that are part of the same campaign claim to originate from Adobe Systems and contain a fake upgrade for Adobe Reader.
Symantec managed to take down the domain name used by the new C&C server and alerted the hosting provider. However, given the determination shown by these attackers so far, it's unlikely that the Nitro attacks will stop.
The group's primary goal is to steal domain administrator credentials, as well as to gain access to systems that store intellectual property. After identifying the intellectual property it wants, the attackers copy it to archives on internal systems used as staging servers, with the content uploaded from there to a site outside of the compromised organization, according to Symantec's October report.