Malicious attachments may be packed into archives. Specifically, some of the emails purport to be invitations to tender from large industrial companies (see below).
In most cases, the phishing emails have finance-related content the names of attachments also point to their connection with finance. They may also use the information found in these emails to prepare new attacks – against companies that partner with the current victim.Ĭlearly, on top of the financial losses, these attacks result in leaks of the victim organizations’ sensitive data.
#Teamviewer logs software#
The malware pack can include spyware, additional remote administration utilities that extend the attackers’ control on infected systems, malware for exploiting operating system and application software vulnerabilities, as well as the Mimikatz utility, which provides the attackers with Windows account data.Īpparently, among other methods, the attackers obtain the information they need to perpetrate their criminal activity by analyzing the correspondence of employees at the enterprises attacked.
#Teamviewer logs download#
In cases where the cybercriminals need additional data or capabilities after infecting a system, such as privilege escalation and obtaining local administrator privileges, the theft of user authentication data for financial software and services, or Windows accounts for lateral movement, the attackers download an additional pack of malware to the system, which is specifically tailored to the attack on each individual victim. After that, the attackers look for various ways in which they can commit financial fraud, such as spoofing the bank details used to make payments. When attackers connect to a victim’s computer, they search for and analyze purchase documents, as well as the financial and accounting software used, banking clients, etc. The threat actor uses various techniques to mask the infection and the activity of malware installed in the system.Īccording to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts. This enables the attackers to gain remote control of infected systems. The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS). Notably, the first similar attacks were recorded as far back as 2015.
#Teamviewer logs series#
The content of each email reflects the activity of the organization under attack and the type of work performed by the employee to whom the email is sent.Īccording to the data that we have collected, this series of attacks started in November 2017 and is currently in progress. The phishing emails are disguised as legitimate commercial offers and are sent mainly to industrial companies located in Russia. Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.
Appendix 2 – Yara rules for detecting the threat.Email addresses to which the malware sends messages.
Typical characteristics of the network activity of legitimate software used by the attackers.Malware modules installed in the system.Other malware used by attackers or found on malware command-and-control servers.
0 kommentar(er)
