OWA (Outlook Web Access) gives browser-based access to the online suite. “The OWA phishing attacks seemed effective and so could be particularly dangerous to any organization that allows employees to use OWA,” researchers say in a new report.
Trend Micro, which has dubbed the campaign Operation Pawn Storm, says the gang uses three attack vectors: spear-phishing emails with malicious attachments, an extensive network of phishing websites, and exploits injected into legitimate Polish websites. Many of the attacks have in common the use of the SEDNIT/Sofacy malware, mostly backdoors and information-stealing multistage downloaders built to help the attackers avoid detection.
Other tactics included using a fake news website and a fake company site. In the latter case the attackers registered a domain that looked very similar to the company’s and purchased a Secure Sockets Layer (SSL) certificate for the fake domain.
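A lookalike domain with a valid certificate is easy to miss by eye, so defenders typically screen newly observed hostnames (from proxy logs or certificate transparency feeds) against their own domains. The checker below is an added example written for this article, not code from Trend Micro or the report; the legitimate domain “example-corp.com”, the sample hostnames and the table of confusable characters are all constructed for illustration.

```python
"""Heuristic lookalike-domain checker (added example, not from the Trend Micro report)."""

# Constructed legitimate domain standing in for the unnamed company in the report.
LEGIT_DOMAINS = ["example-corp.com"]

# Canonical forms for character sequences commonly swapped in lookalike
# registrations. This is an assumed, illustrative list, not an exhaustive one.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def normalize(label: str) -> str:
    """Fold visually confusable sequences to their canonical letters."""
    out = label.lower()
    for bad, good in CONFUSABLES:
        out = out.replace(bad, good)
    return out


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable label, public suffix). Assumes a single-label suffix
    such as .com; multi-part suffixes like .co.uk are not handled here."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify(domain: str, legit_domains=LEGIT_DOMAINS) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one hostname."""
    label, suffix = split_domain(domain)
    norm = normalize(label)
    for legit in legit_domains:
        l_label, l_suffix = split_domain(legit)
        if label == l_label and suffix == l_suffix:
            return "legit"          # same registrable domain, possibly a subdomain
        l_norm = normalize(l_label)
        if label == l_label:
            return "lookalike"      # same name under a different TLD
        if norm == l_norm:
            return "lookalike"      # differs only by confusable characters
        if levenshtein(norm, l_norm) <= 1:
            return "lookalike"      # one-character typo or an added letter
        if l_norm in norm:
            return "lookalike"      # legit name embedded, e.g. example-corp-login
    return "unrelated"


def triage(hostnames, legit_domains=LEGIT_DOMAINS):
    """Reduce a list of observed hostnames to the ones that deserve a human look."""
    return [h for h in hostnames if classify(h, legit_domains) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample hostnames, not real observations.
    SAMPLE = ["mail.example-corp.com", "examp1e-corp.com", "exarnple-corp.com",
              "example-corp.net", "example-corp-secure.com", "unrelated-site.org"]
    for h in SAMPLE:
        print(f"{h:28s} {classify(h)}")
```

Both sides are normalized before comparison so that a legitimate name containing, say, “rn” is not itself distorted; the distance threshold and the embedded-name rule are deliberately loose because the output is meant for analyst review, not automatic blocking.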
The attackers have also sent emails with attachments tied to something the recipients might expect to receive. For example, an email sent in September 2013 to military officials from several countries referred to the upcoming Asia-Pacific Economic Co-operation (APEC) Indonesia 2013 conference. The email carried a malicious Microsoft Excel attachment named “APEC Media list 2103. Part1.xls.”
Often the email carries a decoy document plus an exploit that serves as a downloader component. The downloader communicates with a command-and-control server, which delivers a dropper that installs a keylogger.
Trend Micro examined attacks from the group from 2010 to 2014, noting this year’s efforts were “more streamlined.”
In some cases people did click on the links, the report noted, with the attackers able “to steal all manners of sensitive information from the victims’ computers.”