Security teams are being warned of a just-discovered family of malicious Microsoft Office macros which may have been quietly in use for a decade.
Researchers at Palo Alto Networks said Monday they have identified and collected over 40 variants of the previously unpublished malware family they dub “Infy.”
“We believe that we have uncovered a decade-long operation that has successfully stayed under the radar for most of its existence as targeted espionage originating from Iran,” says the report. “It is aimed at governments and businesses of multiple nations as well as its own citizens.”
The discovery started 12 months ago when Palo Alto Networks detected two e-mails carrying malicious documents from a compromised Israeli Gmail account used by an Israeli industrial organization. One e-mail carried a Microsoft PowerPoint file named “thanks.pps” (VirusTotal), the other a Microsoft Word document named “request.docx”. Around the same time the vendor also captured an e-mail containing a Word document (“hello.docx”) whose hash was identical to that of the earlier Word document, this time sent to a U.S. government recipient.
Attacks using Infy typically start with a spear-phishing e-mail carrying a Word or PowerPoint document, researchers say, which contains a multi-layer Self-Extracting Executable Archive (SFX). If the attachment is a PPS file, opening it shows the user a PowerPoint slide that mimics a paused movie. That encourages the victim to click “Run,” which allows the embedded SFX file to execute.
The executable installs the main payload, a DLL file that writes to an autorun registry key and doesn’t activate until a reboot. After the reboot, it first checks for antivirus and then connects to a command and control (C2) server. It starts collecting environment data from the infected system, starts a keylogger, and steals browser passwords and content such as cookies, before exfiltrating the stolen data to the C2 server.
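As an added example (not code from the Palo Alto Networks report), a small Python scanner a mail gateway or analyst could run over the Word-document delivery vector described above: it opens an OOXML attachment and flags embedded objects that are, or wrap, a PE executable such as an SFX archive. It assumes the modern .docx/.pptx container format (the legacy .pps binary format is out of scope), and the document it builds for testing is constructed, not an Infy sample.

```python
import io
import sys
import zipfile

# Folders where OOXML (docx/pptx/xlsx) stores embedded OLE/Packager objects.
EMBED_DIRS = ("word/embeddings/", "ppt/embeddings/", "xl/embeddings/")
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
DOS_STUB = b"This program cannot be run in DOS mode"


def classify_embedding(blob: bytes):
    """Label an embedded object if it is (or wraps) a PE executable."""
    if blob.startswith(PE_MAGIC):
        return "raw PE image"  # dropped .exe / SFX stored directly
    if blob.startswith(OLE_MAGIC) and DOS_STUB in blob:
        return "PE image inside OLE container"  # Packager-wrapped executable
    return None


def scan_ooxml(data: bytes) -> list:
    """Return (member, label) pairs for suspicious embeddings in an OOXML file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith(EMBED_DIRS):
                label = classify_embedding(zf.read(name))
                if label:
                    findings.append((name, label))
    return findings


def build_sample(with_payload: bool) -> bytes:
    """Constructed .docx-shaped archive for testing; not a real malicious file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")  # benign
        if with_payload:
            # Minimal fake PE header standing in for an embedded SFX archive.
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_ooxml.py attachment.docx
    with open(sys.argv[1], "rb") as fh:
        for member, label in scan_ooxml(fh.read()):
            print(f"{member}: {label}")
```

The header checks are a triage heuristic, not a substitute for sandboxing or signature scanning: a packed or encrypted payload will not carry the DOS stub string.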
Researchers found a file whose hash was identical to that of the originally discovered malicious PowerPoint file but which had a different filename (“syria.pps”), uploaded to VirusTotal in May of 2015. A characteristic observed across these campaigns is that the actor puts deliberate effort into specific geographic targeting, with region-specific attack content. They also found a report by the Danish Defense Intelligence Service’s Center for Cybersecurity, which had observed similar attacks against Danish government targets. In addition they found further malware and campaigns linked by infrastructure, hashes, strings, payload links and other similarities.
Based on a specific encoding technique and key they found, researchers identified related Infy samples from as early as mid-2007 in VirusTotal, a free service that analyzes suspicious files and URLs. There is evidence that the C2 domain associated with the oldest sample found may have been in use as far back as December 2004.
Fortunately, most of the associated malware samples from the last five years were eventually detected by antivirus programs, says the report, but in most cases only by a generic signature.
At any rate, it’s another example of why CISOs have to run enterprise-wide campaigns that regularly remind employees to slow down and read e-mail carefully, particularly messages that include attachments — and, before clicking on an attachment, to make a phone call and check that the sender is legitimate. Keeping anti-malware tools and other software up to date helps as well.