MUMBAI, INDIA: Attackers have been spreading two families of remote access Trojans (RATs) to small businesses in India, the UK, and US since the start of 2015. The attackers have been targeting employees responsible for accounts and fund transfers in order to steal money from affected organizations.
The attackers operate with few resources, rely on social engineering rather than exploits, and use two publicly available RATs: Backdoor.Breut and Trojan.Nancrat. Despite these limitations, the malware's multi-purpose capabilities give the attackers a large degree of control over victim computers, according to a new set of findings from Symantec.
The campaigns have been occurring since at least early 2015. For most of the year, the targets were mainly located in India, with some in the US and other regions. In the past few months, however, activity in India and the US has dropped while the number of infections in the UK has increased.
In early 2015, the attackers used Backdoor.Breut to mainly target Indian organizations. After August, they used Trojan.Nancrat against UK targets while keeping Backdoor.Breut for other regions.
The attackers, as the findings point out, don’t focus on specific industries or organizations; they work to gain access to whichever business they can. If they can’t compromise a company, then they move on to another.
The attackers spread the RATs by sending emails from spoofed or stolen accounts. Campaigns run through Symantec's Phishing Readiness solution indicate that, on average, employees fall for email-based attacks 18 percent of the time, which is one reason attackers lean so heavily on this access point when trying to spread RATs quickly and effectively.
The majority of the messages are sent in the afternoon in Greenwich Mean Time (GMT), which is the morning in Eastern Standard Time (EST). This suggests that the attackers are based in Europe or the US. The subject lines relate to finance in order to lure employees who have access to the targeted organizations' accounts. Examples include "Re:Invoice", "PO", "Remittance Advice", "Payment Advise", "Quotation Required", "Transfer Copy", "TT Payment", "PAYMENT REMITTANCE", "INQUIRY", "QUOTATION" and "Request for Quotation".
The emails carry archive attachments, usually with a .zip extension. If the target opens the file, the computer is infected with either Backdoor.Breut or Trojan.Nancrat, both of which give the attackers complete control of the victim's computer.
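The two indicators described above, a finance-themed subject line and a .zip attachment carrying an executable, are easy to turn into a mail-gateway triage check. The following Python is an added example, not code from the article or from Symantec: the lure keyword list follows the subjects quoted above, while the sample messages, the sender and recipient addresses and the set of "executable" extensions are constructed assumptions for illustration.

```python
"""Triage inbound mail for the lure pattern described in the article:
a finance-themed subject plus a .zip attachment that contains an executable.
The sample messages built below are constructed for this example."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject keywords taken from the lure subjects quoted in the article.
# Single words are matched as whole tokens (so "po" does not hit "report");
# multi-word phrases are matched as substrings.
LURE_SUBJECT_KEYWORDS = (
    "invoice", "po", "remittance", "payment", "quotation", "inquiry",
    "transfer copy", "tt payment", "request for quotation",
)

# Assumed list of extensions that execute on double-click on Windows;
# extend it to match your own environment.
EXECUTABLE_EXTENSIONS = (
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar",
)


def subject_is_lure(subject):
    """True if the subject matches one of the campaign's finance lures."""
    text = " ".join(subject.lower().replace(":", " ").split())
    tokens = set(text.split())
    for keyword in LURE_SUBJECT_KEYWORDS:
        if " " in keyword:
            if keyword in text:
                return True
        elif keyword in tokens:
            return True
    return False


def executable_entries(zip_bytes):
    """Names of zip entries that would run if double-clicked, including
    double-extension disguises such as 'invoice.pdf.exe'. A corrupt or
    non-zip payload yields an empty list rather than an exception."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.lower().endswith(EXECUTABLE_EXTENSIONS)]


def triage(raw_message):
    """Parse a raw RFC 5322 message and report both indicators.
    'suspicious' is set only when the subject AND the attachment match."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    result = {"subject": subject, "lure_subject": subject_is_lure(subject),
              "executables": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            result["executables"].extend(executable_entries(payload))
    result["suspicious"] = result["lure_subject"] and bool(result["executables"])
    return result


def build_sample(subject, attachment_name, inner_name):
    """Construct a sample message with a one-entry zip attachment.
    Addresses are placeholders; the entry body is a fake MZ stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(inner_name, b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"       # assumed sender
    msg["To"] = "finance@example.org"          # assumed target
    msg["Subject"] = subject
    msg.set_content("Please find the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for args in (("Re:Invoice", "invoice.zip", "invoice.pdf.exe"),
                 ("PAYMENT REMITTANCE", "remittance.zip", "remittance.scr"),
                 ("Lunch menu", "menu.zip", "menu.pdf")):
        print(triage(build_sample(*args)))
```

Requiring both indicators keeps the rule quiet on legitimate invoices that arrive as PDFs, while the double-extension check catches the usual "document.pdf.exe" disguise; in practice the hit should feed a quarantine or a sandbox detonation rather than a block on the subject alone.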
Through these infections, the attackers can access the webcam and microphone, log keystrokes, steal files and passwords, and more. The attackers have been observed using the targeted employee’s privileged access to transfer money to an account under their control.
Once a computer is compromised, the attackers spend time assessing it to work out how to steal the money; in some cases they have even downloaded manuals to learn how to use particular financial software. After they are finished with one computer, they return to emailing other targets, which suggests that only a small number of attackers are involved in these campaigns.
While advanced attack groups attract a lot of attention in the news, it is important to remember that less skilled attackers can still cause major damage to a targeted company.
Even though the attackers in this case have limited resources, they can use Backdoor.Breut and Trojan.Nancrat to gain total access to a computer. By focusing their RAT infections on specific employees, the attackers can potentially steal a substantial amount of money and sensitive information from affected businesses.
Symantec notes that it has seen other campaigns with similar tactics focusing on financial employees. "For example, in December, four attack groups targeted Colombian finance departments with malicious email attachments to deliver the W32.Extrat RAT. Given the continued focus on these types of tactics by attackers, businesses around the world should know how to protect their assets against these kinds of operations."
Symantec also suggests mitigation measures. Since the attackers in this case rely on basic social-engineering tactics, users can avoid compromise in the first place by following its advice:
- Do not open attachments or click on links in suspicious email messages
- Avoid providing any personal information when answering an email
- Never enter personal information in a pop-up web page
- Keep security software up to date
- If you're uncertain about an email's legitimacy, contact your internal IT department or submit the email to Symantec Security Response.