Industrial threats Attacks on industrial enterprises using RMS and TeamViewer: new
Quote:
Executive Summary

In summer 2019, Kaspersky ICS CERT identified a new wave of phishing emails containing various malicious attachments. The emails target companies and organizations from different sectors of the economy that are associated with industrial production in one way or another.

We reported these attacks in 2018 in an article entitled “Attacks on industrial enterprises using RMS and TeamViewer”, but recent data shows that the attackers have modified their attack techniques and that the number of enterprises facing the threat of infection is growing.

Before publishing this report, we waited for the vendor of the RMS software to make changes to its services to ensure that the results of this research could not be used to exploit vulnerabilities.

This report in a nutshell:
  • From 2018 to at least the early fall of 2020, attackers sent phishing emails laced with malware.
  • The attacks make use of social engineering techniques and legitimate documents, such as memos and documents detailing equipment settings or other industrial process information, which have apparently been stolen from the company under attack or its business partners.
  • The attacks still use remote administration utilities. The graphical user interface of these utilities is hidden by the malware, enabling the attackers to control infected systems without their users’ knowledge.
  • In the new version of the malware, the attackers changed the notification channel used after infecting a new system: instead of malware command-and-control servers, they use the web interface of the RMS remote administration utility’s cloud infrastructure.
  • Stealing money from the organization under attack remains the main objective of the attackers.
  • During an ongoing attack, the cybercriminals use spyware and the Mimikatz utility to steal authentication credentials that are subsequently used to infect other systems on the enterprise network.
The full article is available on Kaspersky Threat Intelligence.

For more information please contact: ics-cert@kaspersky.com.

Technical Analysis

Since we described the technical details of this series of attacks in our previous report, Attacks on industrial enterprises using RMS and TeamViewer, in this document we only list the main stages of an attack and describe the changes to the attackers’ tactics and toolset that have been implemented since the publication of the previous report.

Spreading

Phishing emails used in this attack are in most cases disguised as business correspondence between organizations. Specifically, the attackers send claim letters on behalf of a large industrial company.
...