Researchers have uncovered several spyware campaigns that target industrial companies, aiming to steal credentials from email accounts and conduct financial fraud or resell them to other actors.
Actors use off-the-shelf spyware tools, but only deploy each variant for a very limited time to evade detection.
AgentTesla/Origin Logger, HawkEye, Noon/Formbook, Masslogger, Snake Keylogger, Azorult and Lokibot are examples of common malware used in attacks.
An unusual attack
Kaspersky calls these spyware attacks “anomalous” due to their very short-lived nature compared to what is considered typical in the field.
Specifically, the lifetime of attacks is limited to around 25 days, whereas most spyware campaigns last for several months or even years.
The number of systems attacked in these campaigns is always less than a hundred, half of which are ICS (integrated computer systems) machines deployed in an industrial environment.
Another unusual element is the use of the SMTP-based communication protocol to exfiltrate data to the C2 server controlled by the actor.
Unlike HTTPS, which is used in most standard spyware campaigns for C2 communication, SMTP is a one-way channel that only deals with data theft.
SMTP isn’t a common choice for hackers because it can’t grab binaries or other non-text files, but it thrives on its simplicity and ability to blend in with normal network traffic.
Steal credentials to aid infiltration
Actors use stolen employee credentials they acquire through spear phishing to infiltrate deeper and move laterally into the corporate network.
Additionally, they use corporate mailboxes compromised in previous attacks as C2 servers for new attacks, making detection and reporting of malicious internal correspondence very difficult.
“Intriguingly, enterprise anti-spam technologies help attackers go undetected while exfiltrating stolen credentials from infected machines by making them ‘invisible’ among all the useless emails in spam folders.” – Explain The Kaspersky report
In terms of numbers, analysts have identified at least 2,000 corporate email accounts abused as temporary C2 servers and another 7,000 email accounts abused in other ways.
Selling on dark web markets
Many RDP, SMTP, SSH, cPanel, and VPN account credentials stolen in these campaigns are posted on dark web marketplaces and eventually sold to other threat actors.
According to Kaspersky’s statistical analysis, about 3.9% of all RDP accounts sold on these illegal markets belong to industrial companies.
RDP (Remote Desktop Protocol) accounts are valuable to cybercriminals because they allow them to remotely access compromised machines and interact directly with a device without raising any red flags.
Typically, these lists attract the interest of ransomware actors who use RDP access to deploy their devastating malware.