August 8, 2017 By Douglas Bonderud 2 min read

Why phish when you can spear phish? According to Trend Micro, this appears to be the purpose behind a recent set of malicious emails aimed at Russian enterprises. Attackers used a combination of highly specific, socially persuasive emails to breach corporate security and then leverage existing Windows protocols to create persistent backdoors.

When successful, cybercriminals gained the ability to download and delete files, download new scripts, terminate current scripts and run shell commands. This begs the question: How can enterprises sidestep the spear and make sure employees don’t get phished?

Backdoor Break-Ins

As noted by the Trend Micro piece, malicious actors used a combination of existing exploits and legitimate Windows functions to create a reliable and sophisticated backdoor system. Researchers observed at least five runs of emails occurring from June 23 to July 27 this year. Each run sent multiple emails per target, using different emails for each run and for each target.

Infections began with emails that appeared to be from sales or billing departments with subject lines such as “rules for connecting to the gateway” or “payment of state duties.” The emails contained a legitimate-looking .doc attachment, which was actually a customized rich text format (RTF) file that leveraged known exploit CVE-2017-0199, part of Microsoft Office’s Windows Object Linking and Embedding (OLE) interface.

This exploit let threat actors download a fake Excel spreadsheet that’s actually treated like an HTML application embedded with malicious JavaScript. It then ran two PowerShell scripts, one decoy and one that grabbed a DLL file. This file then dropped another file in the %AppData% folder with a .txt extension, but it was actually a scriptlet file loaded with more JavaScript.

The new file used Regsvr32 to bypass restrictions on running scripts and evade whitelisting protocols. Finally, another XML file was downloaded to serve as the primary backdoor.

Sound convoluted? It is — and purposefully so. The combination of continued obfuscation and abuse of legitimate command structures makes it extremely difficult to detect this malware in progress or remove backdoor code once it’s embedded in the system.

Staying Safe From Malicious Emails

While late-chain functions of this backdoor campaign are hard to detect — let alone stop — most phishing and spear phishing attacks start the same way: malicious emails.

For many enterprises, it’s tempting to view email security as something so basic, so necessary and so frequently addressed that employees couldn’t possibly allow cybercriminals to gain system access. According to CNN, however, a self-described email prankster managed to fool multiple employees of the U.S. government by posing as high-profile individuals. While no state secrets were spilled or networks breached, the prank shows just how easily legitimate-looking emails can slip past staff.

So how can companies sidestep the spear? Start by warning staff never to open attachments they’re not 100 percent sure about, then follow up by enforcing strict patch management for Microsoft Office and turning off auto-run for .doc macros.

It’s also a good idea to ensure that users possess only the network privileges they need for day-to-day tasks. Organization should also blacklist specific command interpreters or rarely used applications. Trend Micro noted that this “could affect legitimate system functions,” but slightly compromised performance always outweighs persistent backdoors.

Malicious emails are spearing Russian enterprises. Stay safe by recognizing the telltale tip of the phishing spear, training employees to err on the side of caution, and taking steps to limit application and network permissions.

More from

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models

4 min read - With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook.With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace at which they’re adopting gen AI, there’s a good chance that some of those vulnerabilities lie in AI models themselves — or the data used to…

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today