Why phish when you can spear phish? According to Trend Micro, this appears to be the purpose behind a recent set of malicious emails aimed at Russian enterprises. Attackers used a combination of highly specific, socially persuasive emails to breach corporate security and then leverage existing Windows protocols to create persistent backdoors.

When successful, cybercriminals gained the ability to download and delete files, download new scripts, terminate current scripts and run shell commands. This begs the question: How can enterprises sidestep the spear and make sure employees don’t get phished?

Backdoor Break-Ins

As noted by the Trend Micro piece, malicious actors used a combination of existing exploits and legitimate Windows functions to create a reliable and sophisticated backdoor system. Researchers observed at least five runs of emails occurring from June 23 to July 27 this year. Each run sent multiple emails per target, using different emails for each run and for each target.

Infections began with emails that appeared to be from sales or billing departments with subject lines such as “rules for connecting to the gateway” or “payment of state duties.” The emails contained a legitimate-looking .doc attachment, which was actually a customized rich text format (RTF) file that leveraged known exploit CVE-2017-0199, part of Microsoft Office’s Windows Object Linking and Embedding (OLE) interface.

This exploit let threat actors download a fake Excel spreadsheet that’s actually treated like an HTML application embedded with malicious JavaScript. It then ran two PowerShell scripts, one decoy and one that grabbed a DLL file. This file then dropped another file in the %AppData% folder with a .txt extension, but it was actually a scriptlet file loaded with more JavaScript.

The new file used Regsvr32 to bypass restrictions on running scripts and evade whitelisting protocols. Finally, another XML file was downloaded to serve as the primary backdoor.

Sound convoluted? It is — and purposefully so. The combination of continued obfuscation and abuse of legitimate command structures makes it extremely difficult to detect this malware in progress or remove backdoor code once it’s embedded in the system.

Staying Safe From Malicious Emails

While late-chain functions of this backdoor campaign are hard to detect — let alone stop — most phishing and spear phishing attacks start the same way: malicious emails.

For many enterprises, it’s tempting to view email security as something so basic, so necessary and so frequently addressed that employees couldn’t possibly allow cybercriminals to gain system access. According to CNN, however, a self-described email prankster managed to fool multiple employees of the U.S. government by posing as high-profile individuals. While no state secrets were spilled or networks breached, the prank shows just how easily legitimate-looking emails can slip past staff.

So how can companies sidestep the spear? Start by warning staff never to open attachments they’re not 100 percent sure about, then follow up by enforcing strict patch management for Microsoft Office and turning off auto-run for .doc macros.

It’s also a good idea to ensure that users possess only the network privileges they need for day-to-day tasks. Organization should also blacklist specific command interpreters or rarely used applications. Trend Micro noted that this “could affect legitimate system functions,” but slightly compromised performance always outweighs persistent backdoors.

Malicious emails are spearing Russian enterprises. Stay safe by recognizing the telltale tip of the phishing spear, training employees to err on the side of caution, and taking steps to limit application and network permissions.

More from

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…