New cyberespionage campaign found targeting Russian service centers

An unknown hacker group has been found targeting Russian service centres that offer maintenance and support for a variety of devices, security researchers have discovered. According to Fortiguard Labs, the attackers are using fake emails, malicious Microsoft Office documents and a variety of unpacking methods for Imminent Monitor.

Imminent Monitor Tool is a free and legitimate Remote system administration software tool designed for Windows OS but has been leveraged by hackers as as a Remote Access Trojan. In this campaign, it has been used to perform multiple malicious spy and control functionalities on targeted computers.

Imminent monitor tool features two modules for recording video from a victim’s webcam as well as three others with spy and control functionalities, including viewing file contents.

The threat actors have used targeted phishing emails purportedly from Samsung to lure victims into downloading download malicious attachments.

“The emails contain Excel files with the same naming convention that the targeted company uses in legitimate transactions” Fortiguard Labs researchers wrote in a blog post. “The email was specifically sent to the service company that repairs Samsung’s electronic devices.”

The Excel file attachments are taken from a legitimate source and then injected with malicious code using the vulnerability CVE-2017-11882 that affects Microsoft Office files. The vulnerability specifically affects Equation Editor (eqnedt32.exe) which is used by Microsoft Office users to insert mathematical and scientific equations. This campaign targets the buffer overflow bug in the Equation Editor, which Microsoft patched last year.

“The malware authors clearly love this vulnerability because it allows them to achieve a stable exploitation across all current Windows platforms,” the researchers said. “The use of exploits is more efficient than the use of simple executable files, especially since the level of threat-awareness among users has sufficiently grown in recent years. It is simply not that easy to trick a user to opening executable file as it was before. Exploits are a different case.”

The exploit’s shellcode first analyzes the export directory of kernel32.dll for two key functions - LoadLibraryA and GetProcAddress. These are used to obtain the addresses of other necessary functions of the attack. The shellcode then downloads the Imminent Monitor payload which comes with five layers of protection including the ConfuserEx packer and BootstrapCS executable Finally the downloaded file uses “lzma.dll” library from 7Zip to extract itself.

Even Though the “From” address in the email and the content appears to be Russian, the email header reveals that the the sender has no connection with the email address domain. Researchers hinted that it is highly unlikely that a native Russian speaker has written the text.

"We also analyzed the C2 servers used in these attacks. Based on the registrant data we have found 50 domains which were all registered on the same day. Some of these domains have already been used for malware spreading." said researchers. “Another group was linked to the phishing campaigns. We believe that this same group of attackers are behind both groups of samples.”