Special Ear cyberespionage campaign uses fake invoice emails to drop data-stealing malware

  • Organizations in India, Saudi Arabia and South East Asia are primarily being targeted.
  • The ‘specially built Trojan’ is delivered via a portable executable file.

Security researchers at LMNTRIX have uncovered a new cyber-espionage campaign targeting the shipping and transportation industries. Dubbed 'Special Ear', the campaign has seen attackers send thousands of phishing emails to trick users into downloading data-stealing malware.

Researchers noted that Special Ear has been active since May this year and has primarily targeted organizations in India, Saudi Arabia and South East Asia.

The phishing emails are typically disguised as routine business correspondence such as invoices and purchase orders. The attackers further tailor the messages to look legitimate by sending them from domains under the top-level domain of the targeted country: in India the emails come from a ".co.in" address, while in Saudi Arabia they come from a ".com.sa" domain.

The malware itself is delivered via a portable executable file and is designed to steal credentials and log keystrokes from targeted systems.

WHOIS records for the sending domains point to the Netherlands, although registration data of that kind says little about who actually operates the infrastructure. The researchers instead attribute the campaign to attackers based in China.

"The Chinese phrases and their excessive appearance in the Portable Executable file imply a Chinese origin. In almost every instance where Chinese characters could be used, they were used -- this is a common obfuscation technique of Chinese threat actors," lead threat researcher at LMNTRIX Bipro Bhattacharjee told ZDNet. "As the target region for the campaign was non-Chinese speaking countries, we believe the priority was to hide the code's functionality, rather than the campaign's Chinese origin."
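A practitioner triaging a sample for the indicator described above, an unusual amount of Chinese text inside a PE file, can check it with a string scan. The following is an added example written for this page, not LMNTRIX's tooling and not bytes from the Special Ear sample: it scans a binary for runs of CJK ideographs stored as UTF-16LE (the wide strings Windows binaries normally carry, tried at both byte alignments) or as UTF-8, discards the common misreads (narrow ASCII or misaligned wide ASCII decoded as ideographs), and reports the count against an arbitrary threshold. The DOS stub, import name, API name, code bytes and Chinese phrases in the sample blobs are constructed for illustration.

```python
"""Triage heuristic: how much Chinese text does a binary carry?

Added example, not LMNTRIX's tooling. Counts runs of CJK Unified Ideographs
(U+4E00-U+9FFF) stored as UTF-16LE or UTF-8 inside an arbitrary byte blob.
"""
import re
import sys

SEP = b"\x00\x00"
CJK_LO, CJK_HI = 0x4E, 0x9F                      # high byte of a UTF-16LE code unit in U+4E00-U+9FFF
CJK_RUN = re.compile(r"[\u4e00-\u9fff]+")
UTF8_CJK_BYTES = re.compile(rb"(?:[\xe4-\xe9][\x80-\xbf]{2}){2,}")   # 3-byte sequences for U+4000-U+9FFF
ASCII_STRING = re.compile(rb"[\x20-\x7e]{4,}")


def _plausible(raw: bytes) -> bool:
    """Reject UTF-16LE runs that are almost certainly misread data:
    a NUL inside the run means we straddled a string terminator or read a
    wide ASCII string at the wrong alignment; all printable ASCII bytes
    means narrow ASCII text read as wide characters (b"he" -> U+6568)."""
    if 0 in raw:
        return False
    return not all(0x20 <= b <= 0x7E for b in raw)


def utf16_cjk_runs(data: bytes, min_run: int = 2) -> list[str]:
    """CJK runs in UTF-16LE, tried at both byte alignments because strings in
    a binary are not guaranteed to start on even offsets."""
    runs = []
    for align in (0, 1):
        run = bytearray()
        for i in range(align, len(data) - 1, 2):
            if CJK_LO <= data[i + 1] <= CJK_HI:   # high byte selects the CJK block
                run += data[i:i + 2]
                continue
            if len(run) >= 2 * min_run and _plausible(bytes(run)):
                runs.append(run.decode("utf-16-le"))
            run = bytearray()
        if len(run) >= 2 * min_run and _plausible(bytes(run)):
            runs.append(run.decode("utf-16-le"))
    return runs


def utf8_cjk_runs(data: bytes, min_run: int = 2) -> list[str]:
    """CJK runs in UTF-8; the byte regex over-matches U+4000-U+4DFF, so the
    decoded text is filtered again on the exact ideograph range."""
    runs = []
    for m in UTF8_CJK_BYTES.finditer(data):
        text = m.group().decode("utf-8")          # always valid: E4..E9 lead bytes, no overlongs
        runs += [r for r in CJK_RUN.findall(text) if len(r) >= min_run]
    return runs


def cjk_report(data: bytes, min_run: int = 2, threshold: int = 4) -> dict:
    """Summarise CJK content; `threshold` is an arbitrary tuning knob."""
    runs = utf16_cjk_runs(data, min_run) + utf8_cjk_runs(data, min_run)
    cjk_chars = sum(len(r) for r in runs)
    return {
        "cjk_runs": runs,
        "cjk_chars": cjk_chars,
        "ascii_strings": len(ASCII_STRING.findall(data)),
        "suspicious": cjk_chars >= threshold,
    }


def _blob(*segments: bytes) -> bytes:
    """Join NUL-terminated segments into a PE-like byte blob (constructed)."""
    return SEP.join(segments) + SEP


# Constructed stand-ins for PE content; not bytes from any real sample.
DOS_STUB = b"MZ\x90\x00"
DOS_MSG = b"This program cannot be run in DOS mode."
WIDE_IMPORT = "kernel32.dll".encode("utf-16-le")   # wide ASCII: must not count
API_NAME = b"GetAsyncKeyState"                     # narrow ASCII: must not count
CODE = b"\x55\x8b\xec\x33\xc0\x5d\xc3"             # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
ZH_WIDE = "获取密码".encode("utf-16-le")            # "get password", wide string
ZH_UTF8 = "键盘记录".encode("utf-8")                # "keystroke log", UTF-8

CLEAN = _blob(DOS_STUB, DOS_MSG, WIDE_IMPORT, API_NAME)
SUSPECT = _blob(DOS_STUB, DOS_MSG, WIDE_IMPORT, ZH_WIDE, ZH_UTF8, CODE, API_NAME)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SUSPECT
    rep = cjk_report(blob)
    print(f"cjk chars: {rep['cjk_chars']}  ascii strings: {rep['ascii_strings']}  "
          f"suspicious: {rep['suspicious']}")
    for r in rep["cjk_runs"]:
        print("  ", r)
```

Run it against a file with `python3 cjk_scan.py sample.exe` (the script name is assumed); with no argument it scans the constructed SUSPECT blob. It is a heuristic: code and data bytes occasionally decode as ideographs, and a Chinese-language binary is not malicious for containing Chinese strings, so treat a hit as a prompt to look at the strings, not as a verdict.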

The malware also obfuscates its API calls to hide its activity from static analysis; the report does not describe the technique used.

It is still unclear whether, or how many, targeted organizations have fallen victim to this campaign. However, the researchers noted that not all antivirus products detected the malware, increasing the likelihood of successful infections.