An attack campaign that targeted Croatian government agencies earlier this year was found to use new malware in its operations. The campaign was reportedly active between February and April. To carry it out, the attackers relied on spear-phishing that impersonated Croatian Post and other services in order to prey on government employees.
According to threat researcher Alexey Vishnyakov of Positive Technologies, the threat actors deployed malware using post-exploitation tools such as SilentTrinity and Empire.
Key highlights
Impersonation tactics
In a blog post, Vishnyakov details how they discovered the two-month campaign. One of the factors pointed out was that the attackers even impersonated the domain names of government sites.
“The domain names were chosen to resemble those of legitimate sites. Such names would presumably arouse less suspicion among phishing targets. Not all the impersonated domains related to Croatia. All attacker domains were registered with WhoisGuard privacy protection. Ordinarily used to protect domain owners from spam by hiding personal information, this feature helped the attackers to remain anonymous,” wrote Vishnyakov in his blog.
After the campaign’s discovery, the Croatian Information Systems Bureau warned government employees of phishing attacks. As of now, the attackers are still unknown.