Novel sophisticated campaign used five distinct identities to target executive in software development services company as launchpad for supply chain attacks; deep learning-based security platform key to thwarting, analyzing attack
Threat actors know that infiltrating large companies with large IT security budgets is a difficult and complicated endeavor. A more effective approach that is becoming increasingly popular with hackers is to attack these bigger companies indirectly by exploiting weaker links in their partner associations, especially IT services companies that often have fewer resources to dedicate to cybersecurity programs. These are known as “supply chain” attacks because they exploit trusted organizational relationships as their attack vector.
Our analysis of recent supply chain attacks targeting a software development services organization revealed novel aspects of the campaign that represent a shift in strategy by threat actors that Blue Hexagon has named “Long-Line.” Long-lining is an offshore commercial fishing method whereby a single vessel sets multiple baited hooks suspended from a cable that is miles in length with the intent of catching large, pelagic fish. Long-Line campaigns are carried out by a single threat actor using multiple elements designed specifically to catch high ranking executives within the target organization. The ultimate goal of a Long-Line attack is to use the compromised organization as a platform for executing supply chain attacks on companies in the outsourcer’s business network.
Supply chain attacks are on the increase. Symantec reports that such incidents went up by 78% in 2018, and a recent report by endpoint security firm Carbon Black estimates that 50% of all attacks are now targeting supply chains. In one high-profile example that took place in April of this year, Indian IT services company Wipro was targeted by a systematic phishing attack that led to the compromise of internal Wipro IT systems. Hackers operating from within Wipro were then able to target the company’s customers and partners, resulting in the compromise of more than a dozen companies in Wipro’s network.
Long-Line attacks are insidious and difficult to detect because they occur within the context of an otherwise trusted business relationship. In one attack against this software development organization, however, Blue Hexagon was able to detect the attack in progress using our deep learning platform. What’s more, we were able to determine–for the first time–that these were not multiple discrete attacks from different hacker groups, but a sophisticated supply chain attack originating from a single threat actor.
This analysis, made possible through the use of Blue Hexagon’s deep learning capabilities, is important because it demonstrates a shift in emphasis from a typical phishing campaign that relies on wide distribution to attempt to fool a small number of recipients. Instead, Long-Lining uses a combination of research, design and precise social engineering in an attempt to fool a single individual, often a highly placed executive. The goal is to use the compromised organization as a platform for launching new attacks on other companies.
Long-Line Attack Analysis
In the attack on the IT services company, Blue Hexagon found that a single threat actor assumed five distinct identities in carrying out the attack. Each identity was tailored to appear to be a company involved with the target organization, each with a different relationship and in different industries:
- An Indian transportation company;
- An Indian textile company;
- An Indian electrical company;
- An Egyptian transportation company; and,
- A construction company based in the UAE.
In each case, the threat actor attempted to entice high level executives, chosen because of their role and apparent relationships to members of the company’s supply chain partners, into viewing the phishing email by using well-designed subjects and attachment names intended to increase the likelihood that the recipient would open the email and attachment in pursuit of a legitimate business purpose. These included:
- Request for quotation (“Request for Quotation for Projects,” “RFQ No. 0658/0319,” “RFQ – Order rates,” “RE: [External] RFQ – Order rates”);
- Request for bank details ([“Re: Fw: Bank Confirmation”, “Fwd: Bank Swift/TT Copy”, “Bank Instruction”]);
- Request for proposal (“RFP INVAC/OW/SOW/2019/037 – Supply & Installation“); and,
- Inquiry (“INQ No. 0658/0319”).
- “Request for Quotation for Projects.doc”
- “INQ No. 06580319.doc”
- “RFQ – Order rates.doc”
- “Scope of Work.xlsx”
- “BANK DOCUMENT.doc”
- “RFQ No. 06580319.doc”
- “ORDER LIST .doc”
In each case, the attack vector was a document carrying an exploit that allowed the threat actor to execute code on the victim’s system. Once the victim clicked on the attachment, the following steps in the cyber killchain unfolded, leading to infection:
1. Download Agent Tesla Malware
- The Victim’s system downloads different windows executables hosted on the domain tvfn.com.vn
- What follows is a Blue Hexagon similarity graph (Figure 5) on the different malware executables that were served by the domain tfvn.com.vn. This similarity graph projects how our HexNet deep learning models views these executables in the embedding space. This graph helps us understand the similarities and dissimilarities between each threat sample from this campaign. Each point on the x and y axis represents a particular threat sample. A sample’s similarity to itself is by definition high — shades of blue indicate the level of dissimilarity; darker denotes increased dissimilarity.
- This PCA (Principal component analysis) graph in Figure 6 is another representation of how our HexNet deep learning models view the malicious executables. The three clusters means that all the malware samples can be categorized into 3 distinct malware families based on their feature vectors. This is important because threat actors go to great lengths to defeat traditional signature and heuristic defense mechanisms, but this example demonstrates how difficult it is to evade our deep learning-powered platform.
The domain tfvn.com.vn impersonates the Vietnamese website for a leading Japanese metal hoses and expansion joints company. See the difference between Figure 7 (real website) and Figure 8 (impersonated website).
It is important to note that the Vietnamese government does not publish registrar information for domains registered in Vietnam. The threat actors behind this were aware of this and used it to their advantage. (Note: at time of blog publication, the server is no longer serving up binaries listed in this blog)
2. Execute Agent Tesla to Steal Sensitive Information
Agent Tesla can be categorized as an information stealer as it is capable of stealing sensitive information including, but not limited to, the following categories of software:
- Web Browsers: Google Chrome, Mozilla Firefox, Opera, Chromium, Chrome Plus by Maple Studio, Yandex, Orbitum
- Email Clients: Mozilla Thunderbird, Microsoft Outlook, Aerofox Foxmail, IncrediMail, Qualcomm Eudora
- FTP Clients: WinSCP, SmartFTP, Filezilla, WS_FTP by IPSwitch, CoreFTP by FTPWare
- Internet Download Manager
Upon execution, Agent Tesla exfiltrates information to an attacker-controlled SMTP server.
3. Exfiltrate Stolen Data to an Attacker-Controlled SMTP Server
The exfiltrated data is sent via encrypted SMTP messages to mail.privateemail.com on SMTP Port 587 over TLS.
- Exfiltrates the stolen data to mail.privateemail.com, an SMTP mail server controlled by the threat actor.
- The domain privateemail.com is a web-based private email hosting provided by NameCheap.
- Analyzing malware data exfiltration via network traffic capture in Wireshark.
Why TCP Port 587 over TCP Port 25?
The malware chooses TCP Port 587 for SMTP message submission over TCP Port 25 as Port 587 supports explicit encryption of the SMTP messages with TLS Encryption by issuing the STARTTLS command.
Despite the drastic measures taken by the threat actor to impersonate various identities, the Blue Hexagon Deep Learning Platform, powered by our HexNet architecture, was successful in identifying and blocking the Long-Line attack in progress. Further analysis allowed our team to then attribute the attack to a single threat group. We are in the process of conducting further analysis to attempt to identify the country of origin and whether the threat group is a known entity or a new group.
Our initial analysis leads Blue Hexagon to conclude that Long-Lining is a novel twist on a typical phishing campaign. It is also far more sophisticated than a spearphishing campaign that may target a single individual, but lacks the level of persistence and design sophistication that characterizes Long-Lining.
Indicators of Compromise
SHA-256 Hashes of Weaponized Documents Carrying Exploits
- 008937e9e926856a1865ed54f1057248f23bf11aa98abbaba29e9204e11e6bc2 (Construction)
- 64a5725c659947d7a653e6f541a207556b4fb0d27d9557e14fc15e6215d18e7f (Textile)
- bbab4012436a8a9d374b99708fcd1c5bc828bb0d361ecb62cbadd05bc3d56d7e (Electrical)
- 71ba3ca0808f19024cd7ad366f29ac5245723266a7b054aea442f2afb47651b5 (Transportation)
- f9e57f61bc36e09b2acecb201ae0aea93dd70cf077b7528e33c51fbd66ee1f43 (Transportation)
- f31d04d7eb3fd452f5d489b76f76ec446dddcf1b4ad0a5eb7e4231bbc826a079 (Transportation)
- ff5ac63ad6eb95cf5ff4bd5bc777de0dc222180cc1584eacbfcd112b61987b99 (Transportation)
SHA-256 Hashes of Malware Executables
SMTP Mail Server used for Data Exfiltration