Symantec's Tony Millington and Gavin O’Gorman have published an interesting article outlining the methodology used in the Nitro attacks targeting defense and chemical companies first uncovered several months ago.
The article indicates that the attacks have continued despite the recent press attention and numerous alerts that have made the rounds in the targeted industries.
"The Nitro Attacks whitepaper, published by Symantec Security Response, was a snapshot of a hacking group’s activity spanning July 2011 to September 2011. The same group is still active, still targeting chemical companies, and still using the same social engineering modus operandi," the article begins.
In an ironic twist, the attackers have folded Symantec's own reporting into their lure: they manufactured a spoofed email, purporting to come from the software company, that claims to offer protection from the very Trojan the attackers are using in the operation.
"They are sending targets a password-protected archive, through email, which contains a malicious executable. The executable is a variant of Poison IVY and the email topic is some form of upgrade to popular software, or a security update. The most recent email brazenly claims to be from Symantec and offers protection from 'poison Ivy Trojan'," the authors explain.
The email attachment carries malicious code that the attackers attempt to disguise as a PDF file, though closer examination reveals that the file is actually an executable.
"The attachment itself is called “the_nitro_attackspdf.7z”. The attachment archive contains a file called “the_nitro_attackspdf .exe”. (The large gap between the “pdf” and “.exe” is a basic attempt to fool a user into assuming that the document is a PDF, when it is really a self-extracting archive.)," the article states.
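As an added example (not code from Symantec's article), a defender-side check that flags attachment names using the padding trick quoted above: an executable extension separated from a document-like stem by whitespace. The extension list, the document hints, the non-breaking-space handling and the sample names other than the Nitro one are assumptions.

```python
import re

# Extensions that Windows will execute when double-clicked (assumed list).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Document types an attacker might imply in the stem (assumed list).
DOC_HINTS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx")
# Whitespace used to push the real extension out of view; NBSP is an assumed extra.
PAD_CHARS = " \t\u00a0"


def attachment_risk(filename):
    """Return the reasons an attachment name looks like a disguised executable.

    An empty list means the name did not trip any heuristic. Only names with an
    executable extension are examined; everything else returns [] immediately.
    """
    reasons = []
    stem, dot, tail = filename.rpartition(".")
    ext = ("." + tail).lower() if dot else ""
    if ext not in EXEC_EXTS:
        return reasons
    reasons.append(f"executable extension {ext}")
    # 'the_nitro_attackspdf .exe': the gap before '.exe' hides the real type.
    if stem != stem.rstrip(PAD_CHARS):
        reasons.append("whitespace padding before extension")
    # 'report.pdf.exe' or '...attackspdf .exe': a document type is implied in the stem.
    hint = r"\.?(" + "|".join(DOC_HINTS) + r")$"
    if re.search(hint, stem.rstrip(PAD_CHARS), re.IGNORECASE):
        reasons.append("document type implied in name")
    return reasons


def is_disguised_executable(filename):
    """True when the name is executable AND uses at least one disguise trick."""
    return len(attachment_risk(filename)) > 1


if __name__ == "__main__":
    # The first name is the one quoted from the article; the rest are constructed.
    samples = ["the_nitro_attackspdf .exe", "quarterly_report.pdf", "setup.exe",
               "invoice.pdf.exe"]
    for name in samples:
        print(f"{name!r}: {attachment_risk(name) or 'no findings'}")
```

In a mail gateway this would run on each archive member name after extraction; password-protected archives such as the one described above cannot be inspected and should be treated as a finding in their own right.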
The authors note that the attackers have not changed many key aspects of the operation, even using the same hosting service for their command and control servers.
"Despite the publishing of the whitepaper, this group persists in continuing their activities unchecked. They are using the exact same techniques - even using the same hosting provider for their command and control (C&C) servers. The domains have been disabled and Symantec have [sic] contacted the relevant IP hosting provider and continue to block the emails through the .cloud email scanning service," the authors concluded.
The Nitro attackers are known to have targeted at least 38 companies between July and September, before Symantec worked to interrupt the operation.
Despite Symantec's efforts, the attackers have been able to resume the targeted attacks. Symantec is currently working to further stifle the attackers' efforts to access sensitive data at multiple companies.
Source: http://www.symantec.com/connect/blogs/nitro-attackers-have-some-gall